feat(utils): always announce as Convert SDK via ConvertAgent User-Agent#387
Merged
Merged
Conversation
Set the User-Agent header to ConvertAgent/1.0 on every outbound HTTP request from HttpClient when running server-side. Browser path stays untouched (browsers strip User-Agent per the W3C forbidden-header list, and the browser's natural UA does not trigger isbot anyway). Two branches updated: - fetch path (server-with-fetch + browser): conditional on runtimeResult.runtime !== 'browser' - old-nodejs path: unconditional (always server-side) Why this matters: ApiManager's _trackingSource (network.source on the wire) is customer-configurable and could be overridden via SDK config, or via a CI VERSION-stamping pattern. Either could silently break the metrics-endpoint's source-field bypass. The UA is now an SDK invariant: applied at the lowest HTTP transport layer, after any caller-provided headers, so neither config nor higher-layer headers can override it. Matches the metrics-endpoint's isConvertAgentUA bypass that has been in place since 2026-05-20. Source-field bypass at the metrics endpoint stays in place as legacy fallback for already-deployed SDK versions. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the HttpClient to include a custom User-Agent header (ConvertAgent/1.0) for server-side requests to ensure traffic is correctly identified by bot filters. This change is implemented in both the fetch and Node.js request paths. The review feedback highlights that the current implementation mutates the headers object directly, which can cause side effects if the caller reuses the configuration object. It is recommended to use object spread to create a shallow copy of the headers instead.
Replaces the two hard-coded 'ConvertAgent/1.0' literals in the http-client with a single named const declared near the imports, so the value is named once and the two injection sites reference it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
JosephSamirL
approved these changes
May 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
User-Agent: ConvertAgent/1.0on every outbound HTTP request fromHttpClientwhen running server-side.fetch(gated onruntimeResult.runtime !== 'browser') andold-nodejs(unconditional, always server-side).Why now
The May 19 metrics-endpoint isbot regression exposed that
ApiManager's_trackingSource(network.sourceon the wire) is customer-configurable. Combined with the CI source-stamping pattern (rollup writesjs<version>at build time), the wire-side source value is in two ways out of our control — customer config and CI environment. Either could silently break the metrics-endpoint's source-field bypass and re-create the May 19 outage shape.Baking the UA at the lowest transport layer (
HttpClient.request()inpackages/utils/src/http-client.ts) makes the announcement an SDK invariant — not config-driven, not env-driven, not customer-overridable. Metrics-endpoint code stays untouched (theisConvertAgentUAbypass has been in place since 2026-05-20 17:06 UTC).What stays in place
The source-field bypass at the metrics endpoint remains as legacy fallback for already-deployed SDK versions. Customers on older SDKs continue to work via the
/^js\d+\.\d+\.\d+/regex path.Test plan
packages/utilsto verifyUser-Agent: ConvertAgent/1.0is present onHttpClient.request()outputs whendetermineRuntime()returnsserver-with-fetchorold-nodejs, and absent (or rather, left to whatever caller set) whenbrowserbotCheckSkippedevents fire with the ConvertAgent UA bypass path🤖 Generated with Claude Code