Fix fetch implementation (#1390)

* Enforce maxRedirects and maxContentLength on the no-axios fetch path

* Fix no-axios/minimal and browser builds to embed version via __PACKAGE_VERSION__

* Add shared HttpClient test suite covering axios and no-axios paths

* Migrate Horizon fetchTimebounds tests from axios-mock-adapter to MSW for cross-build coverage

Author: Ryang-21

CHANGELOG.md

@@ -26,6 +26,8 @@ A breaking change will get clearly marked in this log.
 * `AssembledTransaction.simulate` did not clear `this.built` before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
 * `AssembledTransaction.signAndSend` mutated the shared `this.options.submit` flag to prevent double submission. Replaced with a wrapper around `signTransaction` that injects `submit: false` without mutating shared state ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
 * Fetch HTTP client: async request interceptors were not awaited — the synchronous `try/catch` loop passed unresolved promise objects as the config. Replaced with a proper `.then()` chain matching Axios interceptor semantics ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+* Fetch HTTP client: `maxRedirects` and `maxContentLength` were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (`StellarToml.Resolver.resolve`, `FederationServer`) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past `maxRedirects` and streaming the response body with a running-total check so oversized responses abort mid-stream ([#1390](https://github.com/stellar/js-stellar-sdk/pull/1390)).
+* `src/bindings/config.ts` imported `../../package.json` with a relative path that resolved incorrectly for the `lib/no-axios/` and `lib/minimal/` build outputs, making those libs unloadable. Replaced with the `__PACKAGE_VERSION__` compile-time define ([#1390](https://github.com/stellar/js-stellar-sdk/pull/1390)).
 
 ### Added
 * `AccountResponse` constructor now uses explicit field-by-field assignment instead of `Object.entries` dynamic assignment for type safety ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
@@ -34,6 +36,8 @@ A breaking change will get clearly marked in this log.
 * `rpc.Server.getLatestLedger()` now includes `closeTime`, `headerXdr`, and `metadataXdr` in the typed response, with `headerXdr`/`metadataXdr` parsed into XDR objects instead of raw base64 strings ([#1389
 ](https://github.com/stellar/js-stellar-sdk/pull/1389)).
 
+
+
 ### Deprecated
 * `BalanceResponse.revocable` is deprecated in favor of `authorizedToMaintainLiabilities`, which correctly reflects the trustline flag semantics ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
 

config/tsconfig.json

@@ -12,4 +12,4 @@
     "target": "es6"
   },
   "include": ["../src"]
-}
+}

config/vitest.config.browser.ts

@@ -27,7 +27,10 @@ export default defineConfig({
     },
     // Run all unit tests in browser
     include: ["test/unit/**/*.test.ts"],
-    exclude: ["test/unit/call_builders.test.ts"],
+    exclude: [
+      "test/unit/call_builders.test.ts",
+      "test/unit/server/horizon/server.test.ts",
+    ],
     // Setup files to load the browser bundle
     setupFiles: [resolve(__dirname, "../test/setup-browser.ts")],
   },

config/vitest.config.no-axios.ts

@@ -0,0 +1,41 @@
+import { defineConfig } from "vitest/config";
+import { resolve } from "path";
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: "node",
+    coverage: {
+      provider: "v8",
+      reporter: ["text", "html", "lcov"],
+      // This config runs tests against lib/no-axios (USE_AXIOS=false routes
+      // the test harness there). Scope coverage to that build so the report
+      // reflects what's actually under test; the default axios build is
+      // covered by vitest.config.ts.
+      include: ["lib/no-axios/**/*.js"],
+      exclude: [
+        "test/**",
+        "dist/**",
+        "coverage/**",
+        "**/*.d.ts",
+        "lib/**/*.d.ts",
+        "**/*/browser.js",
+      ],
+    },
+    testTimeout: 20000,
+    include: ["test/unit/**/*.test.ts"],
+    exclude: ["**/browser.test.ts"],
+  },
+  resolve: {
+    alias: {
+      "@": resolve(__dirname, "../src"),
+    },
+    extensions: [".ts", ".tsx", ".js", ".jsx", ".json"],
+  },
+
+  define: {
+    __USE_AXIOS__: false,
+    __USE_EVENTSOURCE__: true,
+    __PACKAGE_VERSION__: JSON.stringify(process.env.npm_package_version),
+  },
+});

