-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buffer: hard-deprecate calling Buffer without new #8169
Conversation
LGTM, and really, thanks for doing this. |
LGTM too. |
@@ -65,6 71,9 @@ function alignPool() { | |||
* would ever actually be removed. | |||
**/ | |||
function Buffer(arg, encodingOrOffset, length) { | |||
if (!(this instanceof Buffer)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps new.target
instead? https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
if (!new.target) {
// print deprecation warning
}
LGTM once the comments above are fixed. One question, though — are there no tests that are affected by this? |
This should also include a test case that ensures that the deprecation warning is emitted when expected |
Btw, should this also hard-deprecate |
Good point @ChALkeR ... it probably should. /cc @trevnorris |
We could start filing some issues in advance. Edited. |
With that many occurrences, I feel we might need to do a longer deprecation cycle on this. Even with PRs, it could take awhile for patches to trickle down from deps of deps. |
@Quard, that's only 1193 modules (approx), and I expect this list to look much less scary once they are ordered by the actual downloads/month stats. I will begin filing issues to the most important ones, see sidorares/node-mysql2#380 for an example. |
I don't see the point. As far as I'm aware, we're not planning to make SlowBuffer subclassable.
Could you or someone else link to an existing test that does a similar thing? |
@seishun Yes, I totally missed that, thanks. Perhaps we should hard-deprecate SlowBuffer whatsoever in another PR, then. Not sure yet about the target on that one, though, but I guess 7.0.0 could be fine, as there are not so many SlowBuffer users and those of them who wish to support 0.12 and older v4.x versions could just use the shim. That should be discussed, though. |
@seishun ... you can look at process.on('warning', (warning) => {
assert.strictEqual(warning.name, 'DeprecationWarning');
// etc...
}); |
const bufferDeprecationWarning = | ||
deprecate(() => {}, 'Using Buffer without `new` will soon stop working. ' | ||
'Use `new Buffer`, or preferably ' | ||
'Buffer.from, Buffer.allocUnsafe or Buffer.alloc instead.'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably do not mention allocUnsafe
?
if people need that they will find it I think :)
newBufferWarned = true; | ||
process.emitWarning( | ||
'Using Buffer without `new` will soon stop working. ' | ||
'Use `new Buffer`, or preferably ' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually since this will be in v7... maybe we should only recommend Buffer.from()
and Buffer.alloc()
(pref with the parenthesis?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That works for me misread the comment... see #8169 (comment) instead.
|
Yeah, I am in favor of reverting. The reactions we are hearing from outside of Node core make it pretty clear that a runtime deprecation for functionality like this is just too disruptive, and we’re not going to get away with it, possibly ever. |
Oh and since @Trott put this on the agenda (thanks!), ping @nodejs/ctc |
Could you link to some of these reactions, because I'm only seeing negative comments from other Node.js collaborators? |
@mafintosh @yoshuawuyts @substack have contributed to various wg's but afaik are not part of core |
To put that in perspective, there were 1193 packages that would affected by this in August (#8169 (comment)). Evidently most of their developers don't mind fixing their code, or their users don't mind the warning, or there are no users. |
@seisun how many are still a problem? also 7 has only been out for a couple weeks, and does not have mass adoption yet... we can expect way more problems with 8, especially when it goes Lts |
Maintained modules can be easily fixed. Unmaintained modules may have security issues or bugs, or they may simply be obsolete. So keeping old and insecure APIs just to keep unmaintained modules running will hurt the ecosystem long-term. Unmaintained things usually begin to decay, so building an ecosystem on them is not a great idea. Made by an unpaid volunteer or not, old code is old code. |
If we want to hard-deprecate It would be really unfortunate if folks started updating their code to use |
So I've been following this thread, and what isn't clear to me is from the security point of view, why you can't you just zero-fill buffers by default? Specifically, make |
I've been trying to think of a way forward on this that would allow us to maintain the existing uses of If we followed a pattern similar to: class BufferArray extends Uint8Array {
constructor(/*.. args ..*/) {
/* ... */
}
}
function Buffer(/* .. args ..*/) {
if (!(this instanceof Buffer))
return new Buffer(/* .. args ..*/);
return Reflect.construct(BufferArray, [/** args **/], new.target);
}
util.inherits(Buffer, BufferArray); Then calling There are obviously some details that would need to be worked out in this but, at the very least, it provides on possible option. |
@jasnell have you seen addaleax/node@ec09d43? It goes pretty much into the direction you’re describing, with tests passing and everything, it would just take a bit of work to match the current performance (because it currently creates unnecessary intermediate objects). (I’ve linked this before – in the other thread, I think – but I do see that these things can get a bit lost 😄) |
I think I am 1 on reverting as well |
@addaleax ... I think I saw the link at some point but I don't believe I'd actually seen the code. Will dig in more! Thank you! |
@jasnell I am -1 on introducing an extra class. Things are already complicated enough with Array, Buffer, ArrayBuffer and UintXArray. Please try to imagine yourself in the shoes of someone who is just getting familiar with JavaScript and Node.js. Backward compatibility is important, but it would be unfortunate to permanently increase complexity in order to avoid a temporary disruption. |
@jasnell I don't fully understand the Reflect thing but that seems like something that could work and not break things. |
@seishun If we do this right, the additional complexity will be limited to something that can be explained in a single sentence; namely, the only difference between And yeah, I’m not too keen on the name |
This reverts commit f2fe558 (nodejs#8169) as the original justification for the runtime-deprecation does not appear to justify the disruption to Node’s existing ecosystem. Futhermore, the possibility of deprecating the Buffer constructor entirely in v8.0 might lead to people having to change their code twice.
I would like to ask everyone who has commented here to move the discussion to #9531, if only so the public discussion can take in a central place and not over multiple GH threads at once. |
This reverts commit f2fe558 (#8169) as the original justification for the runtime-deprecation does not appear to justify the disruption to Node’s existing ecosystem. Futhermore, the possibility of deprecating the Buffer constructor entirely in v8.0 might lead to people having to change their code twice. PR-URL: #9529 Reviewed-By: Roman Reiss <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Nikolai Vavilov <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Rich Trott <[email protected]>
This reverts commit f2fe558 (#8169) as the original justification for the runtime-deprecation does not appear to justify the disruption to Node’s existing ecosystem. Futhermore, the possibility of deprecating the Buffer constructor entirely in v8.0 might lead to people having to change their code twice. PR-URL: #9529 Reviewed-By: Roman Reiss <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Nikolai Vavilov <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Checklist
make -j4 test
(UNIX), orvcbuild test nosign
(Windows) passesAffected core subsystem(s)
buffer
Description of change
Light version of #7152.
We want to make
Buffer
aclass
so that it can be subclassed. However, instantiating aclass
requiresnew
. This hard-deprecates callingBuffer
withoutnew
.