Regarding Buffer

[RyanZim]

A little background:

• new Buffer(size) is deprecated: https://nodejs.org/api/buffer.html#buffer_new_buffer_size
• Buffer.alloc() or Buffer.allocUnsafe() should be used instead, but it's not supported on Node.js v4.0.0-v4.5.0.
• Use Buffer.alloc() instead of deprecated new Buffer() in copy-file-sync #380 switched us to Buffer.alloc(). This was released in fs-extra v2.1.0
• People complained about the lack of Node v4.3.0 support: v2.1.0 fails on Node.js v4.0.0-v4.5.0 #390
• I reverted Use Buffer.alloc() instead of deprecated new Buffer() in copy-file-sync #380 in e02c07b, and released fs-extra v2.1.1 as a hotfix for this.

Now, what are we going to do moving forward? Using new Buffer() emits a deprecation warning in Node v7.0.0-v7.2.1.

I'm wondering if we shouldn't consider some sort of fallback solution.

---

Also, this brings up the security question that prompted Node to change the Buffer API in the first place: new Buffer returns an uninitialized buffer. Currently, we are not zero-filling it. I can't see how this could be exploited in the current implementation, but it would be good to have this reviewed.

If we do not need the buffer to be initialized, we should use Buffer.allocUnsafe, not Buffer.alloc, in later versions.

Atten: @jprichardson @manidlou @dr-dimitru

[jprichardson]

To get through this mess, we should create an internal function bufferAlloc that checks for Buffer.alloc if available, and falls back to new Buffer() if not. Thoughts?

[RyanZim]

To get through this mess, we should create an internal function bufferAlloc that checks for Buffer.alloc if available, and falls back to new Buffer() if not.

I agree, except should we be using alloc or allocUnsafe?

[jprichardson]

To err on the side of caution, my preference is alloc to prevent any potential security issues in the future. The only reason we'd need to use allocUnsafe is for performance, but it's my understanding the performance gains of allocUnsafe (not initializing mem to 0) are miniscule. It feels a little cargo-cultish, but I'm thinking alloc. This isn't a strong preference though and I could certainly be missing something in my analysis.

[RyanZim]

@jprichardson I'm fine with alloc, but we should use new Buffer().fill(0) as a fallback then.

[dr-dimitru]

Hi @jprichardson

Here is my snipped from #380 thread:

var _buffer = {
  allocUnsafe: function (len) {
    if (typeof Buffer.allocUnsafe === 'function') {
      try {
        // Node 4.4.* Buffer.allocUnsafe already exists, but throws exception in edge cases
        return Buffer.allocUnsafe(len);
      } catch (_error) {
        return new Buffer(len);
      }
    }
    return new Buffer(len);
  }
};

[jprichardson]

@RyanZim good point. Let's just go with allocUnsafe()

@dr-dimitru looks good!