config/webpack.config.browser.js

@@ -104,7 +104,7 @@ const config = {
     new webpack.DefinePlugin({
       __USE_AXIOS__: JSON.stringify(buildConfig.useAxios),
       __USE_EVENTSOURCE__: JSON.stringify(buildConfig.useEventSource),
-      __PACKAGE_VERSION__: version,
+      __PACKAGE_VERSION__: JSON.stringify(version),
     })
   ],
   watchOptions: {

eslint.config.js

@@ -34,6 +34,10 @@ const typescriptConfig = [
     files: ["**/*.ts", "**/*.tsx"],
     rules: {
       "@typescript-eslint/require-await": "error",
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        { argsIgnorePattern: "^_", varsIgnorePattern: "^_" },
+      ],
       "no-fallthrough": "off",
     },
   },

package.json

@@ -100,10 +100,11 @@
     "build:docs": "cross-env NODE_ENV=docs yarn _babel",
     "clean": "rm -rf lib/ dist/ coverage/ .nyc_output/ jsdoc/ test/e2e/.soroban",
     "docs": "yarn build:docs && jsdoc -c ./config/.jsdoc.json",
-    "test": "yarn test:node && yarn test:integration && yarn test:browser",
-    "test:all": "yarn test:node && yarn test:integration && yarn test:browser && yarn test:e2e",
+    "test": "yarn test:node && yarn test:node:no-axios && yarn test:integration && yarn test:browser",
+    "test:all": "yarn test:node && yarn test:node:no-axios && yarn test:integration && yarn test:browser && yarn test:e2e",
     "test:e2e": "./test/e2e/initialize.sh && vitest run --config config/vitest.config.e2e.ts --coverage",
     "test:node": "vitest run test/unit --config config/vitest.config.ts --coverage",
+    "test:node:no-axios": "cross-env USE_AXIOS=false vitest run test/unit --config config/vitest.config.no-axios.ts",
     "test:e2e:noeval": "NODE_OPTIONS=--disallow-code-generation-from-strings yarn test:e2e",
     "test:integration": "vitest run test/integration --config config/vitest.config.ts --coverage",
     "test:browser": "yarn build:browser && vitest run --config config/vitest.config.browser.ts test/unit --coverage",
@@ -161,7 +162,6 @@
     "@vitest/coverage-istanbul": "4.1.2",
     "@vitest/coverage-v8": "^4.1.2",
     "@vitest/ui": "^4.1.2",
-    "axios-mock-adapter": "^1.22.0",
     "babel-loader": "^9.1.3",
     "babel-plugin-istanbul": "^7.0.1",
     "babel-plugin-transform-define": "^2.1.4",
@@ -183,6 +183,7 @@
     "jsdom": "^27.0.0",
     "lint-staged": "^15.5.1",
     "lodash": "^4.17.21",
+    "msw": "^2.13.4",
     "node-polyfill-webpack-plugin": "^3.0.0",
     "null-loader": "^4.0.1",
     "nyc": "^17.0.0",

src/bindings/config.ts

@@ -1,4 +1,10 @@
-import packageJson from "../../package.json";
+// The SDK version is baked in at build time via babel-plugin-transform-define.
+// Previously this was `import packageJson from "../../package.json"`, which
+// failed at runtime in deeper build outputs (lib/no-axios, lib/minimal) because
+// the relative path `../../package.json` resolved into the output tree rather
+// than the project root.
+// eslint-disable-next-line @typescript-eslint/naming-convention
+declare const __PACKAGE_VERSION__: string;
 
 export interface ConfigGenerateOptions {
   contractName: string;
@@ -45,7 +51,7 @@ export class ConfigGenerator {
         build: "tsc",
       },
       dependencies: {
-        "@stellar/stellar-sdk": `^${packageJson.version}`,
+        "@stellar/stellar-sdk": `^${__PACKAGE_VERSION__}`,
         buffer: "6.0.3",
       },
       devDependencies: {