require fallthrough behavior #11675
Comments
This behavior is the actual premise of Prior discussion:

Completely or just for signed packages?
@richardlau completely, but in particular this is an actual problem for signing. @Slayer95 not exactly, this is about intentional injection of files within a package's namespace, not intercepting the name of a package. If you look at the example and my comment the focus here differs since it is essentially preventing injection of

This is not like
@bmeck Can you point to any information re. signing packages? I wrote the following but suspect I'm probably missing some context. What is a package? As far as Node.js is concerned (https://nodejs.org/dist/latest-v7.x/docs/api/modules.html#modules_modules):

Which is to say that currently Node.js has no notion of namespaces. One might assume a package is defined by

@richardlau correct, currently this is a bit ambiguous in core; my use of the term mostly comes from As per signing, I am looking at various approaches but am leaning heavily towards https://github.com/dimich-g/webpackage . This is what I will be tackling after ESM. I bring up this issue now since it relates to the ESM import resolution algorithm.

@bmeck This is still a thing that needs addressing and should remain open? Is there anything anyone who is not you could and should be doing on this at this time?
I think we can close, cases in the wild were found, so unsafe to remove.
Warning might be good though

(refack: fixed typo and removed email quoted text)
Maybe consider as a breaking change only WRT signed packages, that is - signed packages will not resolve with fall through?

@refack Are signed packages a thing yet?

Closing per @bmeck.
`require()` has the ability to "fall through" multiple directories while searching for files.

https://github.com/bmeck/node-require-fallthrough-example/blob/master/nested/index.js

Given a dir structure of:

`dependent.js` has a surprising behavior of

If any error in resolving the "main" of `child` occurs, the main of `root` is used. EPERM on `child` also has fallthrough behavior.

This means that you can place directories in parent `node_modules` to intercept requests for resources within a package. This should be discussed WRT signing packages and if we can remove this behavior.

The main concern here is breakage vs falling through a potentially secure context into an unsigned context and vice versa.