fix: patch gaxios v7 Array.toString() stream corruption #21884

gsquared94 merged 2 commits into google-gemini:main
Gemini Code Assist (bot), Summary of Changes: Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request resolves a critical data corruption issue stemming from a bug in
Code Review
This pull request introduces a postinstall script to patch a stream corruption bug in the gaxios v7 dependency, which is a clever workaround for an upstream issue. The change to simplify the TerminalQuotaError message is also a good defensive measure. While the patch script's reliance on hardcoded paths is noted, for a developer-facing script in a trusted environment, this approach can be acceptable. I've left a comment with suggestions for potential future improvements to make it more robust and maintainable if needed.
Commit message:

…eam corruption

google-auth-library v10+ depends on gaxios v7.1.3 which has a bug: its _request() method reads stream error bodies using Array.toString(), which joins Buffer chunks with commas — corrupting JSON error responses at TCP chunk boundaries. This causes TerminalQuotaError to be misclassified due to corrupted @type fields in error details.

This fix pins:
- @google/genai to 1.30.0 (direct deps + npm override)
- google-auth-library to ^9.15.1 (direct dep + npm override)

google-auth-library v9.x uses gaxios v6.x which correctly concatenates chunks via string addition (response += chunk).

DO NOT upgrade these packages until the gaxios v7 bug is fixed upstream.

See: google-gemini#21884
Commit message:

…eam corruption

google-auth-library v10+ depends on gaxios v7.1.3 which has a bug: its _request() method reads stream error bodies using Array.toString(), which joins Buffer chunks with commas — corrupting JSON error responses at TCP chunk boundaries. This causes TerminalQuotaError to be misclassified due to corrupted @type fields in error details.

This fix reverts the dependency bumps from google-gemini#18880:
- @google/genai: 1.41.0 → 1.30.0 (packages/core, packages/cli, packages/a2a-server)
- google-auth-library: ^10.5.0 → ^9.11.0 (packages/core)

google-auth-library v9.x uses gaxios v6.x which correctly concatenates chunks via string addition (response += chunk).

DO NOT upgrade these packages until the gaxios v7 bug is fixed upstream.

See: google-gemini#21884
scripts/check-lockfile.js (review thread, outdated):

```javascript
const gaxiosViolations = [];
for (const [location, details] of Object.entries(packages)) {
  if (
    location.match(/^packages\/[^/]+\/node_modules\/gaxios$/) &&
```
Got this feedback which seems valid:

There is a slight flaw in the regex used for your preventative lockfile check in scripts/check-lockfile.js:

```javascript
// Current PR code:
location.match(/^packages\/[^/]+\/node_modules\/gaxios$/)
```

The problem: In an npm workspaces environment, gaxios might get hoisted to the root node_modules instead of being nested inside packages/*/node_modules. If another dependency update triggers npm to hoist gaxios v7 to the root, its location string in package-lock.json will simply be "node_modules/gaxios", and your regex will not match it, allowing the bug to slip through CI.

The fix: Update the regex to catch gaxios regardless of whether it is hoisted to the root or nested in a workspace:

```javascript
// Proposed fix:
location.match(/(^|\/)node_modules\/gaxios$/)
```
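To show why the hoisting concern matters, here is an added example (not the PR's scripts/check-lockfile.js) that runs both regexes from the comment above over a constructed package-lock.json `packages` map containing a root-hoisted gaxios v7 and a workspace-nested v6 copy; the lockfile entries, the v6 version number and the "major version 7 or later" threshold are assumptions.

```javascript
// Added example, not the repository's check-lockfile.js. Compares the PR's
// original location regex with the proposed fix on a constructed lockfile.
const NESTED_ONLY = /^packages\/[^/]+\/node_modules\/gaxios$/; // PR's original regex
const HOISTED_OR_NESTED = /(^|\/)node_modules\/gaxios$/;      // proposed fix

// Constructed package-lock.json "packages" fragment (illustrative versions):
// gaxios v7 hoisted to the root, a v6 copy nested under a workspace, and an
// unrelated package whose name merely starts with "gaxios".
const LOCK = {
  packages: {
    '': { name: 'root' },
    'node_modules/gaxios': { version: '7.1.3' },
    'packages/core/node_modules/gaxios': { version: '6.7.0' },
    'node_modules/gaxios-helper': { version: '1.0.0' }, // must never match
  },
};

// Major version from a lockfile entry, or null if it has no parsable version.
function gaxiosMajor(details) {
  const m = /^(\d+)\./.exec(details.version || '');
  return m ? Number(m[1]) : null;
}

// Returns "location@version" for every lockfile entry that the supplied
// location regex identifies as gaxios and that resolves to major version >= 7
// (the threshold is assumed for this example).
function findGaxiosViolations(lock, locationRe) {
  const violations = [];
  for (const [location, details] of Object.entries(lock.packages)) {
    if (locationRe.test(location) && (gaxiosMajor(details) ?? 0) >= 7) {
      violations.push(`${location}@${details.version}`);
    }
  }
  return violations;
}
```

With the constructed lockfile, the nested-only regex reports nothing while the proposed regex flags the hoisted v7 entry, which is exactly the gap the comment describes.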
sehoon38 left a comment:

approved after addressing the comments
Release bot: [Step 4/4] Patch Release Complete! Status: Your patch has been successfully released and published to npm!
Root Cause

google-auth-library v10+ depends on gaxios v7.1.3 which has a bug in its `_request` method: `Array.toString()` joins Buffer elements with commas, injecting stray commas at TCP chunk boundaries. This corrupts error response JSON — e.g. `type.googleapis.com/google.rpc.ErrorInfo` becomes `type.googleapis.com/google,.rpc.ErrorInfo` — causing `TerminalQuotaError` to be misclassified.

This was introduced when google-auth-library was upgraded from v9 to v10 and @google/genai from 1.30.0 to 1.41.0 in c3b52b82 (#18880). google-auth-library v9.x uses gaxios v6.x which correctly concatenates chunks via string addition (`response += chunk`).

Fix

Pins both packages to their pre-#18880 versions via npm overrides + direct dependency specs:

- `@google/genai`: pinned to `1.30.0` (all workspace packages + override)
- `google-auth-library`: pinned to `^9.15.1` (direct dep + override)

Changed files

- `package.json` — added npm overrides for both packages
- `packages/core/package.json` — reverted both deps
- `packages/cli/package.json` — reverted `@google/genai`
- `packages/a2a-server/package.json` — pinned `@google/genai` (removed caret)
- `package-lock.json` — updated resolution
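The chunk-joining difference described under Root Cause, as an added example that is not gaxios or this repository's code: a constructed 429 error body is split into two Buffer chunks at two different offsets and reassembled the way the PR describes gaxios v7 (`Array.toString()`) and v6 (`response += chunk`) doing it. A split inside the `@type` string still parses but silently changes the detail type (the failure mode that misclassifies `TerminalQuotaError`); a split between fields breaks parsing outright. The error body, split points and the simplified classifier are assumptions.

```javascript
// Added example (not gaxios or repository code). Reassembles a constructed
// error body two ways and shows what each does to the "@type" field.
const ERROR_BODY = JSON.stringify({
  error: {
    code: 429,
    status: 'RESOURCE_EXHAUSTED',
    details: [{ '@type': 'type.googleapis.com/google.rpc.ErrorInfo', reason: 'QUOTA' }],
  },
});

// Constructed TCP split: cut the body into two Buffer chunks at offset `at`.
function splitIntoChunks(body, at) {
  return [Buffer.from(body.slice(0, at)), Buffer.from(body.slice(at))];
}

// gaxios v7 pattern as described in the PR: Array.prototype.toString() calls
// toString() on each Buffer and joins the results with ",".
function joinLikeGaxiosV7(chunks) {
  return chunks.toString();
}

// gaxios v6 pattern as described in the PR: string concatenation, no separator.
function joinLikeGaxiosV6(chunks) {
  let response = '';
  for (const chunk of chunks) response += chunk;
  return response;
}

// Returns the "@type" of the first error detail, or null when the text is not
// valid JSON or lacks the field. Stands in for the classification step that
// decides whether an error is a TerminalQuotaError (assumed, simplified).
function classifyDetailType(text) {
  try {
    return JSON.parse(text).error.details[0]['@type'] ?? null;
  } catch {
    return null;
  }
}

// Split inside the "@type" string: still parses, but the type is now wrong.
const inString = splitIntoChunks(ERROR_BODY, ERROR_BODY.indexOf('.rpc.'));
// Split between two fields: the stray comma makes the whole body unparseable.
const betweenFields = splitIntoChunks(ERROR_BODY, ERROR_BODY.indexOf('"status"'));
```

The in-string case reproduces the exact `google,.rpc.ErrorInfo` value quoted in Root Cause, which is why the bug surfaces as a misclassification rather than a parse error.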