Proposal to swap deprecated request for node-fetch #754
Comments
|
This approach is going to introduce breaking changes for consumers of this client library (there were 151k downloads last week alone). We need to have a more careful plan for how we roll out this change. I would like to support existing users for at least a few versions (perhaps 3?) while we make this transition. Perhaps the right way to do this is to introduce a new major version to signify the new generator? e.g.
This will require introducing a new branch for the Please note that this is going to be a big change that will touch nearly the entire library, I think |
|
That phasing plan makes sense to me. It's in-line with the npm semantic versioning. It might make sense to deprecate the 0.x releases with a warning telling them that support for the old client api will no longer be supported after a certain version and encouraging them to upgrade. That should alert existing users of the changes. I'm prepared to take on the responsibility associated with this upgrade. |
|
Is using both generators and fetch/request in parallel not an option during the transition? I haven't thought through all implications or the workload of doing that, just thinking out loud, but it would be nice if you could do something like |
|
I agree it would be nice if we could keep the user experience that cohesive, but unfortunately these changes seem too broad and breaking for that to be doable. Given the extent of the proposed changes, it could introduce significant overhead and complexity to have two major versions bundled in a single release. I've taken a shot at incrementing
Another predictable area of major changes is the error interfaces since we are changing the network library, and the proposal includes incrementing typescript by a major version. This may be a config option that I've inadvertently changed, but IMO it does come across cleaner. This could be a concern if we had I'll keep checking it out. There could be an easier way tweaking the generator options that I'm not familiar with. |
|
One other option would be to package the old generated code and the new generated code into different directories and effectively have:
or
e.g. keep everything in one place from a release perspective, but introduce a fork in the imports that you can use. |
|
That could definitely work if we introduce a named export for Another possibility would be to have
or
to retain existing import compatibility for
|
|
I think there are different kinds of breaking changes. I feel like changing an import statement is a much lower cost breaking change vs changing the entire API surface area. So I would be ok to require
or
And I think that is feasible... |
|
I don't think putting both the new api and old api in the same package / directory makes sense to me. The fact that it's a breaking change between them means that someone can't just swap out API's when making the change. // switching from this
import { api_new as api } from @kubernetes/node-client
// to this would still require code changes in lots of places where the api is used
import { api_old as api } from @kubernetes/node-clientSomeone migrating to the new api would have to change every single node-client import statement in their repo which would be time consuming and tedious. It's simpler from a user-standpoint to simply upgrade their version then fix any errors in the code. By having both the old and new api in the same package we also wouldn't be able to take advantage of a npm deprecation warning which would help warn users of the upcoming drop of support for the old api. Users wouldn't be upgraded to the breaking api without doing it manually (or changing their From a user-standpoint I don't think it's easier to change the import and I believe one of our goals should be gently pushing consumers to migrate when they get the chance (or at least be aware of upcoming drops in support). From our standpoint it's more difficult to work with a directory layout that has two apis rather than just different branches. Storing the new and old api in the in the same package would make more sense to me if there was some reason why a user would want to use both the old and new api but I can't think of one. |
|
The major version suggestion seems be the cleanest way. Putting the changes in a new major version would make upgrading a clear decision without interfering with existing code. That way we don't mix code from two generators in a single package. |
|
Completely supporting the major version upgrade. Our team doesn't mind spending some time adjusting code to the new API, as long as we can stop using deprecated or regularly vulnerable packages! 😄 |
|
Ok, sounds like the consensus is for a major version upgrade. I have created a We can start sending PRs to the |
|
We should also probably turn this discussion into a markdown document that describes our approach and links off of the main README.md |
