The readable-stream package is used relatively low in our stack (in trie here) and has a significant amount of dependencies (5!, including beauties like buffer). I followed all and the situation seems not totally out of control; all end relatively soon in a non-dependency subdependency.
Nevertheless: suboptimal from a security perspective and at least close to a needs-somewhat-urgent-action situation.
We should analyze and weigh our options here. Functionality is directly exposed by trie in the createReadStream() method and then used in the state manager in dumpStorage(). So, relatively isolated; complete removal is nevertheless problematic.
There is an existing Web Streams API, and Node.js has also been supporting it since I think v16+. Maybe it is therefore an option to use web streams as a replacement. Not sure on both 1) how long the API has already existed in the JavaScript/Browser world and 2) what happens on transpilation/compilation with an import like const { ReadableStream } = require('node:stream/web')? 🤔 Will this automatically produce cross-platform compatible code? (likely not I would say? but maybe one can integrate in such a way?).
Anyhow. This is a first problem description. Would be good if this gets picked up at some point soon (or someone at least contributes by bringing the analysis further down the road).
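To make the proposed replacement concrete, here is an added example (not code from the trie or statemanager packages) of a createReadStream()-style helper built on the Web Streams API with zero npm dependencies, plus a dumpStorage()-style consumer. It assumes Node 18+, where ReadableStream and CountQueuingStrategy are globals (on Node 16.5+ they come from require('node:stream/web')); walkLeaves and the sample leaves are constructed stand-ins for the real trie walk.

```javascript
// Added example: Web Streams in place of the readable-stream package.
// Assumes Node 18+ globals (ReadableStream, CountQueuingStrategy); uses
// Uint8Array rather than Buffer so the same code also runs in browsers.

// Constructed sample data standing in for trie leaves: key -> value bytes.
const SAMPLE_LEAVES = [
  { key: Uint8Array.of(0x00, 0x00), value: Uint8Array.of(0x0a) },
  { key: Uint8Array.of(0x00, 0x01), value: Uint8Array.of(0x0b) },
  { key: Uint8Array.of(0x00, 0x02), value: Uint8Array.of(0x0c) },
];

const toHex = (bytes) =>
  '0x' + Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Hypothetical stand-in for the trie walk: an async generator, like a db cursor.
async function* walkLeaves(leaves) {
  for (const leaf of leaves) yield leaf;
}

// Web Streams replacement for createReadStream(). highWaterMark 1 means pull()
// runs only after the consumer drained the queue, so a slow consumer applies
// backpressure to the walk instead of buffering the whole trie in memory.
function createReadStream(leaves) {
  const walk = walkLeaves(leaves);
  return new ReadableStream(
    {
      async pull(controller) {
        const { value, done } = await walk.next();
        if (done) controller.close();
        else controller.enqueue(value);
      },
      // Consumer cancelled early: finish the generator so the cursor is released.
      cancel() { return walk.return(); },
    },
    new CountQueuingStrategy({ highWaterMark: 1 }),
  );
}

// dumpStorage()-style consumer. getReader() is used instead of for-await because
// async iteration of ReadableStream is not available in every browser yet.
async function dumpStorage(leaves) {
  const dump = {};
  const reader = createReadStream(leaves).getReader();
  for (;;) {
    const { value, done } = await reader.read();
    if (done) return dump;
    dump[toHex(value.key)] = toHex(value.value);
  }
}
```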