[@vercel/blob] Read OIDC token via @vercel/oidc instead of inlined copy #1072
Merged
Blob shipped its own inlined copy of the Vercel request-context reader, so its OIDC support wasn't discoverable from the package's dependencies — an agent had to read the bundled source to learn it used OIDC at all. Depend on @vercel/oidc and use its `getContext` primitive.

Behavior is unchanged: Blob keeps its own resolution policy (trim tokens, ignore a blank `x-vercel-oidc-token` header in favor of `VERCEL_OIDC_TOKEN`), since @vercel/oidc's own token readers neither trim nor fall back on blank headers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🦋 Changeset detected
Latest commit: a6e6df0
The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages.
Depending on @vercel/oidc transitively pulls in jose (via verifyVercelOidcToken,
which Blob never calls). jose's browser/edge entry is ESM-only, so the jsdom and
edge-runtime jest environments resolved it and failed to parse it ("Unexpected
token 'export'") since jest doesn't transform node_modules. The node env was
unaffected because jose resolves to CJS there.
Move the jest config to jest.config.cjs and map `jose` to its CJS build in all
test environments. Blob doesn't use jose directly, so this only affects test
module resolution. Node/edge/browser suites all pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Switch the OIDC reader from @vercel/oidc's low-level `getContext` to its `getVercelOidcTokenSync`, matching how every other consumer uses the package. The wrapper converts the lib's "missing token" throw to undefined (so callers fall through to BLOB_READ_WRITE_TOKEN) and treats a blank token as absent.

Behavior change (edge case): a blank `x-vercel-oidc-token` header now resolves to no token instead of falling back to VERCEL_OIDC_TOKEN, since the library selects the header whenever its key is present. Test updated accordingly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
elliotdauber approved these changes Jun 15, 2026
Problem

`@vercel/blob` shipped its own inlined copy of the Vercel OIDC token reader (the `Symbol.for('@vercel/request-context')` lookup + env fallback) rather than depending on `@vercel/oidc`. With no `@vercel/oidc` entry in its dependencies, blob's OIDC support was invisible from the package surface — to learn blob even uses OIDC, you had to read the bundled/minified `dist` source. (This came out of a thread where an agent burned ~20 min reverse-engineering blob auth from the dependency's code.)

Solution

Depend on `@vercel/oidc` and read the token via its `getVercelOidcTokenSync` — the same entry point every other consumer (apps/*, the AWS credential providers, `@vercel/functions/oidc`) uses. The OIDC dependency is now explicit and discoverable.

Blob's wrapper converts the library's "missing token" throw to `undefined` (so callers fall through to `BLOB_READ_WRITE_TOKEN`) and treats a blank token as absent.

Behavior change (one edge case): a blank `x-vercel-oidc-token` request-context header now resolves to no token rather than falling back to `VERCEL_OIDC_TOKEN`, because the library selects the header whenever its key is present. Everything else is unchanged.

Notes

`@vercel/oidc` transitively pulls in `jose`, whose browser build is ESM-only and broke the jsdom/edge jest environments (Unexpected token 'export'). blob is the first browser/edge-targeting consumer of `@vercel/oidc`, so this surfaces only here. Fixed by pinning `jose` to its CJS build in jest config (blob doesn't use jose directly).

Validation
🤖 Generated with Claude Code
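
The blank-header edge case described in this PR, as an added example that is not part of the PR or of `@vercel/blob`: it compares which credential a caller ends up with under the inlined policy and under the library-backed wrapper. All function names are hypothetical, headers and env are passed in as plain objects, and `libraryReaderModel` is a stand-in built only from the PR's description of the library's behavior.

```javascript
// Added example. Function names are hypothetical; headers and env are passed
// in explicitly so the policies can be compared without a Vercel runtime.
const OIDC_HEADER = 'x-vercel-oidc-token';

// Policy of the inlined reader: trim, and ignore a blank header in favor of
// VERCEL_OIDC_TOKEN.
function resolveInlined(headers, env) {
  const fromHeader = headers?.[OIDC_HEADER]?.trim();
  if (fromHeader) return fromHeader;
  return env.VERCEL_OIDC_TOKEN?.trim() || undefined;
}

// Stand-in for the library reader, modeled only on the PR text: the header is
// selected whenever its key is present, and a missing token throws.
function libraryReaderModel(headers, env) {
  const hasKey = OIDC_HEADER in (headers ?? {});
  const token = hasKey ? headers[OIDC_HEADER] : env.VERCEL_OIDC_TOKEN;
  if (!token) throw new Error('OIDC token not available');
  return token;
}

// Wrapper policy after the switch: throw -> undefined, blank -> absent.
// Assumption: a non-blank token is returned unchanged.
function resolveViaLibrary(headers, env) {
  try {
    const token = libraryReaderModel(headers, env);
    return token.trim() === '' ? undefined : token;
  } catch {
    return undefined;
  }
}

// Callers try OIDC first and fall through to BLOB_READ_WRITE_TOKEN.
function pickCredential(resolve, headers, env) {
  const oidc = resolve(headers, env);
  if (oidc) return { source: 'oidc', value: oidc };
  const rw = env.BLOB_READ_WRITE_TOKEN;
  return rw ? { source: 'BLOB_READ_WRITE_TOKEN', value: rw } : { source: 'none' };
}

// Constructed sample values, not real tokens.
const env = { VERCEL_OIDC_TOKEN: 'env-oidc', BLOB_READ_WRITE_TOKEN: 'rw-token' };
const cases = [['header set', { [OIDC_HEADER]: 'hdr-oidc' }],
  ['header blank', { [OIDC_HEADER]: '  ' }], ['no header', {}]];

function compare() {
  return cases.map(([name, headers]) => ({ name,
    inlined: pickCredential(resolveInlined, headers, env).source,
    viaLibrary: pickCredential(resolveViaLibrary, headers, env).source }));
}
console.table(compare());
```

Only the blank-header row differs: with both environment variables set, the inlined policy authenticates with the environment's OIDC token, while the wrapper falls through to `BLOB_READ_WRITE_TOKEN`.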