Pin managed fetch dispatcher#5
Merged
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
Pins the managed globalThis.fetch patch to Proxyline's own dispatcher by explicitly setting (rather than stripping) the dispatcher init field, so that a later setGlobalDispatcher() cannot bypass managed proxy routing. Also preserves Undici's primitive-init rejection behavior and updates docs/changelog to clarify global fetch coverage vs. imported Undici APIs.
Changes:
- Replaced
stripFetchDispatcherwithwithManagedFetchDispatcher, which validates primitive init values and pins Proxyline's active managed dispatcher into the init. - Added tests covering invalid primitive init rejection and proxy routing surviving a
setGlobalDispatcher()replacement in managed mode. - Updated README, surfaces.md, security.md, and CHANGELOG to describe the pinned-dispatcher behavior.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/runtime.ts | Refactor fetch init handling to pin managed dispatcher and validate primitive init. |
| test/package.test.ts | New test verifying primitive init values are rejected with a TypeError. |
| test/e2e.test.ts | New e2e test confirming managed routing survives setGlobalDispatcher. |
| README.md | Clarify global fetch vs. Undici global dispatcher coverage. |
| docs/surfaces.md | Update managed fetch description to reflect pinned dispatcher. |
| docs/security.md | Update out-of-scope and threat table entries for pinned dispatcher. |
| docs/README.md | Mirror README clarification on fetch coverage. |
| CHANGELOG.md | Add 0.3.3 entry for the fix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
Thanks @jesse-merhi. This landed in 5d3dc51, with follow-up changelog credit in b7f22d5 because the PR branch could not be updated from this checkout. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
globalThis.fetchcalls to the active Proxyline dispatcher so latersetGlobalDispatcher()calls cannot bypass managed proxy routing.fetchinit rejection behavior while overriding explicit dispatcher options in managed mode.Verification
git diff --checkfnm exec --using v22.21.0 pnpm check$code-reviewclean: Codex review clean plus cold/manual pass with no remaining actionable findings.