Fix fetch implementation #1390

Merged
Ryang-21 merged 16 commits into master from fix-fetch-implementation, Apr 21, 2026

Conversation

@Ryang-21
Contributor

Why

  • feaxios ignores maxRedirects and maxContentLength, silently turning SDK-set SSRF and DoS guards into no-ops.

What

  • Enforce maxRedirects and maxContentLength on the no-axios fetch path. Uses redirect: "manual" with hop-counting, and streams response.body.getReader() with a running-total check so oversized responses abort mid-stream instead of buffering.
  • Preserve axios parity on .response.{status, data, ...}, validateStatus, paramsSerializer, withCredentials, body encoding, and cancel-reason propagation.
  • Fix deeper-build lib loading. src/bindings/config.ts imported ../../package.json, which resolved wrong from lib/no-axios/. Swapped to the existing PACKAGE_VERSION define. Also stringified version in webpack.config.browser.js's DefinePlugin, which was embedding 15.0.1 as invalid code into the browser bundle.
  • Add no-axios test config (config/vitest.config.no-axios.ts) + USE_AXIOS=false routing in the test harness so the suite runs against lib/no-axios/. New test:node:no-axios script.
  • Add shared HttpClient contract spec (test/unit/http_client_contract.test.ts, 33 tests): request methods, headers/params shaping, response parsing, non-2xx error shape, timeout, cancellation, bounded-path redirect/size enforcement, validateStatus, fetchOptions override-resistance, interceptors, and create() defaults. Runs against both builds.

Ryang-21 and others added 4 commits April 16, 2026 16:07
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…E_VERSION__

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 16, 2026 23:20
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX Apr 16, 2026

Copilot AI left a comment


Pull request overview

This PR fixes behavioral gaps between the axios-based and fetch-based (feaxios) HTTP client implementations, specifically restoring enforcement of SSRF/DoS guardrails (maxRedirects, maxContentLength) on the no-axios path and adding a cross-build contract test suite to prevent regressions.

Changes:

  • Add a bounded fetch adapter that enforces maxRedirects (manual hop counting) and maxContentLength (streamed read with early abort), plus cancellation tagging for isCancel.
  • Replace runtime package.json import with the build-time __PACKAGE_VERSION__ define and fix browser DefinePlugin version injection.
  • Add a no-axios Vitest config + test harness routing (USE_AXIOS=false) and introduce an HttpClient contract test suite run against both builds.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

File | Description
test/unit/http_client_contract.test.ts | New Node-only contract tests covering request/response shaping, errors, cancellation, redirect/size bounds, and interceptors.
test/tsconfig.json | Loosens TS strictness for tests and normalizes include/exclude formatting.
test/test-utils/stellar-sdk-import.ts | Routes Node tests to lib/no-axios when USE_AXIOS=false so tests exercise the fetch build output.
src/http-client/fetch-client.ts | Implements bounded fetch path for redirect/content-length enforcement and improves cancellation identification.
src/bindings/config.ts | Uses __PACKAGE_VERSION__ instead of importing package.json to support deeper build outputs.
package.json | Adds test:node:no-axios and runs it as part of test/test:all.
config/webpack.config.browser.js | Fixes __PACKAGE_VERSION__ injection by stringifying the version in DefinePlugin.
config/vitest.config.no-axios.ts | Adds a dedicated Vitest config for running unit tests against the no-axios build.


@github-actions

github-actions Bot commented Apr 16, 2026

Size Change: +397 kB (+0.87%)

Total Size: 46.1 MB

Filename | Size | Change
dist/stellar-sdk-minimal.js | 6.2 MB | +146 kB (+2.42%)
dist/stellar-sdk-minimal.min.js | 5.2 MB | +65.6 kB (+1.28%)
dist/stellar-sdk-no-axios.js | 6.2 MB | +146 kB (+2.42%)
dist/stellar-sdk-no-axios.min.js | 5.2 MB | +65.6 kB (+1.28%)
dist/stellar-sdk-no-eventsource.js | 6.31 MB | -6.63 kB (-0.1%)
dist/stellar-sdk-no-eventsource.min.js | 5.35 MB | -6.71 kB (-0.13%)
dist/stellar-sdk.js | 6.31 MB | -6.63 kB (-0.1%)
dist/stellar-sdk.min.js | 5.35 MB | -6.71 kB (-0.13%)

Reported by compressed-size-action.

Ryang-21 and others added 3 commits April 16, 2026 16:47
…bortSignal fallback, harness error surface

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…e under test

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.



Comment on lines +178 to +182
}
const controller = new AbortController();
setTimeout(() => controller.abort(new Error("TimeoutError")), ms);
return controller.signal;
}
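Review bot: the fallback branch's timer is never cleared, so a request that completes or is cancelled before ms elapses leaves a live setTimeout holding the controller, and in Node that pending timer also keeps the process alive for up to ms unless it is unref'd. Consider returning the timer handle together with the signal so the adapter can clearTimeout it once the request settles (and call .unref() on it where available). Separately, controller.abort(new Error("TimeoutError")) sets a reason whose name is "Error", not "TimeoutError"; if the timeout mapping keys on the reason's name, abort with new DOMException("...", "TimeoutError") instead.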

Copilot AI Apr 16, 2026


In the fallback path (when AbortSignal.timeout isn't available), controller.abort(new Error("TimeoutError")) usually makes fetch reject with an AbortError (or another error whose name isn't TimeoutError), so the boundedFetchAdapter catch block won't translate it into the axios-style timeout of Nms exceeded. Consider aborting with a DOMException named TimeoutError (or setting reason.name = "TimeoutError"), and/or checking signal.reason when mapping to a timeout error.

Comment thread test/tsconfig.json
"removeComments": false,
"strict": true,
"noImplicitAny": true,
"noImplicitAny": false,

Copilot AI Apr 16, 2026


Disabling noImplicitAny for the entire test project reduces type-safety and can mask mistakes across the suite. If this was done to accommodate a few tests, consider keeping it enabled and using local casts or targeted @ts-expect-error where needed.

Suggested change
"noImplicitAny": false,
"noImplicitAny": true,

Comment thread CHANGELOG.md
Comment on lines +37 to +38



Copilot AI Apr 16, 2026


There are multiple extra blank lines before the ### Deprecated section; consider removing them to keep the changelog formatting consistent.

Suggested change

Ryang-21 and others added 4 commits April 17, 2026 15:39
…for cross-build coverage

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…e, redirect auth, responseType, transforms

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… defaults merge, responseType, transforms, auth-strip

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@socket-security

socket-security Bot commented Apr 17, 2026

Review the following changes in direct dependencies.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | msw@2.13.4 | 93 | 100 | 100 | 96 | 100

Ryang-21 and others added 4 commits April 17, 2026 16:17
Ryang-21 merged commit 7ad2b0a into master Apr 21, 2026
10 checks passed
Ryang-21 deleted the fix-fetch-implementation branch April 21, 2026 18:47
@github-project-automation github-project-automation Bot moved this from Backlog (Not Ready) to Done in DevX Apr 21, 2026