Skip to content

doc: clarify the scope of --disallow-code-generation-from-strings #58328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

doc: clarify the scope of --disallow-code-generation-from-strings #58328

wants to merge 1 commit into from
+7 −3

Conversation

legendecas
Copy link
Member

Fixes: #58221

@nodejs-github-bot nodejs-github-bot added cli Issues and PRs related to the Node.js command line interface. doc Issues and PRs related to the documentations. labels May 14, 2025
ChALkeR
ChALkeR suggested changes May 14, 2025
View reviewed changes
Copy link
Member

@ChALkeR ChALkeR left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No.

Documenting the incomplete behavior and setting it in stone would be more problematic, I think.

Instead, #28614 should have respected this flag

Not doing that that is hardly helpful and makes this flag close to useless.
While doing that will very unlikely break anything.

Also the path of least surprise in the behavior is blocking data imports on that flag, like browsers do with CSP.

See also explanation in #58221

@legendecas
Copy link
Member Author

legendecas commented May 14, 2025
edited
Loading

Node.js does not support CSP. This flag was originally exposed as a V8 flag, and documented in Node.js, only supporting guarding the listed APIs.

#28614 did nothing wrong as the flag was never meant to interfere module system, including require and import. Module APIs like module loaders (specifically the load hook, as it loads modules as source strings), require.extensions and CJS module._compile are all compiling module codes as string in JavaScript and I don't see it is possible to disable the whole module system for this flag.

@ChALkeR
Copy link
Member

ChALkeR commented May 14, 2025

cc @nodejs/tsc pls discuss this

aduh95
aduh95 requested changes May 15, 2025
View reviewed changes
Copy link
Contributor

@aduh95 aduh95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a request for change so this doesn't land without @ChALkeR's objection getting dismissed by either Nikita or a TSC vote.

@legendecas legendecas added the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label May 19, 2025
@legendecas legendecas mentioned this pull request May 19, 2025
Closed
This was referenced May 25, 2025
Closed
Closed
@mhdawson mhdawson mentioned this pull request Jun 8, 2025
Open
RaisinTen
RaisinTen reviewed Jun 11, 2025
View reviewed changes
Copy link
Member

@RaisinTen RaisinTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commenting here too:
Not something that needs to be done here. To stress that this is a V8 option, we can move it under https://nodejs.org/api/cli.html#useful-v8-options.

@joyeecheung
Copy link
Member

joyeecheung commented Jun 11, 2025
edited
Loading

I think we should make it clear that it is a V8 flag and can change or be removed at any time. Node.js does not provide stability guarantee of this and it should not be used for security purposes. It only provides whatever V8 provides - it's okay to document what they are now the last time people checked, but we should also note that the documentation on the Node.js side may not be up to date.

If people are interested in a flag that does more than what the V8 flag does, IMO it's better to just implement a different flag that may or may not imply the V8 flag, depending on whether it's necessary/helpful.

@panva
Copy link
Member

panva commented Jun 11, 2025

There's no need to list things it doesn't affect so long as there is a definitive list of what it does affect.

To that end, being clear about the exact language features being disallowed is important, words such as "like" in the text should be removed and an exhaustive list of disallowed features needs to be present with no room for misinterpretation.

Expanding the scope of the flag to disallow more non-v8 covered features is possible in a follow up contribution.

@legendecas legendecas removed the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Jun 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RaisinTen RaisinTen

@ChALkeR ChALkeR

@aduh95 aduh95

@anonrig anonrig

@marco-ippolito marco-ippolito

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
cli Issues and PRs related to the Node.js command line interface. doc Issues and PRs related to the documentations.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

--disallow-code-generation-from-strings does not work as documented
9 participants
@legendecas @ChALkeR @joyeecheung @panva @anonrig @aduh95 @marco-ippolito @RaisinTen @nodejs-github-bot