Update node-fetch to v3 #2415
Comments
Any updates on plans here? Trying to use swagger-client in a corporate environment, I am currently receiving security vulnerability warnings triggered by the version of |
Sorry for the late response. In your case the solution is simple. Use Node.js >= 18 and npm overrides that would look like this:

```json
{
  "overrides": {
    "swagger-client": {
      "node-fetch": "^3"
    }
  }
}
```
|
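To confirm that an `overrides` entry like the one above took effect after `npm install`, the lockfile can be audited for leftover node-fetch copies. This is an added example, not part of the original thread or the swagger-client project; the sample lockfile, the `other-dep` package and the function names are constructed for illustration.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3, which carry a "packages"
// map keyed by install path) for node-fetch copies below the wanted major.

// Constructed sample lockfile fragment, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/swagger-client': { version: '0.0.0-sample' },
    'node_modules/swagger-client/node_modules/node-fetch': { version: '3.3.2' },
    // Hypothetical second dependent that the swagger-client override does not cover.
    'node_modules/other-dep/node_modules/node-fetch': { version: '2.6.7' },
  },
};

// Return one record per installed node-fetch copy found in the lockfile.
function findNodeFetchCopies(lock, minMajor = 3) {
  const suffix = 'node_modules/node-fetch';
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package itself, not names that merely end in "node-fetch".
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    const major = Number.parseInt(String(meta.version).split('.')[0], 10);
    // The directory this copy is nested under is the previous path segment.
    const parents = path.split('node_modules/').filter(Boolean)
      .map((segment) => segment.replace(/\/$/, ''));
    const nestedUnder = parents.length > 1 ? parents[parents.length - 2] : '(top level)';
    findings.push({
      path,
      version: meta.version,
      nestedUnder,
      ok: Number.isInteger(major) && major >= minMajor,
    });
  }
  return findings;
}

// Copies that are still below the wanted major version.
function unresolvedCopies(lock, minMajor = 3) {
  return findNodeFetchCopies(lock, minMajor).filter((finding) => !finding.ok);
}

for (const f of findNodeFetchCopies(sampleLock)) {
  console.log(`${f.ok ? 'OK  ' : 'FAIL'} node-fetch@${f.version} under ${f.nestedUnder}`);
}
```

A copy reported as FAIL under a package other than swagger-client needs its own `overrides` entry, because the override shown above is scoped to swagger-client only.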
After some research I came to the following conclusion: if we want to maintain backward compatibility (which we do), we have the following options:

1. Use native Node.js >= 18 fetch implementation. Wait until Node.js >=12 <18 dies out and we'll claim that swagger-client requires Node.js >= 18. For older Node.js the following polyfills can be used:
2. Use node-fetch@3 with
|
Here is PR with Node.js >= 14 support and integrating |
I would now recommend using:
I would not recommend using the forked cjs version, using async

```js
// looks kind of like this in undici
let fetchImpl // loaded lazily on the first call
module.exports.fetch = async function fetch (resource) {
  fetchImpl ??= require('./lib/fetch').fetch
  return await fetchImpl(...arguments)
}
```

it's no different from our recommendation in node-fetch/node-fetch#1279 (comment)

```js
const fetch = (...args) => import('node-fetch').then(({default: fetch}) => fetch(...args))
```

That way you can still use node-fetch@3 from a cjs project while still loading esm-only modules. node-fetch-cjs is not in sync with the main source.

It would also however be nice to not have to download any fetch dependency at all. If I'm using NodeJS v18 or v20 then I just feel that it's a bit in vain to have to download any extra dependency. Maybe some other recommendation could be to just let the user polyfill fetch with whatever implementation they prefer. Or make it an optional peer dependency where you try to load fetch from either

```js
const fetch = globalThis.fetch || await import('undici')
  .then(mod => mod.fetch)
  // node-fetch exposes fetch as its default export, so resolve it inside the fallback
  .catch(err => import('node-fetch').then(mod => mod.default))
  .catch(err => {
    throw new Error('fetch is missing, this require nodejs v18 or you have to install node-fetch, undici or polyfill it your self')
  })
```
|
I would also say that it might just be the time to also drop cjs and only provide an esm-only |
Hi @jimmywarting, Thanks for input.
Yeah, that's what I ended up doing during this night. It's good that my line of thinking wasn't that off. The only issue is that I'm testing exclusively against
Tried (and will probably look into it again), but it blows up the Jest. It would also blow up any downstream project using swagger-client. Following jest config needs to be introduced to make it work:

```js
// jest.config.js
module.exports = {
  transformIgnorePatterns: [
    '/node_modules/(?!(node-fetch|data-uri-to-buffer|fetch-blob|formdata-polyfill)/)',
  ],
};
```

For now I've settled with: https://www.npmjs.com/package/node-fetch-commonjs
Well that would be ideal, but our first goal is backward compatibility and out of the box functionality. If minimum supported version is Node.js >18, we will be there automatically, but our minimum supported Node.js is currently 12.20.0. One can also decide to choose its own fetch implementation by doing the following before importing swagger-client:

```js
globalThis.fetch = myFetchImpl;
globalThis.Headers = myHeadersImpl;
globalThis.Request = myRequestImpl;
globalThis.Response = myResponseImpl;
```
As said above, that would break backward compatibility. We cannot afford this now. What we'll be doing is to introduce backward compatible ESM and we'll keep it as long as possible (until one of the deps we use happens to become ESM and there will be no replacement). Thanks again @jimmywarting |
Closed by #3137 |
🎉 This issue has been resolved in version 3.21.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
node-fetch@3
is out for some it. Unfortunately it's pure ESM so we cannot use it. We need to convert this library to ESM to use it (#2414).