-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buffer: runtime-deprecate Buffer constructor everywhere by default #21351
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has to happen at some point, IMO. 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’m sorry if you saw this coming, but I’m -1 on this.
- The changes in v10.x make it a lot less likely that new code relying on the Buffer constructor will be introduced
- v6.x is in maintenance mode; by the time we release this, it will have only half a year left until EoL, so I don’t think we should consider the lack of zero-filling on that release line as an issue (and we could probably introduce it at this point anyway)
- For those who do care about the DoS vector,
--pending-deprecation
is a sensible way of detecting potentially problematic usage
Then I guess this will go back to the TSC agenda. |
@seishun If you meant to put it on the @nodejs/tsc agenda, please add the I have mixed feelings about putting this on the agenda at this time, but I (and anyone else) can't stop it, so go for it if you think that's the right thing to do. One thing I expect will be wanted before a decision is made is some idea (from gzemnid or elsewhere) as to whether usage is declining or not now that we have the warning for code outside of
Not sure what to do about that conundrum but I suppose that's not exactly your problem to solve. :-D Maybe the rule should be: If someone asks for data, they need to state beforehand how the different possible trends will affect their decision. |
@Trott It was just a prediction. I was hoping that this could get resolved without actually putting it on the agenda, but it seems unavoidable now given the lack of activity. |
I am -1 for the time being.
I suspect the new npm audit command is helping a lot in fixing those issues.
The warning is reported doing npm install, so the user is warned.
@Trott <https://github.com/Trott> It was just a prediction. I was hoping
… that this could get resolved without actually putting it on the agenda, but
it seems unavoidable now given the lack of activity.
—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
<#21351 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADL418ImkaM7D2PWZmVfpr5QF3YLAmhks5t_T2QgaJpZM4UphOs>
.
|
npm doesn't warn about Buffer usage. |
Most of the old packages had a vulnerability reported and a CVE for this.
At least those with the highest download numbers.
Il giorno sab 23 giu 2018 alle 11:30 Nikolai Vavilov <
notifications@github.com> ha scritto:
… I suspect the new npm audit command is helping a lot in fixing those
issues. The warning is reported doing npm install, so the user is warned.
npm doesn't warn about Buffer usage.
—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
<#21351 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADL46i1ofFTGVP8s2uS7PcsX48piaGqks5t_ibfgaJpZM4UphOs>
.
|
@seishun, @nodejs/tsc This is targeting Node.js 11.0 at least, as it's a I think that it's too early for a decision at this point, as 4.x reached EOL just recently, and people are currently actively dropping support for it. But last time I checked, I.e. I don't think that we should decide now will it go into 11.0 or not. I would prefer to wait some more time closer to 11.0 release to see how the ecosystem looks like.
That doen't remove the benefits here. There is a large number of efficiently unmaintained modules at npm that would not update and that people would not migrate off unless we land this (nobody cares about unmaintained code in deps), and that would take too long for someone to review if their usage of Buffer is safe or not. |
I am doing this entirely in my free time, and I target high-impact modules (i.e. sort by popularity). And what we have currently won't force the less maintained modules to update, it's just preventing the growth of the problem somewhat. |
This was discussed in the TSC meeting today. The consensus was that we should follow @ChALkeR suggestion and wait until ~August to review the state of the ecosystem at that point and make a decision. Will remove from TSC agenda, if still necessary, please re-add when the time comes. |
I updated the data. Everyone involved should have access, AnalysisDepecated Buffer() constructor usage seems to have only grown from February when measured by packages count, but downloads/month fell down by 30%, though — so the increase in packages count is just caused by a large number of new (yet) unpopular modules. Also, that growth in modules count using Usage in downloads/month has decreased, but that decrease is not big enough and there are large and widely used modules that are effectively unmaintained and do not even land PRs to fix Buffer usage for a long time. E.g., Joyent-owned, e.g: TritonDataCenter/node-asn1#30 and TritonDataCenter/node-http-signature#67. Personal opinionAs it looks now, it seems unlikely to me that it would be possible to completely runtime-deprecate Buffer constructor in 11.0 without a major fallout. My opinion re: 11 will change if the usage significantly decreases over the next month, but I find that unlikely. Even if we don't land this in time for v11, I hope that we make at least some change to speed up the migration, something that will include code from The thing is, the current deprecation is ineffective for not-very-supported modules to update their code, as users don't see the warnings from On the other hand, at this point displaying the warning for code inside So, some ideasThe