Replace node-fetch dependency with undici (#7705)

Update our dependency on aging `node-fetch` `v2.6.7` to `undici` `v5.26.5`.

This should fix some vulnerabilities within node-fetch as well as fix user issue #7660.

Author: DellaBitta

.changeset/real-dolls-type.md

@@ -0,0 +1,11 @@
+---
+'@firebase/auth-compat': minor
+'@firebase/firestore': minor
+'@firebase/functions': minor
+'@firebase/storage': minor
+'@firebase/auth': minor
+'firebase': minor
+---
+
+Replaced node-fetch v2.6.7 dependency with the latest version of undici (v5.26.5) in Node.js SDK
+builds for auth, firestore, functions and storage.

.yarn/releases/yarn-1.22.11.cjs

@@ -15,7 +15,7 @@
     "express": "4.18.2",
     "geckodriver": "2.0.4",
     "mocha": "9.2.2",
-    "node-fetch": "2.6.7",
+    "undici": "5.26.5",
     "selenium-assistant": "6.1.1"
   }
 }

integration/messaging/package.json

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-const fetch = require('node-fetch');
+const undici = require('undici');
 const FCM_SEND_ENDPOINT = 'https://fcm.googleapis.com/fcm/send';
 // Rotatable fcm server key. It's generally a bad idea to expose server keys. The reason is to
 // simplify testing process (no need to implement server side decryption of git secret). The
@@ -28,7 +28,7 @@ module.exports = async payload => {
     'Requesting to send an FCM message with payload: ' + JSON.stringify(payload)
   );
 
-  const response = await fetch(FCM_SEND_ENDPOINT, {
+  const response = await undici.fetch(FCM_SEND_ENDPOINT, {
     method: 'POST',
     body: JSON.stringify(payload),
     headers: {

integration/messaging/test/utils/sendMessage.js

@@ -153,6 +153,7 @@
     "tslint": "6.1.3",
     "typedoc": "0.16.11",
     "typescript": "4.7.4",
+    "undici": "5.26.5",
     "watch": "1.0.2",
     "webpack": "5.76.0",
     "yargs": "17.7.2"

package.json

@@ -23,11 +23,15 @@
  */
 export * from './index';
 import { FetchProvider } from '@firebase/auth/internal';
-import * as fetchImpl from 'node-fetch';
+import {
+  fetch as undiciFetch,
+  Headers as undiciHeaders,
+  Response as undiciResponse
+} from 'undici';
 import './index';
 
 FetchProvider.initialize(
-  fetchImpl.default as unknown as typeof fetch,
-  fetchImpl.Headers as unknown as typeof Headers,
-  fetchImpl.Response as unknown as typeof Response
+  undiciFetch as unknown as typeof fetch,
+  undiciHeaders as unknown as typeof Headers,
+  undiciResponse as unknown as typeof Response
 );

packages/auth-compat/index.node.ts

@@ -16,6 +16,7 @@
  */
 
 const karmaBase = require('../../config/karma.base');
+const webpackBase = require('../../config/webpack.test');
 const { argv } = require('yargs');
 
 const files = ['src/**/*.test.ts'];
@@ -29,6 +30,17 @@ module.exports = function (config) {
     // frameworks to use
     // available frameworks: https://npmjs.org/browse/keyword/karma-adapter
     frameworks: ['mocha'],
+    // undici is a fetch polyfill that test helpers call for Node tests, and browser tests should
+    // ingore its import to avoid compilation errors in those test helpers.
+    webpack: {
+      ...webpackBase,
+      resolve: {
+        ...webpackBase.resolve,
+        alias: {
+          'undici': false
+        }
+      }
+    },
 
     client: Object.assign({}, karmaBase.client, getClientConfig())
   });

packages/auth-compat/karma.conf.js

@@ -54,7 +54,7 @@
     "@firebase/auth-types": "0.12.0",
     "@firebase/component": "0.6.4",
     "@firebase/util": "1.9.3",
-    "node-fetch": "2.6.7",
+    "undici": "5.26.5",
     "tslib": "^2.1.0"
   },
   "license": "Apache-2.0",

packages/auth-compat/package.json

@@ -16,6 +16,7 @@
  */
 
 const karmaBase = require('../../config/karma.base');
+const webpackBase = require('../../config/webpack.test');
 const { argv } = require('yargs');
 
 module.exports = function (config) {
@@ -26,7 +27,17 @@ module.exports = function (config) {
     // frameworks to use
     // available frameworks: https://npmjs.org/browse/keyword/karma-adapter
     frameworks: ['mocha'],
-
+    // undici is a fetch polyfill that test helpers call for Node tests, and browser tests should
+    // ingore its import to avoid compilation errors in those test helpers.
+    webpack: {
+      ...webpackBase,
+      resolve: {
+        ...webpackBase.resolve,
+        alias: {
+          'undici': false
+        }
+      }
+    },
     client: Object.assign({}, karmaBase.client, getClientConfig(argv))
   });
 

packages/auth/karma.conf.js

@@ -115,7 +115,7 @@
     "@firebase/component": "0.6.4",
     "@firebase/logger": "0.4.0",
     "@firebase/util": "1.9.3",
-    "node-fetch": "2.6.7",
+    "undici": "5.26.5",
     "tslib": "^2.1.0"
   },
   "license": "Apache-2.0",