fix(http): force identity encoding so compressed API responses parse#181
fix(http): force identity encoding so compressed API responses parse#181annextuckner wants to merge 3 commits into
Conversation
httpRequest from @socketsecurity/lib@6.0.6 advertises Accept-Encoding: gzip, br but never decompresses on its main response path, so a Content-Encoding: br reply (e.g. the Socket file-list endpoint) reaches .json()/.text() as raw compressed bytes and fails to parse. Add a socketHttpRequest wrapper that forces Accept-Encoding: identity and route every Socket-bound call site through it, so the server returns uncompressed bodies the lib reads correctly.
John-David Dalton (@jdalton) does this have a lint autofix available? |
socketHttpRequest sat between buildSocketHeaders and getApiKeyInteractively, tripping the sort-export gate. Move it after parseJsonObject so the export group stays alphanumeric.
The socket-registry install action raised its floor to >= 6.0.7. The catalog sat at 6.0.6 and the package.json self-alias still pinned 6.0.3, so install failed the floor check. Bump catalog + both direct pins to 6.0.7 and refresh the lockfile.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
John-David Dalton (jdalton)
force-pushed
the
main
branch
2 times, most recently
from
12bc2c7 to
7b90939
Compare
|
Thanks for the thorough diagnosis here — your root-cause analysis was spot on: We've resolved this at the source rather than via the Landed in Released in v0.0.18. Closing this out since the upstream fix supersedes the workaround. Appreciate the careful write-up and the wire-level verification — it made confirming the fix straightforward. |
3 participants
Problem
The
package_files/file-listtool fails on packages whose manifest comes back compressed:httpRequestfrom@socketsecurity/lib@6.0.6advertisesAccept-Encoding: gzip, bron every request, but its main response path (request-attempt.js, theres.on("end")handler) builds the response straight from the raw buffer and never decompresses —.json()/.text()justtoString("utf8")the still-compressed bytes. ThedecodeBodydecompressor exists only on the unusedreadIncomingResponsebypass.The Socket
file-listendpoint returnscontent-encoding: br, so the brotli stream reachesJSON.parseas raw bytes. Confirmed against the live endpoint: the8b 62 4a 44 54prefix of the response is exactly the�bJDTin the error, and brotli-decompressing it yields valid{"files":[...]}.Fix
Add a
socketHttpRequestwrapper inlib/http-helpers.tsthat forcesAccept-Encoding: identity, and route all seven Socket-boundhttpRequestcall sites through it (alerts, threat-feed, files, depscore, blob, both OAuth calls). The server then returns uncompressed bodies the lib reads correctly. The override is appended last so it wins the lib's header merge regardless of order.This is a workaround for the upstream lib defect; once
httpRequestdecompresses on its main path, the override can be dropped andgzip, brrestored for the bandwidth win.Verification
pnpm run test:tscclean; 67 tests pass across the touched modules.Accept-Encoding: identity→ nocontent-encoding, plain JSON, 1054 files parsed.onRequesthook confirms onlyAccept-Encoding: identityis sent, with no leftovergzip, brand no duplicate header key.