Disable node-fetch gzip on token request to fix ERR_STREAM_PREMATURE_CLOSE

[spencerhunter]

Summary

Passes compress: false on the OAuth token request in src/dwolla/Auth.js so node-fetch skips the gunzip pipeline that surfaces false-positive ERR_STREAM_PREMATURE_CLOSE errors.

Node.js v24.17.0+ changed http.Agent keep-alive socket teardown timing (response queue poisoning fix), which exposes a latent node-fetch@2 bug: gzip + chunked responses read over a reused keep-alive socket raise a premature-close error from the Gunzip stream even though the full payload arrived. See nodejs/node#63989.

Verified against node-fetch 2.7.0 source — compress: false both omits the Accept-Encoding request header (lib/index.js:1359, so the upstream returns an uncompressed Content-Length body) and skips the zlib.createGunzip() decode path (lib/index.js:1664).

Scope: token endpoint only

Two customer reports (production api.dwolla.com and sandbox api-sandbox.dwolla.com) show every failure occurs at the /token fetch, before any downstream API call runs — e.g. a getOrCreateDwollaCustomer call errors out during token retrieval. "Multiple API calls affected" means many features broke because each needs a token first; the Token.js data-call fetches (get/post/delete) were never reached and show no evidence of being affected.

The fix is therefore scoped to the token request only:

• The token payload is ~109 bytes, so disabling gzip there has no cost.
• Leaving compression enabled on the data calls preserves gzip on potentially large list responses (customers, transfers). If those are ever confirmed affected, the upstream Node fix (PR #64004) or a keep-alive adjustment would be preferable to permanently disabling compression.

Changes

• Add compress: false to the token request in Auth.js
• Bump version 3.4.1 → 3.4.2; sync package-lock.json (was stale at 3.4.0)
• Add 3.4.2 changelog entry referencing http: node-fetch throws ERR_STREAM_PREMATURE_CLOSE on keep-alive socket closures after latest security releases nodejs/node#63989

Testing

• eslint and prettier pass
• Test suite: 14 passing / 5 failing — the 5 failures are pre-existing on clean main (a Node v22/nock stream incompatibility in the test harness), not introduced by this change

[spencerhunter]

Reproduction & fix verification

Reproduced the bug and verified the fix end-to-end against the live sandbox token endpoint on the first affected Node version.

Environment

• Node.js v24.17.0 (first version affected by nodejs/node#63989)
• node-fetch 2.7.0, dwolla-v2 @ 3.4.2 (this branch)
• Endpoint: https://api-sandbox.dwolla.com/token (environment: "sandbox")
• Driver: client.auth.client() in a loop (uncached POST /token, keep-alive socket reuse)

Before fix (no compress: false in Auth.js):

=== BEFORE (no compress:false) ===
FAILED on iteration 0: ERR_STREAM_PREMATURE_CLOSE Invalid response body while trying to fetch https://api-sandbox.dwolla.com/token: Premature close

Failed on the very first request — matches both customer reports (production + sandbox).

After fix (compress: false on the token request):

=== AFTER (with compress:false) ===
All 300 token requests succeeded — no premature close.

Same Node version, endpoint, and credentials between runs; the only difference was the one-line compress: false. Result: 0/300 → 300/300.

Repro script (run with Node ≥ 24.17.0; not committed to the repo)

// Reproduces ERR_STREAM_PREMATURE_CLOSE against the Dwolla token endpoint.
// Requires Node >= 24.17.0. Uses the local SDK source so toggling the fix in
// src/dwolla/Auth.js changes behavior without reinstalling.
const { Client } = require("./src/index.js");

const ITERATIONS = parseInt(process.env.ITERATIONS || "200", 10);

const client = new Client({
  key: process.env.DWOLLA_KEY,
  secret: process.env.DWOLLA_SECRET,
  environment: process.env.DWOLLA_ENV || "sandbox"
});

(async () => {
  let ok = 0;
  for (let i = 0; i < ITERATIONS; i++) {
    try {
      await client.auth.client(); // POST /token, uncached, reuses keep-alive socket
      ok++;
      process.stdout.write(`ok ${ok}/${ITERATIONS}\r`);
    } catch (err) {
      console.error(`\nFAILED on iteration ${i}: ${err.code || ""} ${err.message}`);
      process.exit(1);
    }
  }
  console.log(`\nAll ${ITERATIONS} token requests succeeded — no premature close.`);
})();

Run:

nvm use 24.17.0
DWOLLA_KEY=... DWOLLA_SECRET=... DWOLLA_ENV=sandbox ITERATIONS=300 node repro.js

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request