CVE-2026-48931 Shouldn't Have Been a CVE
The guard I wrote used a public 'data' listener on the idle socket. node-fetch@2 inspects socket.listenerCount('data') to infer stream state, and with my listener attached it observed a count greater than zero during response close and reported false ERR_STREAM_PREMATURE_CLOSE errors. Because it landed in a coordinated security release across 22.x, 24.x, and 26.x at once, the blast radius was immediate and wide: