Fetch implementation with cross-platform support #1457

Open: wants to merge 3 commits into base: next

nasatome

What kind of change does this PR introduce?

Feature - Major modernization of the fetch implementation with cross-platform support and security enhancements

What is the current behavior?

  • Uses deprecated @supabase/node-fetch (last updated 2023)
  • Limited platform support and compatibility issues
  • Potential security vulnerabilities in header handling
  • Bundle contamination in browser environments
  • Complex async initialization patterns

What is the new behavior?

🚀 fetch.ts - Modern Cross-Platform Fetch Implementation

  • Replaces deprecated @supabase/node-fetch with node-fetch-native for broader platform support
  • Priority system: Custom fetch → Native fetch (Node 18+, Deno, browsers) → Polyfill (Node 14-17)
  • Security-hardened against header injection attacks with case-insensitive deduplication
  • Bundle protection with ultra-dynamic imports to prevent browser bundle contamination
  • Streaming support preserving non-enumerable RequestInit properties
  • Worker compatibility for all worker environments (Dedicated, Shared, Service, Edge)

🔒 Security Enhancements

  • Prevents authentication bypass via Request object header hiding
  • Case-insensitive header normalization for security headers only
  • Manual Headers copying to prevent Undici/WHATWG prototype mixing crashes
  • Ghost duplicate header prevention (e.g., apikey + ApiKey + APIKEY)

🏗️ SupabaseClient.ts - Seamless Integration

  • Sync-compatible wrapper around async fetchWithAuth for backward compatibility
  • Lazy initialization pattern for optimal performance
  • Custom fetch support via global.fetch option (matches official documentation)
  • Maintains all existing APIs while using modernized fetch under the hood

fetch-modernization.test.ts - Comprehensive Testing

  • 100% compatibility testing for custom fetch scenarios
  • Cross-platform environment detection tests
  • Security vulnerability prevention verification
  • Backward compatibility assurance for existing integrations
  • Header merging safety tests across different runtime implementations

📦 Bundle & Performance Optimizations

  • Zero bundle inflation in browser environments
  • Minimal webpack warnings (only intentional dynamic import protection)
  • Platform detection avoids unnecessary polyfill loading

🌐 Platform Support Matrix

  • Node.js 14-22 (native fetch 18+ or polyfill fallback) [test on node 20+]
  • Deno 1.x (native fetch) [this has yet to be tested]
  • Bun (native fetch) [this has yet to be tested]
  • All browsers (native fetch) [Chrome and Firefox tested, not Safari]
  • All worker environments (Dedicated, Shared, Service, Edge) [this has yet to be tested]
  • React Native, Cloudflare Workers (custom fetch support) [this has yet to be tested]

Additional context

  • Maintains 100% backward compatibility - no breaking changes to existing APIs
  • Tested locally with my own project and it works; the community is requested to test in their own environments (tested using my own build, "@supabase/supabase-js": "file:/prj/open-source/supabase-js-nasatome").
  • I did it because it was giving me errors with my webpack bundle and I needed it to work ASAP. If it doesn't merge, I hope you take into account some of the points I mentioned.

nasatome added 3 commits June 10, 2025 17:46
…Client

- Introduced lazy initialization for `fetch` and `rest` properties to improve performance and avoid circular dependencies
- Added synchronous fetch wrapper (`_createSyncFetchWrapper`) to handle async initialization internally, ensuring compatibility across platforms
- Enhanced error handling for access token retrieval and session management with appropriate logging and graceful fallbacks
- Updated fetch implementation in `lib/fetch.ts` with modernized cross-platform approach (Node.js 14-22, Deno, Bun, browsers, workers)
- Replaced deprecated @supabase/node-fetch with node-fetch-native for broader platform support
- Implemented unified header merging functions (`mergeHeadersSecurely`, `extractAndMergeHeaders`) to prevent injection attacks and ensure HTTP/2 compliance
- Added bundle contamination prevention with ultra-dynamic imports and webpackIgnore comments
- Introduced a new test file to validate the functionality of the modernized fetch system.
- Implemented tests for custom fetch handling, environment compatibility, error handling, and integration with SupabaseClient.
- Ensured backward compatibility and type safety for fetch-related functions.
- Included tests for security header handling, undefined value filtering, and cross-runtime compatibility.
- Addressed specific issues with header merging and TypeError prevention in mixed environments.
- Updated package.json to remove @supabase/node-fetch and add node-fetch-native as a dependency.
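
The case-insensitive deduplication of security headers and the reading of headers carried on a `Request` object, both described in the PR text above, can be sketched as follows. This is an added example, not code from the pull request or from supabase-js: the names `mergeHeaders`, `collectHeaders` and `toPairs`, the `SECURITY_HEADERS` list, and the precedence order (defaults, then `Request` headers, then `init.headers`) are assumptions.

```javascript
// Added illustration; function names and the header list are hypothetical.
const SECURITY_HEADERS = new Set(['apikey', 'authorization']); // assumed list

// Normalize a Headers instance, [name, value] array or plain object to pairs.
function toPairs(source) {
  if (!source) return [];
  if (typeof source.forEach === 'function' && typeof source.get === 'function') {
    // Copy entry by entry instead of handing the instance to another Headers
    // constructor, so objects from different runtimes are never mixed.
    const pairs = [];
    source.forEach((value, name) => pairs.push([name, value]));
    return pairs;
  }
  return Array.isArray(source) ? source : Object.entries(source);
}

// Later sources win. Security headers are matched case-insensitively and kept
// under a single lowercase key, so apikey / ApiKey / APIKEY cannot coexist.
// Other headers keep the name they arrived with.
function mergeHeaders(...sources) {
  const merged = {};
  for (const source of sources) {
    for (const [name, value] of toPairs(source)) {
      if (value === undefined || value === null) continue; // filter unset values
      const lower = String(name).toLowerCase();
      merged[SECURITY_HEADERS.has(lower) ? lower : name] = String(value);
    }
  }
  return merged;
}

// fetch(input, init) may carry headers on a Request passed as `input`.
// Read them as well, so credentials set there take part in the merge
// instead of being overlooked.
function collectHeaders(input, init = {}, defaults = {}) {
  const fromRequest = input && typeof input === 'object' ? input.headers : undefined;
  return mergeHeaders(defaults, fromRequest, init.headers);
}

// Constructed sample: three spellings of the same header collapse to one key.
console.log(mergeHeaders({ apikey: 'anon' }, { ApiKey: 'b' }, [['APIKEY', 'service']]));
```
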