
Avoid using monkey-patching and look for a long-term solution #127

@bjohansebas

Description


Problem

The current problem lies in the fact that several packages maintained by Express have to perform monkey-patching on properties (especially of OutgoingMessage) in order to work. For example, compression does monkey-patching on res.on, res.write, res.writeHead (which is overwritten using a package called on-headers maintained by Express; I’ll talk more about this below), and res.end to handle the transition from a regular stream to a gzip stream.
express-session performs monkey-patching to store the session and handle various logic, and also reuses on-headers.
This leads to issues like expressjs/compression#46, expressjs/compression#135, expressjs/session#1037 and expressjs/morgan#315, which arose due to monkey-patching. As far as I know, there are no clean solutions at the moment.

Additionally, a recent security issue came up with on-headers, again due to monkey-patching. This module was implemented several years ago, and Node.js has since made multiple changes to writeHead, which led to the vulnerability.
From the Express side, we’d like to move away from using this package, because we shouldn’t be doing monkey-patching in the first place. However, this package is a dependency for several important modules like compression, express-session, and community-maintained packages.

Possible solution

There have been discussions in the Express project about how to stop using on-headers and how to avoid monkey-patching other properties. The closest approach would be to introduce hooks into the Express core, similar to the ones Fastify provides, but that solution would be limited to Express only. This isn’t ideal because the broader ecosystem would still rely on monkey-patching those properties, and changes like this would mean that important middleware such as compression and other modules would only work with Express.

The idea with this issue is to propose a solution in Node.js core to definitively solve this problem and be able to deprecate on-headers.

cc: @nodejs/web-server-frameworks @nodejs/http (Sorry for the ping, but you have more knowledge about what could be done to solve this in the core)
