Drop eventsource polyfill to let users opt in to streaming support

[Shaptic]

What

This omits eventsource by default from the bundle so that users can opt in specifically if they want streaming support.

Why

This module is quite problematic in certain environments, and it unnecessarily limits the developer experience for those that do not care about streaming support (e.g. just not needing it, or being Soroban-only).

Testing

Confirmation would be deeply appreciated, as all I did was test with a basic example Node project:

mkdir test-streaming/
cd test-streaming/
yarn init -y
yarn add git+https://github.com/stellar/js-stellar-sdk.git#6378aae
cat > index.js <<END
const { Horizon } = require("@stellar/stellar-sdk")
const s = new Horizon.Server("https://horizon-testnet.stellar.org");
s.transactions().stream({
    onmessage: (record) => console.log(record),
    onerror: (data) => console.log(data)
});
END

Then, we can see the difference before and after installing eventsource:

$ node index.js
⚠️ No EventSource provider found: either polyfill it (e.g. `npm i eventsource`) or you will not have streaming support.
⚠️ The import error was: Error: Cannot find module 'eventsource'
⚠️ No EventSource provider found: there is no streaming support unless you polyfill it (e.g. `npm i eventsource`).
TypeError: EventSource is not a constructor
    at createEventSource (.../streaming-test/node_modules/@stellar/stellar-sdk/lib/horizon/call_builder.js:68:16)
    at TransactionCallBuilder.stream (.../streaming-test/node_modules/@stellar/stellar-sdk/lib/horizon/call_builder.js:118:7)
    at Object.<anonymous> (.../streaming-test/index.js:5:18)
    at Module._compile (node:internal/modules/cjs/loader:1256:14)
    ...

The third warning line is included in case the user does not have an onerror handler for their stream, to ensure that the error is regularly visible.

$ yarn add eventsource && node index.js
node index.js       
{
  _links: {
    self: {
      href: 'https://horizon-testnet.stellar.org/transactions/b9d0b2292c4e09e8eb22d036171491e87b8d2086bf8b265874c8d182cb9c9020'
    },
    ...

e.g. @aristidesstaffieri and @piyalbasu, could you check that this branch works in Freighter?

[github-actions]

Size Change: -1.68 MB (-15%) 👏

Total Size: 9.76 MB

Filename	Size	Change
dist/stellar-sdk.js	5.47 MB	-868 kB (-14%)	👏
dist/stellar-sdk.min.js	4.29 MB	-809 kB (-16%)	👏

_{compressed-size-action}

[piyalbasu]

@Shaptic Thanks for flagging! I just installed this locally and ran through some smoke tests. Freighter builds and runs as expected 🎉

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@babel/[email protected]	None	0	65.2 kB	nicolo-ribaudo
npm/@babel/[email protected]	environment, filesystem, unsafe	+15	2.79 MB	nicolo-ribaudo
npm/@babel/[email protected]	None	+3	624 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	+7	555 kB	nicolo-ribaudo
npm/@babel/[email protected]	None	0	1.88 MB	nicolo-ribaudo
npm/@babel/[email protected]	environment, filesystem Transitive: unsafe	+96	2.65 MB	nicolo-ribaudo
npm/@types/[email protected]	None	+1	2.1 MB	types
npm/[email protected]	None	+43	3.26 MB	ljharb
npm/[email protected]	environment	+2	453 kB	isaacs
npm/[email protected]	environment, eval, filesystem	+45	3.96 MB	voxpelli
npm/[email protected]	None	0	32.4 MB	typescript-bot

🚮 Removed packages: npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[kalepail]

Weekly reminder that merging this would make me a very happy man

My life is pain

This is the remedy

🎵

[kalepail]

Also noting that I'd like to have this line considered for addition
https://github.com/kalepail/js-stellar-sdk/blob/make-eventsource-optional/package.json#L154
Essentially pinning the build tool for our included lockfile. Yarn 1 is very outdated and this can cause issues with automated CI/CD build tools like Cloudflare Pages which will try to use yarn 3

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Native code	npm/[email protected]	Location: Package overview	package.json
Filesystem access	npm/[email protected]	Module: fs Location: Package overview	package.json

View full report↗︎

Next steps

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]

[Shaptic]

It's a huge breaking change so I don't want to merge it just yet 😅 would rather have it alongside other big stuff

[Shaptic]

Yarn 1 is very outdated

If it ain't broke... upgrading to 3 seems like a pain in the ass for little benefit. But I've added the version lock as you requested!

[Shaptic]

Done formally as part of v13.0.0