Uses a version of Node that differs from Node version installed

[rschristian]

Summary

Unfortunately it seems that coc-tsserver is using a version of Node that differs from my own, so it offers suggestions and doesn't raise a warning on modules that don't exist in the version of Node in use.

Reproduction

Using Node v14.x (or earlier):

• Add import { webcrypto } from 'crypto'; to a index.mjs file
• Notice no warnings
• Run node index.mjs
• Notice the following error:

  import { webcrypto } from 'crypto';
       ^^^^^^^^^
  SyntaxError: The requested module 'crypto' does not provide an export named 'webcrypto'
  at ModuleJob._instantiate (internal/modules/esm/module_job.js:121:21)
  at async ModuleJob.run (internal/modules/esm/module_job.js:166:5)
  at async Loader.import (internal/modules/esm/loader.js:178:24)
  at async Object.loadESM (internal/process/esm_loader.js:68:5)

The error is entirely correct, webcrypto was added in Node v15.0.0. So why is coc-tsserver not showing errors here?

I should note that everything works as expected if I try to use a named export that exists in no version of Node, like foo:

System Information

• :CocInfo output:

  
  ## versions

vim version: NVIM v0.5.1 node version: v14.17.4 coc.nvim version: 0.0.80-7904a9e7df coc.nvim directory: /home/name/.vim/plugged/coc.nvim term: alacritty platform: linux

- `:checkhealth` output

Node.js provider (optional)

• INFO: Node.js: v14.17.4
• INFO: Nvim node.js host: /home/name/.config/yarn/global/node_modules/neovim/bin/cli.js
• OK: Latest "neovim" npm/yarn package is installed: 4.10.0

Certainly let me know if I can/should provide more information, I'm just guessing on what might be useful to track this down.

[fannheyward]

I think it's not related the Node.js version, but the @types/node.

In my tests, put your cursor on webcrypto, gd jump to definition to goto ~/Library/Caches/typescript/4.4/node_modules/@types/node/crypto.d.ts.

Have no idea where this cache file came from, maybe Typescript/tsserver will generate this ?

[rschristian]

Having had a bit more time to investigate, this is quite disastrous.

It seems coc-tsserver grabs the latest definitions from DefinitelyTyped, rather than the actual version in use for all modules. I just skirted a very serious security issue that arose due to being shown a type definition for a function that did not match the version I was using.

While this is a rare situation no doubt, there's absolutely no way to trust the types shown by this extension while automatic type acquisition is enabled at the moment. Definitely would recommend disabling:

tsserver.disableAutomaticTypeAcquisition