Dependency urlsafe-base64 uses Buffer unsafely #68

Closed
3 of 8 tasks
wmaltmann opened this issue Sep 18, 2023 · 2 comments · Fixed by #69

@wmaltmann

NOTE: Please test in at least two browsers (i.e. Chrome and Firefox). This
helps with diagnosing problems quicker.

Setup

Please provide the following details, the more info you can provide the
better.

Operating System: AWS Lambda | Windows
Node Version: 18.10.0
web-push Version: 3.6.2
http-ece Version: 1.1.0

Please select any browsers that you are experiencing problems with:

  • Chrome
  • Firefox
  • Opera for Android
  • Samsung Internet Browser
  • Other - Edge

Please list the browsers you have tested this in, including the version
of the browser (i.e. Chrome Beta, Firefox Beta etc).

Problem

When calling web-push sendNotification in Node18 I see the following console error:

ERROR	(node:14) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
    at showFlaggedDeprecation (node:buffer:195:11)
    at new Buffer (node:buffer:279:3)
    at Object.decode (/var/task/index.js:490:68353)
    at Object.validatePublicKey (/var/task/index.js:493:8952)
    at sendNotification (/var/task/index.js:497:4174)
    ...

There is a similar, fixed issue (web-push-libs/web-push#785) that handled removing direct calls to urlSafe-base64. There is also a urlSafe-base64 call in http-ece that causes the same issue. Workaround was to pull dependency code into my project and fix the call in http-ece.

Expected

No console errors

Features Used

  • VAPID Support
  • GCM API Key
  • Sending with Payload

Example / Reproduce Case

Please provide a code sample that reproduces the issue. If there is a
repository that reproduces the issue please put the link here.

import webpush from "web-push";

webpush.sendNotification(subscription, payload);

@wmaltmann
Author

Once this issue is fixed, web-push-libs/web-push#848 can pull in the updated dependency.

sbeesm added a commit to sbeesm/encrypted-content-encoding that referenced this issue Jan 8, 2024
Use built-in methods to decode and encode base64.

Fixes web-push-libs#68.
@sbeesm
Contributor

sbeesm commented Jan 8, 2024

Hello, I've opened a PR to fix this: #69, would appreciate any feedback or comments.

martinthomson added a commit that referenced this issue Jan 9, 2024
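
The commit message above describes using built-in methods to decode and encode base64. As an added illustration (not the code from #69 or from http-ece; `decodeUrlSafe`, `encodeUrlSafe`, `roundTripSample` and the sample bytes are hypothetical and constructed for this example), a strict URL-safe base64 codec that relies only on `Buffer.from` and never reaches the deprecated `Buffer()` constructor named in the DEP0005 warning:

```javascript
// Added example, not project code. All names here are hypothetical.

// URL-safe base64 alphabet (RFC 4648 section 5); trailing padding is optional.
const URLSAFE_RE = /^[A-Za-z0-9_-]*={0,2}$/;

// Decode a URL-safe base64 string. The type check matters: the deprecated
// `new Buffer(arg)` dispatches on the argument type, so a number allocates
// a buffer of that size instead of decoding anything.
function decodeUrlSafe(input) {
  if (typeof input !== 'string') {
    throw new TypeError('expected a base64url string');
  }
  if (!URLSAFE_RE.test(input)) {
    throw new RangeError('characters outside the base64url alphabet');
  }
  // A body length of 4n+1 can never be produced by a base64 encoder.
  if (input.replace(/=+$/, '').length % 4 === 1) {
    throw new RangeError('impossible base64url length');
  }
  // Map to the standard alphabet so the call does not depend on the
  // runtime knowing the 'base64url' encoding name.
  const std = input.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64');
}

// Encode bytes as unpadded URL-safe base64.
function encodeUrlSafe(bytes) {
  if (!(bytes instanceof Uint8Array)) { // Buffer is a Uint8Array subclass
    throw new TypeError('expected a Buffer or Uint8Array');
  }
  return Buffer.from(bytes)
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Constructed sample: 65 bytes shaped like an uncompressed P-256 point
// (0x04 prefix followed by 64 coordinate bytes). Not a real key.
function roundTripSample() {
  const sample = Buffer.alloc(65, 0xab);
  sample[0] = 0x04;
  const text = encodeUrlSafe(sample);
  return { text, decoded: decodeUrlSafe(text), sample };
}
```
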