feat: enable custom lookup for httpclient and fetch

[Dipper30]

1. enable custom dns lookup by setting app config (curl, safeCurl, fetch, safeFetch supported)
2. test cases added

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @Dipper30, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement by allowing developers to define a custom DNS lookup function for all outgoing HTTP requests made through the application's httpclient and fetch utilities. This provides greater flexibility and control over how hostnames are resolved, which can be crucial for custom network environments, testing, or specific security requirements. The changes ensure that this custom lookup mechanism is consistently applied across the application's HTTP request lifecycle.

Highlights

• Custom DNS Lookup: Introduced the ability to configure a custom DNS lookup function for httpclient and fetch operations via config.httpclient.lookup.
• Integration with HTTP Clients: The custom lookup function is now applied to FetchFactory, HttpClient, and HttpClientNext instances, ensuring consistent behavior across different HTTP request mechanisms.
• Enhanced Test Coverage: Added new test fixtures and a dedicated test file (dns_resolver.test.js) to thoroughly validate the custom DNS lookup functionality for both curl and fetch.
• Configuration Loading Order: Adjusted the order of this.loader.loadConfig() in EggApplication to ensure that httpclient configurations, including the new lookup option, are available when FetchFactory is initialized.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a feature to enable custom lookup functions for httpclient and fetch, which is a valuable addition. The implementation correctly propagates the lookup configuration in most places. However, I've identified a few critical issues where per-request or per-call options are unconditionally overridden by the global configuration, which would prevent users from specifying their own lookup functions for specific calls. Additionally, there are some logic errors and areas for improvement in the new test files. My review includes suggestions to fix these issues to ensure the feature works as expected and the new tests are robust.

[killagu]

LGTM

[Copilot]

Pull request overview

This PR enables custom DNS lookup functionality for Eggjs's HTTP client and fetch APIs. It allows developers to configure a custom DNS resolution function through the httpclient.lookup config option, which applies to curl, safeCurl, fetch, and safeFetch methods. The implementation includes comprehensive test coverage with a new test fixture application.

Key Changes:

• Added support for custom lookup function in httpclient configuration that applies across all HTTP client methods
• Modified fetch factory to initialize with custom lookup options per application instance
• Enhanced TypeScript definitions to include the LookupFunction type

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
lib/core/fetch_factory.js	Added fetch function export with custom lookup initialization logic; modified safeFetch to support custom lookup
lib/egg.js	Updated fetch binding to use new fetch function; added lookup option passing to createHttpClient
lib/core/httpclient.js	Added lookup option support from app config
lib/core/httpclient_next.js	Added lookup option support and propagation to SSRF client
index.d.ts	Added LookupFunction type import and lookup property to HttpClientConfig interface
test/lib/core/fetch_factory.test.js	Added custom lookup test configuration
test/lib/core/dns_resolver.test.js	New comprehensive test suite for custom DNS lookup functionality
test/fixtures/apps/dns_resolver/*	New test fixture app with custom lookup configuration

Comments suppressed due to low confidence (1)

lib/core/fetch_factory.js:46

• The ssrfFetchFactory is a module-level singleton that persists across all application instances. In scenarios where different app instances need different lookup or checkAddress configurations, they will incorrectly share the same factory instance initialized by the first app. This could lead to security issues or incorrect DNS resolution. Consider making this factory instance-specific or properly scoping it to each application instance.

    safeFetch = function safeFetch(url, init) {
      if (!ssrfFetchFactory) {
        const ssrfConfig = this.config.security?.ssrf;
        const clientOptions = {};
        if (ssrfConfig?.checkAddress) {
          clientOptions.checkAddress = ssrfConfig.checkAddress;
        } else {
          this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
        }
        if (this.config.httpclient?.lookup) {
          clientOptions.lookup = this.config.httpclient.lookup;
        }
        ssrfFetchFactory = new FetchFactory();
        ssrfFetchFactory.setClientOptions(clientOptions);
      }
      return ssrfFetchFactory.fetch(url, init);
    };

[Copilot]

The fetchInitialized flag is a module-level singleton that persists across all application instances. In a testing environment where multiple app instances may be created, this flag will remain true after the first instance initializes fetch, preventing subsequent instances from properly configuring their lookup function. This could lead to incorrect behavior in tests or multi-instance scenarios. Consider making this flag instance-specific or resetting it appropriately.

[codecov]

Codecov Report

❌ Patch coverage is 94.11765% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 99.42%. Comparing base (e1c45db) to head (d269a95).
⚠️ Report is 4 commits behind head on 3.x.

Files with missing lines	Patch %	Lines
lib/core/httpclient_next.js	60.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              3.x    #5749      +/-   ##
==========================================
- Coverage   99.58%   99.42%   -0.17%     
==========================================
  Files          36       36              
  Lines        3653     3678      +25     
  Branches      545      546       +1     
==========================================
+ Hits         3638     3657      +19     
- Misses         15       21       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	supertest@​6.3.4
	koa-is-json@​1.0.0
	humanize-ms@​1.2.1
	node-libs-browser@​2.2.1
	koa-static@​5.0.0
	spy@​1.0.0
	react@​16.14.0
	pedding@​1.1.0
	onelogger@​1.0.1
	sendmessage@​2.0.0
	jsdoc@​3.6.11
	on-finished@​2.4.1
	is-type-of@​2.2.0
	koa-bodyparser@​4.4.1
	ts-node@​10.9.2
	koa-override@​3.0.0
	node-forge@​1.3.3
	ylru@​1.4.0
	tsd@​0.28.1
	utility@​2.5.0
	sdk-base@​3.6.0 ⏵ 4.2.1			+1
	react-router@​5.3.4
	ms@​2.1.3
	umi@​3.5.43
	typescript@​5.9.3
	react-dom@​16.14.0
	urllib@​2.44.0
	urllib@​4.9.0
	koa@​2.16.3
	prettier@​2.8.8

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Prototype Pollution in npm immer CVE: GHSA-33f9-j839-rf8h Prototype Pollution in immer (CRITICAL) Affected versions: >= 7.0.0 < 9.0.6 Patched version: 9.0.6 From: ? → npm/@umijs/preset-react@2.1.7 → npm/immer@8.0.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immer@8.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential typosquat: npm slash2 as a typo of slash Did you mean: slash2 From: ? → npm/dumi@1.1.54 → npm/dumi-theme-egg@1.2.4 → npm/slash2@2.0.0 ℹ Read more on: This package | This alert | What is a typosquat? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/slash2@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm safer-buffer is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: ? → npm/urllib@2.44.0 → npm/egg-bin@6.13.0 → npm/egg-logger@3.6.1 → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[fengmk2]

我先修复一下 3.x 的 auto release 脚本���好了会合并。

[fengmk2]

https://github.com/eggjs/egg/releases/tag/v3.32.0