readable-stream@2 mutates core-util-is #24

kumavis · 2019-12-27T09:48:46Z

The current used version of readable-stream (v2) mutates the exports of core-util-is.

This is likely not intentional, but the side effect of a poorly constructed polyfill

/*<replacement>*/
var util = require('core-util-is');
util.inherits = require('inherits');
/*</replacement>*/

I'm building a plugin for browserify to reduce the risk of software supplychain attacks from the dependency graph. One of its protections is that is prevents the module.exports being mutated externally.

While I have seen this pattern with modules within a package, I haven't seen this pattern across packages, with the exception of this old version of readable-stream

I have verified this is resolved in v3

The text was updated successfully, but these errors were encountered:

kumavis · 2019-12-27T09:59:22Z

here it is in the most recent v2 commit (2018) https://github.com/nodejs/readable-stream/blob/b3cf9b1f46eaa1865930ae03b96d7a4a570746f0/lib/_stream_readable.js#L66-L69

kumavis · 2019-12-27T10:59:10Z

relevant PR for readable-stream@2 nodejs/readable-stream#423

idpaterson · 2020-01-14T22:09:11Z

Pull request nodejs/readable-stream#423 has been released in readable-stream@2.3.7

goto-bus-stop mentioned this issue Jan 25, 2020

Update to readable-stream 3.0.0 #18

Merged

kumavis closed this as completed Mar 27, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

readable-stream@2 mutates core-util-is #24

readable-stream@2 mutates core-util-is #24

kumavis commented Dec 27, 2019 •

edited

Loading

kumavis commented Dec 27, 2019

kumavis commented Dec 27, 2019

idpaterson commented Jan 14, 2020

readable-stream@2 mutates core-util-is #24

readable-stream@2 mutates core-util-is #24

Comments

kumavis commented Dec 27, 2019 • edited Loading

kumavis commented Dec 27, 2019

kumavis commented Dec 27, 2019

idpaterson commented Jan 14, 2020

kumavis commented Dec 27, 2019 •

edited

Loading