trick would be to somehow print warnings for code in dependencies, so dependencies would be notified of this, but at the same time not print out those warnings by default to just every unsuspecting Node.js user out there. That has to be reproducable, preferrably without users having to add flags just to reproduce the warning they observed without the flag. Because of that, just randomizing and displaying for 1% runs would be a bad idea. 1. Time-based approachPrint warnings for both code outside of That needs testing, but I expect it include only a small additional portion of code from 2. Depth-based approachPerhaps, we can measure the require chain length? I.e. print warning for the code in That could be more fragile though, I guess, and reach out less modules out there. E.g. if user->A->B->C, and B is an unmaintained module, no one would notice warnings from C. |
Who do you mean by users? If you mean developers who are using the module, then they have the option of migrating off the module or forking it, if all else fails. |
It's now August everywhere on Earth, so re-adding to the agenda. |
Should this stay open? |
Is there a reason not to? |
Since we're coming up on the 12.x release in less than two months, I guess it's a good time to check in on the TSC folks that have reviewed this already. @apapirovski Are you still +1 on this landing on master at this time? @addaleax Still a -1 for the reasons provided? @mcollina @fhinkel Still -1 from both of you for the reasons you provided too? @Fishrock123 had asked to be a permanent abstention on Buffer constructor stuff, but I'm not sure if it was tongue-in-cheek or not. Anyone else on @nodejs/tsc have a definite opinion at this time? This isn't a vote (yet, at least), but I think it's useful to know where people stand. (Since a vote is likely, having the conversation before it comes to that will help the vote come to a conclusion faster.) |
I’m still -1. |
Yes, I’m still -1. |
Still +1 but I don't feel strongly about this. |
@seishun Should we try to land this for 14? |
@fhinkel Sure, I'll be happy to rebase it if there's support for it. |
Hi @nodejs/tsc , we have some plus and minus ones on this. Can we revisit whether this should land in the next release? |
Summarizing the current status in case it's helpful for anyone else: Ultimately, this is about estimating the value of the security improvement, estimating the cost of user/maintainer pain, and deciding if the former is worth the latter.
Users already get a runtime deprecation warning right now if Lastly, there are three competing interests here, I think:
Those three populations are not distinct. A single person can belong to all three, two, one, or none of the above. |
8ae28ff
to
2935f72
Compare
@nodejs/tsc ... should we keep this PR open? Do we anticipate that we will ever do a full runtime deprecation on the Buffer constructor? |
My take is that we don't runtime deprecate this API. |
@nodejs/tsc given that there's roughly a year and a half of people asking the TSC if this should land without a definitive "yes" but several definitive "no", we should consider this a "no" and close it out? |
Is there any new/updated data available on Buffer constructor usage in the ecosystem? |
+1 to closing. If we ever do decide to do this, we can open a new PR or re-open this one. |
I'm going to close this given the above +1 plus two 👍🏻 and the context that this has been stale for an excessively long time without progress. If folks do want to approach this again, feel free to reopen this or create a totally new PR. |
Creating a new PR per the vote in #15346 (comment).
Some backstory:
Buffer.from()
,Buffer.allocUnsafe()
andBuffer.alloc()
) were introduced to address security concerns of the Buffer constructor, which was deprecated in the docs in the same version. (see buffer: add Buffer.from(), Buffer.alloc() and Buffer.allocUnsafe(), soft-deprecate Buffer(num) #4682, Buffer(number) is unsafe #4660)--pending-deprecation
flag, the use ofBuffer()
andnew Buffer()
causes aDeprecationWarning
to be emitted. (see src, buffer: add --pending-deprecation flag #11968)node_modules
, with a plan to enable it for all code in a "later release". (see buffer: do deprecation warning outsidenode_modules
#19524 (comment)).Several reasons for enabling runtime deprecation by default, in no particular order:
Buffer(num)
instead ofBuffer(string)
due to insufficient input validation.Buffer(num)
zero-fills by default since 8.0.0, preventing accidental data disclosure. (see buffer: zero fill Buffer(num) by default #12141) However, it was not backported to earlier Node.js versions, which could result in security issues if new code is written with the assumption of zero-filling and then run on Node.js versions that don't zero-fill. (this and above is described in more detail here)Buffer(num)
zero-fills and still be using it in performance-critical code, whereBuffer.allocUnsafe()
might be more appropriate.Buffer()
withoutnew
would be runtime-deprecated as well, so this functionality could potentially be removed in a later Node.js version. This would make it possible to refactorBuffer
into a proper ES6 class that can be subclassed.--pending-deprecation
flag to test their code in the future. This will in turn allow us to introduce new runtime deprecations more smoothly by going through the "behind-the-flag" stage first.Reasons why runtime deprecation only outside of
node_modules
is insufficient:Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes