Make undici a peer dependency and document immutable releases #122

Merged
vadimpiven merged 1 commit into main from fix/undici
Mar 8, 2026

@vadimpiven
Owner

Move undici from dependencies to peerDependencies (>=7.0.0) to avoid instanceof failures when consumers use their own undici copy with setGlobalDispatcher. Add immutable GitHub releases mention to the installation safety section of the README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the project's dependency structure by reclassifying undici as a peer dependency, which resolves potential runtime conflicts for consumers. Concurrently, it enhances the project's security posture by documenting the immutability of GitHub releases, providing greater assurance regarding the integrity of downloaded binaries.

Highlights

  • Dependency Management: The undici package has been moved from a direct dependency to a peer dependency (>=7.0.0) and a development dependency. This change aims to prevent instanceof failures that can occur when consumers use their own undici copy with setGlobalDispatcher.
  • Documentation Update: The README.md file has been updated to include a section on immutable GitHub releases within the 'Installation safety' documentation. This clarifies that release assets cannot be modified post-publication, enhancing supply chain security transparency.

Changelog

  • packages/node/README.md
    • Updated the 'Installation safety' section to include information about immutable GitHub releases.
    • Adjusted table formatting and code indentation for consistency.
  • packages/node/package.json
    • Moved undici from dependencies to devDependencies.
    • Added undici to peerDependencies with a version requirement of >=7.0.0.
  • pnpm-lock.yaml
    • Updated the lockfile to reflect the change of undici from a direct dependency to a development dependency.

Activity

  • No specific activity (comments, reviews, progress) has been recorded for this pull request yet.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly moves undici to peerDependencies to avoid potential instanceof issues for consumers of this package. It also enhances the README.md by documenting the use of immutable GitHub releases, which is a great addition for security transparency. However, I've identified a potential compatibility issue regarding the Node.js versions supported and the new undici peer dependency requirement, which could affect users on Node.js 20. My review comment details this issue and offers suggestions for resolution.

@greptile-apps

greptile-apps bot commented Mar 8, 2026

Greptile Summary

This PR correctly moves undici from a direct dependency to a peerDependency (>=7.0.0), addressing instanceof failures that occur when consumers supply their own undici copy with setGlobalDispatcher. The package's Agent class extends Dispatcher and uses Response from undici at runtime (in export/agent.ts), so requiring the consumer to own the undici instance is the correct architectural choice. undici is retained in devDependencies for local development and testing.

Key changes:

  • undici moved from dependencies to peerDependencies and devDependencies
  • README Installation safety section updated to document GitHub's immutable releases guarantee
  • The direct reference link to the postinstall script was removed; users can navigate to the repository to inspect it if needed
  • Lock file updated to reflect the dependency restructuring

Confidence Score: 5/5

  • Safe to merge; the architectural change to peer dependencies is well-motivated and correctly implemented.
  • The PR correctly restructures undici from a direct dependency to a peer dependency, fixing real instanceof failures that occur when consumers provide their own undici copy with setGlobalDispatcher. The code verification confirms that Agent extends Dispatcher and instantiates Response at runtime, making the consumer-owned instance model the right choice. The README documentation update appropriately references GitHub's immutable releases guarantee for installation safety.
  • No files require special attention

Last reviewed commit: f9d7390
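
The instanceof failure discussed in this PR, modelled as an added example (not code from this repository or from undici). `loadLibraryCopy`, `makeWrapper` and `checkCompatibility` are hypothetical names, and the factory stands in for Node evaluating a second installed copy of the same package.

```javascript
// Added illustration; all names here are hypothetical stand-ins, not undici's code.

// Each installed copy of a package is evaluated separately, so every copy
// gets its own class objects even when the source text is byte-identical.
function loadLibraryCopy(version) {
  class Dispatcher { dispatch() { return true; } }
  class Response { constructor(body) { this.body = body; } }
  // A library-internal identity check of the kind that breaks across copies.
  const isResponse = (value) => value instanceof Response;
  return { version, Dispatcher, Response, isResponse };
}

// A wrapper package that subclasses Dispatcher and builds Response objects
// from whichever library copy it was resolved against.
function makeWrapper(lib) {
  class Agent extends lib.Dispatcher {
    respond(body) { return new lib.Response(body); }
  }
  return { Agent };
}

// Reports how the consumer's copy of the library sees the wrapper's objects.
function checkCompatibility(consumerLib, wrapperLib) {
  const { Agent } = makeWrapper(wrapperLib);
  const agent = new Agent();
  return {
    agentIsDispatcher: agent instanceof consumerLib.Dispatcher,
    responseAccepted: consumerLib.isResponse(agent.respond("ok")),
    // Duck typing survives duplicate copies; identity checks do not.
    hasDispatchMethod: typeof agent.dispatch === "function",
  };
}

// Case 1: the library is listed under "dependencies", so the wrapper can end
// up with its own nested copy next to the consumer's copy.
const consumerCopy = loadLibraryCopy("7.0.0");
const nestedCopy = loadLibraryCopy("7.0.0");
const asDependency = checkCompatibility(consumerCopy, nestedCopy);

// Case 2: the library is listed under "peerDependencies", so the wrapper
// resolves to the single copy the consumer installed.
const asPeerDependency = checkCompatibility(consumerCopy, consumerCopy);

console.log({ asDependency, asPeerDependency });
```

Matching version numbers do not help in case 1: the two copies still fail each other's `instanceof` checks because class identity, not version, is what is compared.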

@codecov

codecov bot commented Mar 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@vadimpiven vadimpiven merged commit d453220 into main Mar 8, 2026
19 checks passed
@vadimpiven vadimpiven deleted the fix/undici branch March 8, 2026 15:09