
compatibility with node --frozen-intrinsics security option #53

Open
timkuijsten opened this issue Jun 13, 2024 · 3 comments

Comments

@timkuijsten

(note: this is a dupe of #50, but with a clear focus on security)

I've started to use the node --frozen-intrinsics option on more and more projects as recommended by the Node.js Security Best Practices because it mitigates the risk of monkey patching.

When trying to run some third-party code that depends on depd, it fails to start when the option is used:

~/foo $ node --frozen-intrinsics -e 'require("depd")("foo")'
/home/me/foo/node_modules/depd/index.js:268
  var file = callSite.getFileName() || '<anonymous>'
                      ^

TypeError: callSite.getFileName is not a function
    at callSiteLocation (/home/me/foo/node_modules/depd/index.js:268:23)
    at depd (/home/me/foo/node_modules/depd/index.js:109:14)
    at [eval]:1:16
    at runScriptInThisContext (node:internal/vm:143:10)
    at node:internal/process/execution:100:14
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:83:62)
    at evalScript (node:internal/process/execution:114:10)
    at node:internal/main/eval_string:30:3

Node.js v18.20.1

~/foo/node_modules/depd $ npm info

depd@2.0.0 | MIT | deps: none | versions: 17
Deprecate all the things
https://github.com/dougwilson/nodejs-depd#readme

keywords: deprecate, deprecated

dist
.tarball: https://registry.npmjs.org/depd/-/depd-2.0.0.tgz
.shasum: b696163cc757560d09cf22cc8fad1571b79e76df
.integrity: sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==
.unpackedSize: 27.1 kB

maintainers:
- dougwilson <doug@somethingdoug.com>

dist-tags:
latest: 2.0.0  

published over a year ago by dougwilson <doug@somethingdoug.com>

I was wondering what the current status is for supporting this option?

See also the discussion around the --disallow-code-generation-from-strings security option in #41.
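The failure above is consistent with the usual V8 call-site trick: a library installs Error.prepareStackTrace to get CallSite objects, but under --frozen-intrinsics the Error constructor is frozen, the assignment is ignored (or throws in strict code), obj.stack stays a string, and indexing it yields single characters with no getFileName(). The following is an added example, not depd's code, showing how such a capture can detect the frozen intrinsic and fall back to parsing the string stack; the parser, function names and the assumption about the cause are mine.

```javascript
// Parse one V8 stack line, e.g.
//   "    at depd (/home/me/foo/node_modules/depd/index.js:109:14)"
// into an object exposing the subset of the CallSite API used below.
function parseStackLine(line) {
  const m = /^\s*at (?:(.+?) \()?(.*?):(\d+):(\d+)\)?$/.exec(line);
  if (!m) return null; // header line ("Error") or unrecognised frame
  return {
    getFunctionName: () => m[1] || null,
    getFileName: () => m[2],
    getLineNumber: () => Number(m[3]),
    getColumnNumber: () => Number(m[4]),
  };
}

function parseStringStack(stack) {
  return String(stack).split('\n').map(parseStackLine).filter(Boolean);
}

// Capture structured call sites. With --frozen-intrinsics the Error
// constructor is frozen: installing Error.prepareStackTrace throws in
// strict code and is silently ignored in sloppy code. Either way
// obj.stack stays a string, so detect that and parse the string instead.
function captureCallSites() {
  const obj = {};
  const prep = Error.prepareStackTrace;
  const limit = Error.stackTraceLimit;
  let hooked = false;
  try {
    Error.prepareStackTrace = (_err, callSites) => callSites;
    Error.stackTraceLimit = Math.max(10, limit);
    // Equality check catches the sloppy-mode silent failure.
    hooked = Error.prepareStackTrace !== prep;
  } catch (_e) {
    hooked = false; // frozen Error, strict mode
  }
  Error.captureStackTrace(obj);
  const raw = obj.stack;
  if (hooked) {
    Error.prepareStackTrace = prep;
    Error.stackTraceLimit = limit;
  }
  const sites = Array.isArray(raw) ? raw : parseStringStack(raw);
  return sites.slice(1); // drop captureCallSites' own frame
}

// Build a [file, line, column] triple from either kind of call site.
function callSiteLocation(callSite) {
  const file = callSite.getFileName() || '<anonymous>';
  return [file, callSite.getLineNumber(), callSite.getColumnNumber()];
}
```

On a normal Node.js run the hook works and real CallSite objects come back; with --frozen-intrinsics the same function returns parsed objects instead of crashing.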

@dougwilson
Owner

I haven't looked at --frozen-intrinsics since Node.js 18, at which point it was an experimental feature that Node.js itself said would break code. I asked about this and they confirmed there was no solution yet. I see in your example you are also using Node.js 18. Can you see if it works on the latest Node.js, perhaps? If they still haven't fixed it, I will ask the Node.js project again if there is a solution yet.

@timkuijsten
Author

timkuijsten commented Jun 13, 2024

$ ../node --frozen-intrinsics -e 'require("depd")("foo")'
/home/me/node-v20.14.0-linux-x64/bin/foo/node_modules/depd/index.js:268
  var file = callSite.getFileName() || '<anonymous>'
                      ^

TypeError: callSite.getFileName is not a function
    at callSiteLocation (/home/me/node-v20.14.0-linux-x64/bin/foo/node_modules/depd/index.js:268:23)
    at depd (/home/me/node-v20.14.0-linux-x64/bin/foo/node_modules/depd/index.js:109:14)
    at [eval]:1:16
    at runScriptInThisContext (node:internal/vm:209:10)
    at node:internal/process/execution:118:14
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:101:62)
    at evalScript (node:internal/process/execution:133:3)
    at node:internal/main/eval_string:51:3

Node.js v20.14.0

The only difference is that the feature is no longer experimental in Node.js v20. (fwiw v22.3.0 yields the same result as v20).

@dougwilson
Owner

Ok, thanks. When I get home tonight I will file another bug report on Node.js to see what the solution is or to re-make them aware it is still broken.
