lib: deprecate _tls_common and _tls_wrap #57643
Conversation
|
Review requested:
|
nodejs-github-bot
added
lib / src
|
@BridgeAR I know you said that the runtime deprecation wasn't completely necessary but I really wanted to give it a shot (and I really like how it turned out 😄) I hope you don't mind 🙂 |
dario-piotrowicz
force-pushed
the
dario/deprecate_tls
branch
2 times, most recently
from
6d4746b to
50c51bd
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #57643 +/- ##
=======================================
Coverage 90.23% 90.24%
=======================================
Files 630 632 +2
Lines 185496 185475 -21
Branches 36367 36376 +9
=======================================
- Hits 167388 167375 -13
+ Misses 11000 10998 -2
+ Partials 7108 7102 -6
🚀 New features to boost your workflow:
|
dario-piotrowicz
force-pushed
the
dario/deprecate_tls
branch
from
9d8afa9 to
0643430
Compare
mcollina
added
request-ci
github-actions
bot
removed
the
request-ci
dario-piotrowicz
force-pushed
the
dario/deprecate_tls
branch
from
0643430 to
f09a338
Compare
runtime deprecate the _tls_common and _tls_wrap modules, users should use nust node:tls insteal and internally internal/tls/commond and internal/tls/wrap should be used instead
restrict exports of _tls_common and _tls_wrap modules
dario-piotrowicz
force-pushed
the
dario/deprecate_tls
branch
from
f09a338 to
15a47d9
Compare
| Type: Runtime | ||
|
|
||
| The `node:_tls_common` and `node:_tls_wrap` modules are deprecated as they should be considered | ||
| an internal nodejs implementation rather than a public facing API, use `node:tls` instead. |
There was a problem hiding this comment.
Just noting... it's an unfortunate truth that while these are deprecated we likely will never be able to actually remove them. See require('sys') ....
There was a problem hiding this comment.
oh I see.. that's pretty disappointing 🥲 (although I understand the security implications...)
I like your suggestion of throwing an error though, it'd be pretty nice if we could do that at some point 🙂
There was a problem hiding this comment.
mh... or maybe the _ modules could be removed at some point since npm doesn't support such modules anyways? 🤔
#26292 (comment)
https://github.com/npm/validate-npm-package-name?tab=readme-ov-file#naming-rules
🤔
There was a problem hiding this comment.
npm may not but an attacker could still locally inject a module which would still be problematic.
There was a problem hiding this comment.
oh I see what you mean... like with a postinstall script or something that drops an _ module in the node_modules right? 🤔
oh too bad then 😓 (but I am still hoping for the throwing idea! 😀)
This PR is for runtime deprecation of the
_tls_commonand_tls_wrapmodulesMy hope is to manage to gradually deprecate the various
_modules that are not documentedand that should not be part of node.js' public API (for more context see: #57540 (comment))
Interestingly as you can see:
common and wrap expose respectively:
SecureContextcreateSecureContexttranslatePeerCertificateand
TLSSocketServercreateServerconnectAll of these, seem to already being re-exported by
node:tls:node/lib/tls.js
Lines 389 to 394 in 186bbf7
the only exception being
translatePeerCertificate(which I am not really very familiar with, but by the looks of itseems like a rather simple function that can be re-implemented externally)
So I don't think that deprecating these modules should have huge impacts to users and that importing from
node:tlsinstead is a viable alternative@BridgeAR 🙂👍