search

browserify / stream-browserify

the stream module from node core for browsers
MIT License
103 stars 42 forks source link

readable-stream@2 mutates core-util-is #24

Closed kumavis closed 4 years ago

kumavis commented 4 years ago

The current used version of readable-stream (v2) mutates the exports of core-util-is.

This is likely not intentional, but the side effect of a poorly constructed polyfill

/*<replacement>*/
var util = require('core-util-is');
util.inherits = require('inherits');
/*</replacement>*/

I'm building a plugin for browserify to reduce the risk of software supplychain attacks from the dependency graph. One of its protections is that is prevents the module.exports being mutated externally.

While I have seen this pattern with modules within a package, I haven't seen this pattern across packages, with the exception of this old version of readable-stream

I have verified this is resolved in v3

kumavis commented 4 years ago

here it is in the most recent v2 commit (2018) https://github.com/nodejs/readable-stream/blob/b3cf9b1f46eaa1865930ae03b96d7a4a570746f0/lib/_stream_readable.js#L66-L69

kumavis commented 4 years ago

relevant PR for readable-stream@2 https://github.com/nodejs/readable-stream/pull/423

idpaterson commented 4 years ago

Pull request nodejs/readable-stream#423 has been released in readable-stream@2.3.7