Docs: Document Node node-fetch keep-alive regression (@W-23158954@)#451
Merged
Merged
Conversation
8 tasks
b34c1cb to
e12f29e
Compare
Node.js 24.17.0 / 22.23.0 added a freeSocketDataGuard 'data' listener as a side effect of the CVE-2026-48931 fix, which node-fetch@2 misreads as a truncated response and throws false ERR_STREAM_PREMATURE_CLOSE. commerce-sdk uses make-fetch-happen and is unaffected; this documents that, cross-references the Isomorphic SDK (which depends on node-fetch@2 directly and is affected), and points readers at the fixed Node releases (24.18.0+ / 22.23.1+). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
e12f29e to
d479b75
Compare
unandyala
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
'data'listener to keep-alive sockets, whichnode-fetch@2misreads as a truncated response and throws falseERR_STREAM_PREMATURE_CLOSE. Customers running anode-fetch-based library hit this and reasonably ask whether commerce-sdk is exposed.make-fetch-happen, which has no such heuristic, so the SDK is not affected. This adds a short README section that says so, explains why, and points readers at the fixed Node releases. It also cross-references the Isomorphic SDK, which depends onnode-fetch@2directly and is affected, so a reader of this SDK's "not affected" note does not over-generalize it to the sibling. README-only, nothing in the SDK changed.Acceptance criteria
make-fetch-happen, no socket-listener heuristic).node-fetch@2runtime dependency).Test plan
node-fetch@2listenerCount('data')mechanism, all confirmed.node-fetchis neither a direct nor a dev dependency (runtime deps are@commerce-apps/core,nanoid,retry,tslib); it appears inpackage-lock.jsononly transitively, andmake-fetch-happenis the runtime HTTP path. Isomorphic SDK:node-fetch@2is a direct runtime dependency (require('node-fetch')on its Node.js path), so it is genuinely affected.Verification
Docs-only, no behavioral surface to smoke-test. Correctness here is factual accuracy of the prose, which was the focus of the test plan above. The 26.x line carries an explicit "as of June 24, 2026" date plus a link to the Node 26.x changelog, so a reader can see how stale the note is and check for a fixed release themselves rather than trusting an undated claim.
Out of scope
^20.x/^22.x); the section documents an ecosystem regression a reader might hit, not a change to what the SDK supports.Ticket
W-23158954