Skip to content

Docs: Document Node node-fetch keep-alive regression (@W-23158954@)#451

Merged
joeluong-sfcc merged 1 commit into
mainfrom
ju/node-fetch-regression-doc-W-23158954
Jun 25, 2026
Merged

Docs: Document Node node-fetch keep-alive regression (@W-23158954@)#451
joeluong-sfcc merged 1 commit into
mainfrom
ju/node-fetch-regression-doc-W-23158954

Conversation

@joeluong-sfcc

@joeluong-sfcc joeluong-sfcc commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Node.js 24.17.0 / 22.23.0 shipped a regression (nodejs/node#63989) where the CVE-2026-48931 security fix attaches a 'data' listener to keep-alive sockets, which node-fetch@2 misreads as a truncated response and throws false ERR_STREAM_PREMATURE_CLOSE. Customers running a node-fetch-based library hit this and reasonably ask whether commerce-sdk is exposed.
  • commerce-sdk's HTTP layer is make-fetch-happen, which has no such heuristic, so the SDK is not affected. This adds a short README section that says so, explains why, and points readers at the fixed Node releases. It also cross-references the Isomorphic SDK, which depends on node-fetch@2 directly and is affected, so a reader of this SDK's "not affected" note does not over-generalize it to the sibling. README-only, nothing in the SDK changed.

Acceptance criteria

  • README gains a "Node.js version compatibility" section.
  • States commerce-sdk is not affected and why (make-fetch-happen, no socket-listener heuristic).
  • Safe-version guidance: 24.x to 24.18.0+ (avoid 24.17.0); 22.x to 22.23.1+ (avoid 22.23.0).
  • Links the upstream bug (#63989) and fix (#64004).
  • Cross-references the Isomorphic SDK as the genuinely-affected sibling (direct node-fetch@2 runtime dependency).
  • No code change, no CHANGELOG entry.

Test plan

  • Every load-bearing fact verified against authoritative sources (the Node.js GitHub issue/PR and official nodejs.org release notes): the two regressed versions (24.17.0 / 22.23.0), the two fixed versions (24.18.0 / 22.23.1), the #63989 / #64004 identity, and the node-fetch@2 listenerCount('data') mechanism, all confirmed.
  • Dependency claims verified locally in both repos. commerce-sdk: node-fetch is neither a direct nor a dev dependency (runtime deps are @commerce-apps/core, nanoid, retry, tslib); it appears in package-lock.json only transitively, and make-fetch-happen is the runtime HTTP path. Isomorphic SDK: node-fetch@2 is a direct runtime dependency (require('node-fetch') on its Node.js path), so it is genuinely affected.
  • Edge of the version matrix checked: Node 20.x is correctly omitted (EOL 2026-04-30, never received the June security patch, so never regressed); 26.x (Current) regressed via v26.3.1 with no patched release as of June 24, 2026.
  • All four reference links return HTTP 200 (issue #63989, PR #64004, the Node 26.x changelog, the Isomorphic SDK repo).

Verification

Docs-only, no behavioral surface to smoke-test. Correctness here is factual accuracy of the prose, which was the focus of the test plan above. The 26.x line carries an explicit "as of June 24, 2026" date plus a link to the Node 26.x changelog, so a reader can see how stale the note is and check for a fixed release themselves rather than trusting an undated claim.

Out of scope

  • No code change; no CHANGELOG entry (the SDK did not change).
  • No change to the Prerequisites support matrix (^20.x / ^22.x); the section documents an ecosystem regression a reader might hit, not a change to what the SDK supports.
  • Documenting the Isomorphic SDK's own remediation (it has a separate ticket and PR); this PR only cross-references it so commerce-sdk readers are not misled.
  • Broadcasting beyond the README (Slack / KB) is decided separately.

Ticket

W-23158954

Node.js 24.17.0 / 22.23.0 added a freeSocketDataGuard 'data' listener as a
side effect of the CVE-2026-48931 fix, which node-fetch@2 misreads as a
truncated response and throws false ERR_STREAM_PREMATURE_CLOSE. commerce-sdk
uses make-fetch-happen and is unaffected; this documents that, cross-references
the Isomorphic SDK (which depends on node-fetch@2 directly and is affected),
and points readers at the fixed Node releases (24.18.0+ / 22.23.1+).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@joeluong-sfcc joeluong-sfcc force-pushed the ju/node-fetch-regression-doc-W-23158954 branch from e12f29e to d479b75 Compare June 24, 2026 19:27
@joeluong-sfcc joeluong-sfcc merged commit aa25c89 into main Jun 25, 2026
6 checks passed
@joeluong-sfcc joeluong-sfcc deleted the ju/node-fetch-regression-doc-W-23158954 branch June 25, 2026 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants