okta-sdk-nodejs

realFetch.call is not a function

Open theseyi opened this issue 4 years ago • 6 comments

Attempting to make a call using the SDK method oktaClient.getUser(user). Ran into the title issue, realFetch.call is not a function. Root seems to be in the latest version of isomorphic-fetch lib (issue here) via node-fetch (see here).

Can the version be pinned to a lower version, since it does seem to be present in just the latest, as mentioned here?

theseyi avatar Feb 24 '21 06:02 theseyi

Thanks for the investigation @theseyi.

It appears that [email protected] contains a vulnerability. We will consider switching to cross-fetch.

Internal Ref: OKTA-372920

@theseyi are you able to share the details of SDK usage leading to this error? getUser(username) (SDK v4.4.0) seems to be returning w/o issues on minimal express server setup running on node (v12.18.4 and v14.15.0).

Thanks for looking into this @oleksandrpravosudko-okta node v12.20.1 @okta/okta-sdk-nodejs v4.4.0

I was able to resolve this by setting my isomorphic-fetch version to 2.2.1 in my yarn workspace manifest

  "resolutions": {
    "isomorphic-fetch": "2.2.1"
  },

This resolves the issue in the interim, but as you mentioned with the vuln, it is less than ideal.

It is possible that this issue may be due to incompatibility in that version of isomorphic-fetch and cross-fetch if it is also installed, which can happen in a monorepo. I have @okta/okta-auth-js installed, which has cross-fetch@^3.0.6 as a dependency. Might be helpful to keep the same fetch lib for both packages (@okta/okta-auth-js and @okta/okta-sdk-nodejs)?

theseyi avatar Feb 24 '21 15:02 theseyi

Thanks for the follow-up @theseyi.

It is somewhat puzzling that @okta-auth-js's [email protected] is causing this kind of interference, as it depends on the same version of node-fetch (2.6.1) as [email protected].

Would you be able to check if temporary removal of @okta/okta-auth-js dependency and having latest isomorphic-fetch installed still triggers the error?

I'm also running into this issue @okta/[email protected] and [email protected]. Is there a lower version we can downgrade to temporarily?

mnguyen96 avatar Feb 25 '21 21:02 mnguyen96

Thanks for looking into this @oleksandrpravosudko-okta node v12.20.1 @okta/okta-sdk-nodejs v4.4.0

I was able to resolve this by setting my isomorphic-fetch version to 2.2.1 in my yarn workspace manifest

  "resolutions": {
    "isomorphic-fetch": "2.2.1"
  },

This resolves the issue in the interim, but as you mentioned with the vuln, it is less than ideal.

It is possible that this issue may be due to incompatibility in that version of isomorphic-fetch and cross-fetch if it is also installed, which can happen in a monorepo. I have @okta/okta-auth-js installed, which has cross-fetch@^3.0.6 as a dependency. Might be helpful to keep the same fetch lib for both packages (@okta/okta-auth-js and @okta/okta-sdk-nodejs)?

@mnguyen96

theseyi avatar Mar 03 '21 14:03 theseyi
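
The interim `resolutions` pin discussed in this thread forces a version outside the range the dependent package requested, and the thread also raises several fetch libraries coexisting in a monorepo. As an added example (not part of the thread or of the Okta SDK), this script audits a yarn v1 lockfile for both conditions so the override can be tracked and removed later; the lockfile excerpt, its ranges and versions, and the function names are constructed for illustration.

```javascript
// Constructed yarn.lock (v1 layout) excerpt; ranges and versions are sample values.
const SAMPLE_LOCK = `
"isomorphic-fetch@^3.0.0":
  version "2.2.1"
cross-fetch@^3.0.6:
  version "3.0.6"
node-fetch@2.6.1:
  version "2.6.1"
node-fetch@^1.0.1:
  version "1.7.3"
`;

// Collect { patterns, version } for every top-level lockfile entry.
function parseLock(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const ver = line.match(/^  version "(.+)"$/);
    if (/^[^\s#].*:$/.test(line)) {
      const patterns = line.slice(0, -1).split(',').map(p => p.trim().replace(/^"|"$/g, ''));
      entries.push({ patterns, version: null });
    } else if (ver && entries.length) entries[entries.length - 1].version = ver[1];
  }
  return entries;
}

// Minimal check for exact and caret ranges only; null means "range form not handled".
// Caret: at or above the floor, with the same leftmost non-zero component.
function satisfies(version, range) {
  const m = range.match(/^(\^)?(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return null;
  const v = version.split('.').map(Number), r = m.slice(2).map(Number);
  const cmp = v[0] - r[0] || v[1] - r[1] || v[2] - r[2];
  if (!m[1]) return cmp === 0;
  const i = r.findIndex(n => n > 0);
  return cmp >= 0 && v.slice(0, (i < 0 ? 2 : i) + 1).every((n, k) => n === r[k]);
}

// Report overrides that break the requested range and libraries resolved more than once.
function auditFetchLibs(lockText, names) {
  const seen = {}, forced = [];
  for (const { patterns, version } of parseLock(lockText)) {
    for (const p of patterns) {
      const at = p.lastIndexOf('@'), name = p.slice(0, at), range = p.slice(at + 1);
      if (!names.includes(name)) continue;
      (seen[name] = seen[name] || new Set()).add(version);
      if (satisfies(version, range) === false) forced.push(`${name}@${range} -> ${version}`);
    }
  }
  return { forced, duplicated: Object.keys(seen).filter(n => seen[n].size > 1) };
}
```

Calling `auditFetchLibs` with a real lockfile's text and the list `['isomorphic-fetch', 'cross-fetch', 'node-fetch']` returns the forced overrides and the libraries present in more than one version.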