node-postgres icon indicating copy to clipboard operation
node-postgres copied to clipboard
verified publisher icon brianc

DeprecationWarning: Buffer() is deprecated due to security and usability issues

Open harry-chin opened this issue 5 years ago • 10 comments

└─┬ [email protected] └─┬ [email protected] └── [email protected]

This issue is happening because of using old version of pg-types module. Do you have a plan to update pgtypes to 3.x from 2.x? The latest version of pg-types is using new version of postgres-bytea and this issue has been fixed there.

harry-chin avatar Dec 03 '20 03:12 harry-chin

Oh yes I need to upgrade. I know there are some backwards incompatible changes which is why I've waited so long. I think I should schedule a [email protected] upgrade for some time in January and make it a bundle of breaking changes. @charmander got any other breaking changes that come to mind? I'd like to deprecate the "query queue" concept in 9.0 - add a deprecation warning if you queue a query while another one is still in flight. Thoughts?

brianc avatar Dec 03 '20 16:12 brianc

@brianc All of that sounds good! BigInt becoming the default value type for BIGINT is also something pg-types might be about to get. If you’re looking to bundle more breaking changes (I guess it’s good for getting people to look at the changelog!), thoughts on these?

  • No type-parsing defaults, meaning an unknown OID is an error instead of a string (or a binary buffer)?
  • Splitting the overloaded types query option (it’s an array of OIDs, but also a TypeParser) into incoming and outgoing types
  • Fully libpq-compatible connection string parsing (started at https://github.com/charmander/libpq-connection-string), with the key=value syntax + multiple hosts + matching sslmode=… behaviour (#2375, #2299) + service configuration (#416)
    • this one needs a deprecation step for things like ssl=1 and #2195

We can open issues to discuss them if they sound worth talking about!

Also, for pg-pool, there are breaking change ideas queued up, like returning client wrappers that stop working when they’re returned to the pool; those would also be waiting on a new major pg version eventually, so maybe they can be revisited too for this major.

charmander avatar Dec 03 '20 16:12 charmander

@vitaly-t Your “generic” package isn’t libpq-compatible. It’s MongoDB-compatible. release(true) is completely unrelated to what you quoted and I don’t feel like wasting time expanding on it for you.

charmander avatar Dec 09 '20 01:12 charmander

Is there any update on this? We get this warning on all our Lambda invocations and it's quite noisy.

How is the proposed upgrade to [email protected] progressing? Is there an issue I can follow for updates on that?

Does anyone know of a workaround? Would it be practical to update the 2.x branch of pg-types to update its postgres-bytea without doing the full pg@9 update for node-postgres, if that is not expected soon?

RichardBradley avatar Nov 14 '22 17:11 RichardBradley

Any plans to fix this? Whenever BYTEA is used on a node:lts image (node 18), I get an error log. Not so nice :-(

thmang82 avatar Jan 15 '23 15:01 thmang82

Want to do a bump in this. We've our monitor system flooded with console.error reporting this error, since we're using BYTEA a lot. Any chance to have this upgraded?

70nyIT avatar May 16 '24 12:05 70nyIT

Hey this issue is causing crashes for me (although due to an obscure & annoying mesh of dependencies that isn't really pg's fault). There is a bug in some versions of node: https://github.com/nodejs/node/issues/53075 that mean that the Buffer() deprecation warning instead crashes in WASM environments.

I'm using vercel (whose current node version (20.15.X) is currently vulnerable to the above bug and neondatabase that uses pg as a dependency.

Is there any idea when this might get addressed? I'll probably be looking for alternative solutions on my end anyway but thought it was worth bumping

danny-hunt avatar Jul 22 '24 18:07 danny-hunt

@danny-hunt You can add the newer version of pg-types as a dependency, then pass it to pg as the types property of the config.

charmander avatar Jul 22 '24 19:07 charmander

Hi there!

While I wait for a new release to fix how BYTEA is handled in node, I added these lines of code to my pg client initialization:

import PG from 'pg';

PG.types.setTypeParser(PG.types.builtins.BYTEA, function (value: string) {
  return value ? `0x${value.slice(2)}`.toLowerCase() : null;
});

This change prevents an error from being logged every time a BYTEA is read. I hope this helps!

fedecastelli avatar Jul 26 '24 07:07 fedecastelli

Also a good workaround. If you want to be compatible with the defaults, it’s

PG.types.setTypeParser(PG.types.builtins.BYTEA, (value: string) => Buffer.from(value, 'hex'));

charmander avatar Jul 27 '24 22:07 charmander