node icon indicating copy to clipboard operation
node copied to clipboard
verified publisher icon nodejs

node: warn for Object.prototype.__* accessors common in security warnings

Open bmeck opened this issue 4 years ago • 11 comments

These accessors cause too much noise in npm security audits for the ecosystem, we should start a path to removal. Figuring out/warning on usage seems a good first step prior to actual removal. This would also be a way to verify that a security audit warning actually is affecting something rather than being false positives. These are optional/legacy in the JS language specification https://tc39.es/ecma262/#sec-object.prototype-legacy-accessor-methods

bmeck avatar Aug 20 '21 20:08 bmeck

Here is a relevant discussion: https://github.com/nodejs/node/issues/31951

mcollina avatar Aug 21 '21 10:08 mcollina

CITGM results: https://ci.nodejs.org/job/citgm-smoker/nodes=ubuntu1804-64/2751/#showFailuresLink

Unfortunately, all modules that depend on node-gyp fail at install time because of another deprecation.

  • Affects ava, csv-parser, ember-cli through an old version of graceful-fs
  • Affects bluebird through the cli-table module: https://github.com/Automattic/cli-table/blob/89392b27224b6a0c4a71f3085d1bdb5e9b83df9d/lib/index.js#L62, https://github.com/Automattic/cli-table/blob/89392b27224b6a0c4a71f3085d1bdb5e9b83df9d/lib/index.js#L71
  • Affects body-parser through an old version of chalk
  • Affects clinic through tap-mocha-reporter: https://github.com/tapjs/tap-mocha-reporter/blob/5c8846fe3655aceb7ab104e5989b469b57601c00/lib/reporters/dot.js#L62
  • Seems to affect Prettier's TypeScript parser, but I can't find where it is in Prettier's repository: https://ci.nodejs.org/job/citgm-smoker/nodes=ubuntu1804-64/2751/testReport/junit/(root)/citgm/cheerio_v1_0_0_rc_10/
  • Affects crc32-stream through some version of yargs-parser
  • Affects commander through yargs: https://github.com/yargs/yargs/blob/395bb67749787d269cabe80ffc3133c2f6958aeb/index.cjs#L25-L43
  • Affects duplexer2, esprima through some version of commander
  • Affects express through cookie-session. The module is fixed but only in an alpha release.

I'm stopping here but there are many more.

targos avatar Aug 22 '21 08:08 targos

@targos added a guard

bmeck avatar Aug 22 '21 12:08 bmeck

@targos after some digging, a variety of those are all from the test reporter used: https://github.com/tapjs/tap-mocha-reporter/pull/68

bmeck avatar Aug 22 '21 13:08 bmeck

we have patched some stuff in the wild, we should run CITGM again

bmeck avatar Oct 28 '21 15:10 bmeck

https://github.com/tapjs/tap-mocha-reporter has landed a fix, we should be good to try a new CITGM to see what the status is in the ecosystem.

bmeck avatar Mar 04 '22 21:03 bmeck

CITGM smoker running https://ci.nodejs.org/job/citgm-smoker/2863/

bmeck avatar Mar 04 '22 21:03 bmeck

The last CITGM run reports 81 failures, which seems to be more or less the same as master. Maybe we could land this in v18.0.0?

@bmeck can you rebase please?

aduh95 avatar Apr 06 '22 14:04 aduh95

Have a newborn, won't be doing PR work for a few weeks

On Wed, Apr 6, 2022, 9:43 AM Antoine du Hamel @.***> wrote:

The last CITGM run reports 81 failures, which seems to be more or less the same as master. Maybe we could land this in v18.0.0?

@bmeck https://github.com/bmeck can you rebase please?

— Reply to this email directly, view it on GitHub https://github.com/nodejs/node/pull/39824#issuecomment-1090353490, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABZJI6MSA43X277Y32G53DVDWPHDANCNFSM5CQ7UVQQ . You are receiving this because you were mentioned.Message ID: @.***>

bmeck avatar Apr 06 '22 14:04 bmeck

Congrats!

mcollina avatar Sep 09 '22 21:09 mcollina

Was passing by here too. Nice one. Babies are so cute, and they don't have proto !

kapouer avatar Sep 09 '22 21:09 kapouer