httpMiddleware sets manual Content-Length that breaks under Node 24 + strict fetch implementations

[johnsonogwuru]

Affected versions

• @commercetools/ts-client@4.9.1 (likely earlier)

Environment

• Node.js 24.11.0
• httpClient: fetch (Node global / undici-backed)

Problem

In createHttpMiddleware$1, every body-bearing request unconditionally sets:

requestHeader['Content-Length'] = byteLength(body);

When httpClient: fetch is configured, this becomes redundant because the fetch runtime computes Content-Length from the request body itself.

Under Node 24's bundled fetch, the manual value gets duplicated: bundled fetch's auto-Content-Length step appends its computed value on top of the user-supplied one, and HeadersList.append joins them with ", ".
The result is e.g. "666, 666".

When npm undici 8.2.0+ is also installed (in the case of commercetools Checkout) which it commonly is, transitively, and which auto-installs itself as the global dispatcher via lib/global.js its stricter processHeader (PR nodejs/undici#5060) rejects the joined string, throwing:

InvalidArgumentError: invalid content-length header
    at processHeader (undici/lib/core/request.js:503)
    at new Request (undici/lib/core/request.js:264)

Suggested fix

Don't set Content-Length manually when the configured httpClient is fetch-shaped. The fetch spec dictates the runtime computes it, and any user-supplied value is at best redundant and at worst (as here) actively harmful.

If a manual value is still needed for axios compat, gate it on httpClient !== fetch / httpClient.name !== 'fetch', or move it behind an opt-in option.

Wdyt?

[ajimae]

@johnsonogwuru Thanks for reporting this issue. Please can you provide a code snippet that can enable us reproduce this issue on our end?

Thanks

[johnsonogwuru]

@ajimae this is a snippet of what we have.

import 'undici';
import { ClientBuilder } from '@commercetools/ts-client';
import { createApiBuilderFromCtpClient } from '@commercetools/platform-sdk';

const client = new ClientBuilder()
  .withMiddleware((next) => async (request) => {
    request.headers = { ...(request.headers ?? {}), authorization: 'Bearer <xxxx>' };
    return next(request);
  })
  .withHttpMiddleware({
    host: 'https://api.europe-west1.gcp.commercetools.com',
    httpClient: fetch,
  })
  .build();

const api = createApiBuilderFromCtpClient(client);

try {
  await api
    .withProjectKey({ projectKey: 'any-project' })
    .carts()
    .withId({ ID: '00000000-0000-0000-0000-000000000000' })
    .post({
      body: {
        version: 1,
        actions: [{ action: 'setShippingAddress', address: { country: 'DE' } }],
      },
    })
    .execute();
  console.log('request constructed successfully (would now hit the network)');
} catch (err) {
   console.log(err)
}

[johnsonogwuru]

Because this is happening, I have implemented this safeFetch this walk-around on our app to strip Content-Length before delegating to fetch so undici computes the single correct value from the body itself.

const safeFetch: typeof fetch = (input, init) => {
  if (init?.headers) {
    const h = new Headers(init.headers as HeadersInit);
    h.delete('content-length');
    init = { ...init, headers: h };
  }
  return fetch(input, init);
};

[ajimae]

@johnsonogwuru thanks for the snippet. I tried running the snippet and it seems to work just fine. I made a little adjustment to the snippet.

// require('undici');
const { ClientBuilder } = require('@commercetools/ts-client');
const { createApiBuilderFromCtpClient } = require('@commercetools/platform-sdk');

const client = new ClientBuilder()
  .withMiddleware((next) => async (request) => {
    request.headers = { ...(request.headers ?? {}), authorization: 'Bearer **-Fs7SkKbQFlj-B4uS4aofR_********' };
    return next(request);
  })
  .withHttpMiddleware({
    host: 'https://api.europe-west1.gcp.commercetools.com',
    httpClient: fetch,
  })
  .build();

const api = createApiBuilderFromCtpClient(client);

// create a cart
async function createCart() {
  const response = await api
    .withProjectKey({ projectKey: process.env.CT_PROJECT_KEY })
    .carts()
    .post({
      body: {
        currency: 'EUR',
      },
    })
    .execute();

  return response.body;
}

// update a cart
(async () => {
  try {
    const response = await createCart();
    console.log(response.id, response.version);

    await api
      .withProjectKey({ projectKey: process.env.CT_PROJECT_KEY })
      .carts()
      .withId({ ID: response.id })
      .post({
        body: {
          version: 1,
          actions: [{ action: 'setShippingAddress', address: { country: 'DE' } }],
        },
      })
      .execute();
    console.log('request constructed successfully (would now hit the network)');
  } catch (err) {
    console.log(err)
  }
})();

I took a closer look at the undici repo and the embedded link you provided in the issue and it seems like the issue that caused the user-specified content-length header to be appended to that internally computed internally was fixed here.

For me everything seems to work just fine. 🤔
My testing environment:

node --version
v24.14.1

node -e "console.log(process.versions.undici)"
7.24.4

Also, I think it will make more sense to allow undici to handle the computation of the content-length. I will go ahead and remove the block responsible for manually setting the content-length.

Thanks

[ajimae]

This is now done, you can find the new version here.

[johnsonogwuru]

Thank you! I will close the issue.