ref: Use undici to download binary #2993
Merged
+62
−43
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JPeer264
force-pushed
the
jp/upgrade-node-fetch
branch
from
b341615 to
99bef89
Compare
JPeer264
added
the
v3.0
JPeer264
force-pushed
the
jp/upgrade-node-fetch
branch
from
15cb52d to
0c9cd59
Compare
![sentry[bot]](https://avatars.githubusercontent.com/u/1396951?s=60&v=4){kind=small}
Comment on lines
+278
to
283
| // Check if we have a total size to validate against | ||
| if (totalBytes > 0 && downloadedBytes < totalBytes) { | ||
| reject(new Error('connection interrupted')); | ||
| } else { | ||
| resolve(); | ||
| } |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
andreiborza
approved these changes
Dec 2, 2025
CHANGELOG.md
Outdated
|
|
||
| ### Internal changes | ||
|
|
||
| - Removed `node-fetch` dependency when using the NPM package ([#2993](https://github.com/getsentry/sentry-cli/pull/2993)) |
Member
There was a problem hiding this comment.
Suggested change
| - Removed `node-fetch` dependency when using the NPM package ([#2993](https://github.com/getsentry/sentry-cli/pull/2993)) | |
| - Removed `node-fetch` and `https-proxy-agent` dependencies when using the NPM package ([#2993](https://github.com/getsentry/sentry-cli/pull/2993)) |
CHANGELOG.md
Outdated
Comment on lines
61
to
63
| ### Internal changes | ||
|
|
||
| - Removed `node-fetch` dependency when using the NPM package ([#2993](https://github.com/getsentry/sentry-cli/pull/2993)) |
Member
There was a problem hiding this comment.
Since this is an internal change, we should not include it in the changelog imo.
Suggested change
| ### Internal changes | |
| - Removed `node-fetch` dependency when using the NPM package ([#2993](https://github.com/getsentry/sentry-cli/pull/2993)) |
I would also update the PR title from feat: to ref:, as it is not really a new feature from the user perspective. And, that way, the DangerJS action will not complain about a missing changelog entry, since changelog entries are not required for ref: PRs.
Member
Author
There was a problem hiding this comment.
I removed it and renamed the PR
JPeer264
changed the title
JPeer264
changed the title
Comment on lines
+277
to
284
| .on('finish', () => { | ||
| // Check if we have a total size to validate against | ||
| if (totalBytes > 0 && downloadedBytes < totalBytes) { | ||
| reject(new Error('connection interrupted')); | ||
| } else { | ||
| resolve(); | ||
| } | ||
| }); |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
f1119df to
36bbead
Compare
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
2 times, most recently
from
60bb5c0 to
c7f20b7
Compare
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
a69c17c to
fdc3cae
Compare
This was referenced Dec 10, 2025
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
fdc3cae to
bc0a8dc
Compare
szokeasaurusrex
approved these changes
Dec 10, 2025
Comment on lines
+277
to
283
| .on('finish', () => { | ||
| // Check if we have a total size to validate against | ||
| if (totalBytes > 0 && downloadedBytes < totalBytes) { | ||
| reject(new Error('connection interrupted')); | ||
| } else { | ||
| resolve(); | ||
| } |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
c7f20b7 to
d0453c4
Compare
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
bc0a8dc to
8d3aa8b
Compare
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
d0453c4 to
2c953fe
Compare
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
8d3aa8b to
d7fc80e
Compare
szokeasaurusrex
pushed a commit
that referenced
this pull request
Dec 11, 2025
This removes `node-fetch` entirely. We could have upgrade to `node-fetch@3`, but this one requires ESM-only, which we can't support (we still need CJS support for our `@sentry/*` bundler packages). With this PR we use now `undici` which also has a `ProxyAgent` included, so we got rid of `https-proxy-agent` as well. Closes #1810 Closes [CLI-25](https://linear.app/getsentry/issue/CLI-25/upgrade-to-node-fetch-v3-to-avoid-punycode-deprecation-warning)
szokeasaurusrex
pushed a commit
that referenced
this pull request
Dec 11, 2025
This removes `node-fetch` entirely. We could have upgrade to `node-fetch@3`, but this one requires ESM-only, which we can't support (we still need CJS support for our `@sentry/*` bundler packages). With this PR we use now `undici` which also has a `ProxyAgent` included, so we got rid of `https-proxy-agent` as well. Closes #1810 Closes [CLI-25](https://linear.app/getsentry/issue/CLI-25/upgrade-to-node-fetch-v3-to-avoid-punycode-deprecation-warning)
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
d7fc80e to
fbd68c2
Compare
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
2c953fe to
98e6185
Compare
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
98e6185 to
6b32ed2
Compare
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
fbd68c2 to
004923c
Compare
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
6b32ed2 to
3679dc2
Compare
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
2 times, most recently
from
5529ca5 to
7a09a4e
Compare
This removes `node-fetch` entirely. We could have upgrade to `node-fetch@3`, but this one requires ESM-only, which we can't support (we still need CJS support for our `@sentry/*` bundler packages). With this PR we use now `undici` which also has a `ProxyAgent` included, so we got rid of `https-proxy-agent` as well. Closes #1810 Closes [CLI-25](https://linear.app/getsentry/issue/CLI-25/upgrade-to-node-fetch-v3-to-avoid-punycode-deprecation-warning)
szokeasaurusrex
force-pushed
the
jp/move-to-native-typescript
branch
from
0f60c1c to
e06b170
Compare
szokeasaurusrex
force-pushed
the
jp/upgrade-node-fetch
branch
from
7a09a4e to
aa1e54c
Compare
| } else { | ||
| resolve(); | ||
| } | ||
| }); |
There was a problem hiding this comment.
Bug: Download integrity check unreliable with compressed responses
The connection interrupted check compares downloadedBytes against totalBytes to detect truncated downloads. However, with undici's transparent decompression, downloadedBytes counts decompressed bytes while totalBytes may still be the compressed content-length (undici preserves this header). If a connection interrupts mid-transfer but enough compressed data was already received to decompress to more bytes than the compressed size, the check downloadedBytes < totalBytes evaluates to false, causing the download to be incorrectly accepted as complete. The old code avoided this by setting compress: false and tracking compressed bytes. While checksum validation provides a safety net, users who set SENTRYCLI_SKIP_CHECKSUM_VALIDATION=1 lose protection against corrupted downloads in this scenario.
Additional Locations (1)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This removes
node-fetchentirely. We could have upgrade tonode-fetch@3, but this one requires ESM-only, which we can't support (we still need CJS support for our@sentry/*bundler packages).With this PR we use now
undiciwhich also has aProxyAgentincluded, so we got rid ofhttps-proxy-agentas well.Closes #1810
Closes CLI-25