Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warning message when there is an attempt to overwrite __proto__ #10222

Closed
josephrocca opened this issue Apr 17, 2021 · 3 comments
Closed

Warning message when there is an attempt to overwrite __proto__ #10222

josephrocca opened this issue Apr 17, 2021 · 3 comments
Labels
deno_core Changes in "deno_core" crate are needed suggestion suggestions for new features (yet to be agreed)

Comments

@josephrocca
Copy link
Contributor

josephrocca commented Apr 17, 2021
edited

@kitsonk In this comment you mentioned that you'd prefer not to throw an error when __proto__ is overwritten like foo.__proto__=bar (as opposed to setPrototypeOf). I wonder what you (and other Deno devs) think about throwing a one-off warning message instead?

I'm porting a tangle of browser code across (the node XMLHttpRequest polyfill using browserify, so that I can get Pyodide running in Deno) and just fixed a somewhat "silent" bug that was caused by this. Luckily I'd just created #10221 for curiosity's sake, so it was quicker to track down, but it still took me an hour because I didn't realise that there was another attempted __proto__ edit in the codebase. I imagine that some others won't have as easy a time, because it's definitly not obvious that __proto__ would be frozen in Deno, while being editable in browsers.

I think an error would actually make some sense - better to crash the server (and thus alert the admin) than have silent bugs lurking. But a console.warn would be a good middle ground perhaps.

Cheers!
@josephrocca
Copy link
Contributor Author

josephrocca commented Apr 17, 2021
edited

Also, perhaps the warning message could point developers to use setPrototypeOf instead? This saved the day for me, and I wouldn't had known about it unless I visited the __proto__ MDN page in desparation - I really didn't want to rewrite the browserify Buffer module.

@kitsonk kitsonk added deno_core Changes in "deno_core" crate are needed suggestion suggestions for new features (yet to be agreed) labels Apr 19, 2021
@bartlomieju
Copy link
Member

@josephrocca so you're suggesting to print a warning when a code like this is executed: foo.__proto__= bar;? I don't think that's really feasible

@josephrocca
Copy link
Contributor Author

josephrocca commented Jun 26, 2021
edited

@bartlomieju Yes - just the first time that something like that is attempted (future occurrences would be silent). But if it's not feasible, then I'll close this. I think overwriting __proto__ isn't common enough that this is a huge problem - so long as libraries/frameworks/tooling/etc. (like this) can transition to setPrototypeOf, then it shouldn't be too much of a problem. The "silentness" of the current situation is a bit worrying to me though - it's not obvious to a dev that they'd need to change this in their codebase when they move to Deno, and so could result in sneaky bugs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
deno_core Changes in "deno_core" crate are needed suggestion suggestions for new features (yet to be agreed)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@josephrocca @kitsonk @bartlomieju