Closed o-rumiantsev closed 4 years ago
We can't just apply deepFreeze here because most libraries hold state in deep data structures. Also, there are JS built-in classes/prototypes open for mix-ins and changes by user code. So this is a complex question; it can be solved by linter rules like this one: https://www.npmjs.com/package/eslint-plugin-prototype-pollution-security-rules or in other ways, and it needs more research. For this starter kit we can keep it as is, hoping that developers will care about the quality of their own code, but it's an important issue for the future cloud platform.
Thanks @o-rumiantsev and I hope you will not forget this issue in future :smile:
`Object.freeze()` does not freeze objects recursively, so after `Object.freeze(lib)` it is still possible to change object properties of `lib`. https://github.com/HowProgrammingWorks/NodejsStarterKit/blob/a84aec703b79909cbed40df9e34d827b0fd3bc91/lib/application.js#L37 For example, it is possible to break the `http.STATUS_CODES` object.