Use Object.setPrototypeOf as __proto__ could potentially be disabled #387
Note that this is a breaking change; as there are many old browsers that support It would be better to use something like the setprototypeof package, so it uses the newest technique available (which would also still work in the unlikely event of node removing dunder proto)
@ljharb Chalk is not a browser package.
lol fair, but s/browser/engine. node 0.10 and below don't have
If it is considered breaking, that seems fine to neutral from my perspective, but I would prefer not to use the package which would add a dependency and have questionable gains. The last release in question on that node release line is from 2016 and has multiple known security issues.
The gain is that by not being a breaking change, the fix you want will filter out to the maximum number of users quickly. You could certainly after that publish a major version that drops the dependency if you wanted.
@ljharb I'd personally prefer the major over using the dependency given supply chain concerns and lack of clear reasons to continue support for engines with known major issues.
I don’t understand “supply chain concerns”; chalk itself is a dependency too, and this PR works by the same mechanism. Whether to continue support for an engine or not is a separate decision - capriciously dropping support just to avoid adding a dep seems hostile to me, and in particular, antithetical to your goals of getting this PR out into the ecosystem.
@ljharb My viewpoint is unchanged. I personally would not consider breakage in platforms that are out of the support matrix and their own support matrix as breaking changes. I do not think adding a dependency is a trivial matter but you might. I do not see any hostility, but if you wish to view my opinions as such you are free to frame them as you please. The goal of this PR is to prepare for situations where
It also makes chalk brittle if someone deletes Object.setPrototypeOf, but that’s easily fixable, at least.
Adding a dependency also adds some form of brittle-ness (registry going down / removal from registry / removal from disk / etc.). I don't see any major point to add to this discussion really.
Chalk supports node 8 and above: Lines 9 to 11 in 797461e
It does look like a variety of other things being used are not available in node https://github.com/chalk/chalk/blob/master/source/templates.js#L29
@jridgewell ah, alright then - fair enough.
In that case,
I'll leave that to the maintainers, but existing usage in Lines 41 to 42 in 797461e
Fair enough as well.
I don't understand how
Just chiming in that there are a number of
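Don’t forget that
Object.defineProperty(Object, "setPrototypeOf", {
  configurable: true,
  writable: true,
  // Reuse the __proto__ setter on Object.prototype, called as setPrototypeOf(obj, proto)
  value: Function.prototype.call.bind(Object.getOwnPropertyDescriptor(Object.prototype, "__proto__").set)
});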
Node 13.12.0 now ships with the flag to remove
If anyone wants to use Only recommended for forcing version 3 to 4. Lower versions might be a problem due to breaking changes.
Due to CVEs and accidents, Node is thinking of allowing disabling Object.prototype.__proto__. This PR achieves the same functionality using Object.setPrototypeOf which does not suffer the same issues and removes a lint error.

See: nodejs/node#31951
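
The difference the PR description relies on, as an added example that is not code from this PR or from chalk: with the `Object.prototype.__proto__` accessor deleted, assigning `__proto__` only creates an own property and leaves the prototype chain unchanged, while `Object.setPrototypeOf` still links it. The names `makeBuilder`, `withoutDunderProto` and `compare` and the `bold` getter are hypothetical, and the accessor is deleted and restored in-process to simulate a runtime where it is disabled.

```javascript
'use strict';

// Hypothetical helper: builds a callable whose prototype should be `proto`,
// using either the legacy accessor or Object.setPrototypeOf.
function makeBuilder(proto, useDunderProto) {
  const builder = (...args) => args.join(' ');
  if (useDunderProto) {
    // With the accessor gone this is a plain own-property write: no error, no re-linking.
    builder.__proto__ = proto;
  } else {
    Object.setPrototypeOf(builder, proto);
  }
  return builder;
}

// Run `fn` with Object.prototype.__proto__ deleted, then restore the accessor.
function withoutDunderProto(fn) {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  delete Object.prototype.__proto__;
  try {
    return fn();
  } finally {
    if (desc) Object.defineProperty(Object.prototype, '__proto__', desc);
  }
}

function compare() {
  // Constructed stand-in for a prototype carrying style getters.
  const proto = Object.create(Function.prototype, {
    bold: { get() { return 'styled'; } },
  });
  return withoutDunderProto(() => {
    const legacy = makeBuilder(proto, true);
    const modern = makeBuilder(proto, false);
    return {
      legacyLinked: Object.getPrototypeOf(legacy) === proto,
      legacyOwnProp: Object.prototype.hasOwnProperty.call(legacy, '__proto__'),
      legacyBold: legacy.bold,
      modernLinked: Object.getPrototypeOf(modern) === proto,
      modernBold: modern.bold,
    };
  });
}

console.log(compare());
```

The legacy path fails silently rather than throwing, so the breakage only shows up later as missing inherited properties.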