|
Quick update: @davidgamero and I have been working on this for the last two weeks. We're having to make some changes to open-api generator to support the way we need to do auth. @davidgamero has been working on identifying the exact improvements necessary. |
|
Update 2: Two PRs have been completed against OpenAPITools/openapi-generator (the typescript generator template in specific), and a third is in progress. Complete (PR)
In Progress (Issue) [REQ][typescript] Enable passing custom SecurityAuthentication to API With this last PR, the ability to pass certificates to the |
|
Update 3: Custom Authentication is now complete in the typescript generator. Currently migrating the |
|
fetch
https://nodejs.org/en/blog/release/v17.5.0/
node 17's fetch is using undici |
Hopefully the TypeScript generator swaps over to this way. |
|
This will be great! It should be simpler to switch from node-fetch to the included fetch in the future (since their syntax is very similar) |
|
Hello, If I understand correctly - Here: Line 62 in b4ccd6e The latest status is: Is this something I can help with? Is there a branch with source I can help to get compiling, I'm happy to try to help. Thanks, Chad |
|
Hi @chadbr , the current working branch is https://github.com/kubernetes-client/javascript/tree/release-1.x and the next step is migrating all the auth providers and their unit tests. It's mostly mapping headers and query params to use the new Any help migrating those would be very appreciated! I'm finishing up the |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
@pauliusg Problem with I worked around that like this: const patchconf = client => createConfiguration({
promiseMiddleware: [
{
pre: async (context) => {
context.setHeaderParam('Content-type', k8s.PatchUtils.PATCH_FORMAT_JSON_PATCH);
return context;
},
post: async (context) => {
return context;
},
},
],
baseServer: client.api.configuration.baseServer,
});The problem here is that when this error is resolved, the media type error returns. Turns out that problem is caused by a bug in the generated code that can't be worked around. In the action method it attempts to automate the request content-type selection: // Body Params
const contentType = ObjectSerializer_1.ObjectSerializer.getPreferredMediaType([
"application/json-patch+json",
"application/merge-patch+json",
"application/strategic-merge-patch+json",
"application/apply-patch+yaml"
]);That function looks like this: const supportedMediaTypes = {
"application/json": Infinity,
"application/octet-stream": 0,
"application/x-www-form-urlencoded": 0
};
...
static getPreferredMediaType(mediaTypes) {
/** According to OAS 3 we should default to json */
if (mediaTypes.length === 0) {
return "application/json";
}
const normalMediaTypes = mediaTypes.map(this.normalizeMediaType);
let selectedMediaType = undefined;
let selectedRank = -Infinity;
for (const mediaType of normalMediaTypes) {
if (supportedMediaTypes[mediaType] > selectedRank) {
selectedMediaType = mediaType;
selectedRank = supportedMediaTypes[mediaType];
}
}
if (selectedMediaType === undefined) {
throw new Error("None of the given media types are supported: " + mediaTypes.join(", "));
}
return selectedMediaType;
}I think it should be obvious why this is doomed to permanently fail... I've spent half the day working on getting a local dev setup to iterate on a potential fix, but haven't yet succeeded. Until then, I've told my security people that the package update date is unfortunately indeterminate. |
|
@joshperry if the bug is indeed in the generated code, the code generator is here: They're usually pretty good about merging fixes, and then we can regenerate. |
|
which media type are you missing? it's possible we just need to bump the gen hash to include OpenAPITools/openapi-generator#16386 |
|
@davidgamero The problem is that the @brendandburns Yeah, I got the three projects cloned, just struggling to weave them together so I can generate locally. Looks like the ETA: I see, I can set |
|
Looks like this issue was already fixed and merged upstream, just waiting for a new release: OpenAPITools/openapi-generator#16386 I guess the only other issue (for Sorry @davidgamero, I totally missed your link. |
|
@joshperry do you mean waiting for a release from openapi-generator or this project? |
|
i completely agree that the ergonomics of the custom header are cumbersome for this use case, and providing a way to merge new options into the config would make this much easier |
|
I was able to verify that regenerating this project with the latest tag of the openapi-generator project (v7.0.1) solves this issue (in conjunction with the middleware workaround). If you want to try, I published a version with js built to my fork, just |
|
the middleware workaround seems reasonable while we develop a cleaner long-term solution, so im in favor of a new rc with that code included. just made a pr for the changes @joshperry |
