expose websocket in node bundle by KhafraDev · Pull Request #2217 · nodejs/undici (original) (raw)

@KhafraDev

@KhafraDev

mcollina

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm adding a -1 block mostly because this should be discussed with the rest of the @nodejs/collaborators, and I know more than one will object.

Given Node.js needs, this should be a semver-major for them.

I think targeting a major for undici should be good.

@GeoffreyBooth

I’ve been wanting Node to include a global WebSocket like browsers for quite a while. Sure it can be semver-major, but what are the arguments against exposing it? It feels along the same lines as fetch.

We might want to consider whether we want Undici’s WebSocket versus incorporating the ws module or other solutions, but are there objections to adding any solution?

@mcollina

ws is (for good reasons) not standard compliant.

@devsnek

What is not spec compliant? Just the extension for passing dispatcher?

@KhafraDev

ws the npm package, not undici's websocket. lpinca's comment includes a few places where ws breaks from the spec. There's also some non-standard properties exposed, some options which go completely against the spec (ie. disabling masking for performance reasons), and some other things I'm probably forgetting. It's a great library, that I based undici's impl on quite a bit with help from @/lpinca, but exposing it in node would definitely be a mistake.

@GeoffreyBooth

Assuming there’s no preferable implementation than Undici’s, what are the objections to exposing it in Node?

Should we update this PR to expose the new global WebSocket behind a flag --experimental-websocket? Then it could land and be backported, since the new flag would mean that it wouldn’t be a semver-major change. This would also let us start gathering feedback, for example if the Undici implementation has its own spec issues to fix. We’d have to resolve those (at least as much as we did for fetch) before unflagging; and the unflagging could only happen as semver-major. But at least we would start the process.

@KhafraDev

Maybe some of the comments in nodejs/node#19308? If anything, it's good to be safe and get feedback before merging this :)

@lpinca

@mcollina

Here goes the question for the @nodejs/tsc:

Given the downsides of nodejs/node#19308 (comment) and @lpinca objection, are we good in bringing a standard compliant implementation of WebSocket as a global?

@mcollina

Should we update this PR to expose the new global WebSocket behind a flag --experimental-websocket? Then it could land and be backported, since the new flag would mean that it wouldn’t be a semver-major change. This would also let us start gathering feedback, for example if the Undici implementation has its own spec issues to fix. We’d have to resolve those (at least as much as we did for fetch) before unflagging; and the unflagging could only happen as semver-major. But at least we would start the process.

Having this approach would simplify our maintenance, as we would be able to not release a major of undici, and simplify backporting.

@lpinca

@marco-ippolito

I'm +1 on this, it's the first step towards compatibility with web standard

@ShogunPanda

@targos

This PR doesn't have direct impact on node (except bundle size), right?

@targos

nodejs/node#19308 (comment) mentions fetch('wss://'). Is that implemented? Is it actually already available in Node.js?
This would make the exposition of the WebSocket constructor a small addition compared to the actual support of WebSockets.

@mildsunrise

I agree with @/lpinca on shortcomings, +1 on adding this behind a flag

@KhafraDev

@targos

mentions fetch('wss://'). Is that implemented? Is it actually already available in Node.js?

I think I misinterpreted the spec there; the websocket spec uses fetch internals, which is why it's mentioned in the fetch spec. I thought this meant that fetch would support websockets, which in hindsight doesn't make much sense (there wouldn't be a way to send or receive messages lol). https://fetch.spec.whatwg.org/#websocket-protocol

This PR doesn't have direct impact on node (except bundle size), right?

yeah

@GeoffreyBooth

@mcollina I don’t see any objections since your block, would you consider lifting it? I think we can add support for this behind an experimental flag. Then we can both backport it and continue to iterate on any spec or other issues.

With regard to the “but it’s only a WebSocket client, not also a server” . . . well, yeah, but that’s fine. If we want to ship a WebSocket server built into Node, we can do so via some other API. To use Deno as a reference:

Provides the API for creating and managing a WebSocket connection to a server, as well as for sending and receiving data on the connection.

If you are looking to create a WebSocket server, please take a look at Deno.upgradeWebSocket().

Exposing this behind a flag would let people start to explore options for solving that use case.

mcollina

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@GeoffreyBooth

@KhafraDev to be clear, I don’t think this PR can land as is, it needs to still add a flag. Perhaps --experimental-websocket? --experimental-websocket-client? And the docs need updating.

@KhafraDev

A flag would need to be added once websocket is exposed in node core (I plan on doing this once this lands). There's already an experimental warning added.

@GeoffreyBooth

A flag would need to be added once websocket is exposed in node core (I plan on doing this once this lands). There’s already an experimental warning added.

Does this PR expose anything that application authors would be able to access?

@KhafraDev

@GeoffreyBooth

Okay so if this doesn’t expose it to end users just yet, then 👍 seems fine to land this to me. Before we expose it as a public API let’s please add the flag and docs.

@JakobJingleheimer

Perhaps --experimental-websocket? --experimental-websocket-client? And the docs need updating.

If we're potentially adding both a client and server, how about --experimental-websocket=client|server (then in code, if getOption(…).includes('client')) and if getOption(…).includes('server'))).

@mcollina

I don't think there is or there should be a server implementation of this. The API is really flawed for that use case.

@mcollina

I don't think there is or there should be a server implementation of this. The API is really flawed for that use case.

@GeoffreyBooth

I don’t think there is or there should be a server implementation of this. The API is really flawed for that use case.

I wouldn’t be so categorical that Node will never have a websocket server of any kind. Deno has one, the ws module provides one. Maybe it won’t be via this API, but I wouldn’t rule out that we might add one at some point.

I’m not sure --experimental-websocket=client|server makes much sense; that seems like you have to enable only one or the other? Or pass this flag twice to enable both? I think we could maybe just have --experimental-websocket that enables both (if we ever get that far) and maybe we could make the client available unflagged when it’s ready and the flag continues to gate the server until that’s ready.

@mcollina

Not blocking that on this.

@regseb

@shellscape

I wouldn’t be so categorical that Node will never have a websocket server of any kind. Deno has one, the ws module provides one.

Given that we've been waiting for @nodejs/collaborators to act on WebSockets since Mar 12, 2018, I think it would be fair to be categorical about that.

ws is great, had been around a very long time, and meets most needs, but does have a fair amount of quirks. As someone who's been using undici as a dependency (request is so much nicer than fetch) instead of what's exposed via Node directly, I wouldn't mind an undici-dependency-only WebSocket server as part of this package. We've lived with Koa/Express/etc for well over a decade now without anything as comprehensive and complete exposed from Node core, so I'm not really sold that it's needed in Node core. I'd welcome a compliant websocket server package from the same team that's put undici together because it is quite excellent.

@tniessen

For visibility, someone independently proposed a new node:websocket module in nodejs/node#49478.

@jimmywarting

I like the Deno.upgradeWebSocket(req)

Deno.serve((req) => { if (req.headers.get("upgrade") != "websocket") { return new Response(null, { status: 501 }); } const socket = Deno.upgradeWebSocket(req);

socket instanceof WebSocket // true

socket.addEventListener("open", () => { console.log("a client connected!"); });

socket.addEventListener("message", (event) => { if (event.data === "ping") { socket.send("pong"); } });

return response; });

would like to have something like

server.on('upgrade', (req, socket) => { const socket = req.toWebSocket()

socket.addEventListener("open", () => { console.log("a client connected!") })

socket.addEventListener("message", (event) => { if (event.data === "ping") { socket.send("pong") } }) })

@mcollina

I think no one would recommend the use of WebSocket. Use the ws module, at least in servers. It's a really badly spec'd api.

@KhafraDev

I don't think undici (an http client) is the correct place to adding a Websocket server. ws is a great module, or node could use uws for a websocket server.

kodiakhq Bot referenced this pull request in X-oss-byte/Canary-nextjs

Oct 1, 2023

@renovate

kodiakhq Bot referenced this pull request in ascorbic/unpic-img

Oct 2, 2023

@renovate

kodiakhq Bot referenced this pull request in X-oss-byte/Nextjs

Oct 6, 2023

@renovate

ascorbic referenced this pull request in ascorbic/unpic-img

Oct 7, 2023

@renovate @ascorbic

kfcampbell referenced this pull request in octokit/rest.js

Oct 16, 2023

@renovate

Mend Renovate](https://renovatebot.com)

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici
(source) [5.22.1 ->
5.26.2](https://renovatebot.com/diffs/npm/undici/5.22.1/5.26.2)
age](https://docs.renovatebot.com/merge-confidence/)
adoption](https://docs.renovatebot.com/merge-confidence/)
passing](https://docs.renovatebot.com/merge-confidence/)
confidence](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

@​ronag in https://github.com/nodejs/undici/pull/2121

New Contributors

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate Bot referenced this pull request in specfy/specfy

Oct 16, 2023

@renovate

Mend Renovate](https://renovatebot.com)

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici
(source) [5.23.0 ->
5.26.2](https://renovatebot.com/diffs/npm/undici/5.23.0/5.26.2)
age](https://docs.renovatebot.com/merge-confidence/)
adoption](https://docs.renovatebot.com/merge-confidence/)
passing](https://docs.renovatebot.com/merge-confidence/)
confidence](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

louis-bompart referenced this pull request in coveo/cli

Jan 16, 2024

@renovate @developer-experience-bot

…#1402)

Mend Renovate](https://renovatebot.com)

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici
(source) [5.22.0 ->
5.26.2](https://renovatebot.com/diffs/npm/undici/5.22.0/5.26.2)
age](https://docs.renovatebot.com/merge-confidence/)
adoption](https://docs.renovatebot.com/merge-confidence/)
passing](https://docs.renovatebot.com/merge-confidence/)
confidence](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

@​ronag in https://github.com/nodejs/undici/pull/2121

New Contributors

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

v5.22.1

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.22.0...v5.22.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: developer-experience-bot[bot] <91079284+developer-experience-bot[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

crysmags pushed a commit to crysmags/undici that referenced this pull request

Feb 27, 2024

@KhafraDev @crysmags

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})