|
Bumping up the priority on this item, since the deprecated |
|
Any update on this? Very interested in closing out the CVE referenced above |
|
@kberkos-public @efenner-cambia there is a pre-release of the library based on fetch that you can start consuming: Note that the API has changed somewhat, so it is not a drop-in replacement. |
|
Thank you so much @brendandburns ! |
|
I can see there's a later pre-release library https://www.npmjs.com/package/@kubernetes/client-node/v/1.0.0-rc4?activeTab=versions made available on 2023-12-23. @brendandburns do you know when v1.0.0 is going to be released and in which kubernetes version it will be included, to remediate CVE-2023-28155? PSIRTRef_fup_3P_kubernetes PVR0429050 |
|
@brendandburns any update on this? |
|
This client is not released as part of the Kubernetes release. There is no current eta for a non RC 1.0.0 release, we need more mileage and reports from people that they have migrated successfully to have confidence in the release. |
|
@brendandburns can you confirm that when kuberenetes/client-node/v/1.0.0 is available as well as remediating CVE-2023-28155, it will also remediate CVE-2023-26136; where it seems the required upgrade to PSIRTRef_fup_3P_kubernetes PVR0452658 |
|
I forgot to report that I migrated a private repository to rc2 with no issues. I didn’t realize that there was an rc3; I’ll add that to my todo list. |
|
@briandealwis There is even an rc4 by now: https://www.npmjs.com/package/@kubernetes/client-node/v/1.0.0-rc4 |
|
Migrated 14 microservices to rc4 with no issues other than one TS type that needed to change (we had cast the watch result |
|
The latest pre-release library https://www.npmjs.com/package/@kubernetes/client-node/v/1.0.0-rc4?activeTab=versions remains rc4 made available on 2023-12-23, which appears to be receiving positive feedback for migrating microservices. Is there any further thought when v1.0.0 maybe released and in which kubernetes version it will be included? I believe this is blocking the remediation of CVE-2023-28155 as well as CVE-2023-26136, where it seems the required upgrade to tough-cookie-4.1.3 is dependent on the replacement of the request package. PSIRTRef_fup_3P_kubernetes PVR0429050 PVR0452658 PVR0473928 PVR0473931 |
|
I wouldn't say that rc4 feedback is positive. Yes, code works properly but it is a pain to use middleware. For example when you need to add a header when patching pod: I think you agree that we need quite much code to patch a pod, it should be simpler... |
|
I'm not sure where the best place to return feedback on RC4 is, but I'll assume from the thread maybe here. The errors being returned appear to have a body of a string or undefined, and not an object as they were in 0.2.0: |
and others
Proposal to swap deprecated request for node-fetch
Request is fully deprecated requiring us to switch libraries (see #414 for more information).
@brendanburns outlined some of the clear options forward. This change should ideally be a long-term solution leaving us with the option of either modifying the node-typescript open-api-generator to use a different request library or migrate to one of the other generator options.
Modifying an outdated node-typescript library does not seem like the right path forward. It would require us to still use a new library which would likely change the api and still be a breaking change. We might as well migrate to a newer version of openapi-generator while we do that and acquire the advantages of a more up-to-date version.
Choosing a new library
@d-cs posted a nice summary of the different choices. We narrowed it down to Axios or Fetch. The other libraries didn't match how widely adopted and focused these libraries are.
Fetch is simply the standard JavaScript as a whole is moving to, which brings more longterm support aligning us better with our goal of migrating to a long-term solution. node-fetch has significantly more weekly downloads than axios. The package size of node-fetch is also noticeably smaller than axios.
Additionally, future improvements could likely be done to allow us to also support the browser #165 since Fetch is native to the browser.
Node-fetch
Fetch is a native browser API that is not implemented in Node.js by default. Node-fetch is the natural choice for the Node implementation because it is the most widely adopted.
The openapi-generator uses the browser implementation of Fetch so we must substitute node-fetch in manually.
Implementation steps
@davidgamero and I will work to implement the following changes.
Other repositories
typescriptThreePlusconfig option 1 2Kubernetes-client repository
OPENAPI_GENERATOR_COMMITto be version 5.3.0npm install node-fetchto install node-fetchsrc/api.tswith the followingnpm run generateThe text was updated successfully, but these errors were encountered: