Node-postgres: DeprecationWarning: Buffer() is deprecated due to security and usability issues

Created on 3 Dec 2020 · 4 Comments · Source: brianc/node-postgres

└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

This issue is happening because an old version of the pg-types module is being used.
Do you have a plan to update pg-types to 3.x from 2.x?
The latest version of pg-types uses a new version of postgres-bytea, and this issue has been fixed there.
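
Background on the warning in the title, as an added example that is not part of the original issue and is not the code of pg-types or postgres-bytea: a bytea text decoder written with `Buffer.from` and `Buffer.alloc` instead of the deprecated `Buffer()` constructor. The function name `decodeBytea` and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration: not code from pg-types or postgres-bytea.
// decodeBytea is a hypothetical helper name.
function decodeBytea(text) {
  // new Buffer(value) switched behaviour on the argument type: a number
  // allocated that many bytes instead of decoding. Reject non-strings.
  if (typeof text !== 'string') {
    throw new TypeError('bytea text must be a string');
  }
  if (text.startsWith('\\x')) {
    const hex = text.slice(2);
    // Buffer.from(..., 'hex') stops silently at the first invalid digit,
    // so validate before decoding.
    if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
      throw new RangeError('malformed hex bytea');
    }
    return Buffer.from(hex, 'hex');
  }
  // Legacy escape format: "\\" is a backslash, "\ooo" is an octal byte,
  // everything else is a literal printable ASCII character.
  const out = Buffer.alloc(text.length); // zero-filled upper bound
  let n = 0;
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code > 0x7e) {
      throw new RangeError('non-ASCII character in escape bytea');
    }
    if (text[i] !== '\\') {
      out[n++] = code;
    } else if (text[i + 1] === '\\') {
      out[n++] = 0x5c;
      i += 1;
    } else if (/^[0-3][0-7]{2}$/.test(text.slice(i + 1, i + 4))) {
      out[n++] = parseInt(text.slice(i + 1, i + 4), 8);
      i += 3;
    } else {
      throw new RangeError('malformed escape bytea');
    }
  }
  return out.subarray(0, n);
}
```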

All 4 comments

Oh yes I need to upgrade. I know there are some backwards incompatible changes which is why I've waited so long. I think I should schedule a [email protected] upgrade for some time in January and make it a bundle of breaking changes. @charmander got any other breaking changes that come to mind? I'd like to deprecate the "query queue" concept in 9.0 - add a deprecation warning if you queue a query while another one is still in flight. Thoughts?

@brianc All of that sounds good! BigInt becoming the default value type for BIGINT is also something pg-types might be about to get. If you’re looking to bundle more breaking changes (I guess it’s good for getting people to look at the changelog!), thoughts on these?

  • No type-parsing defaults, meaning an unknown OID is an error instead of a string (or a binary buffer)?
  • Splitting the overloaded types query option (it’s an array of OIDs, but also a TypeParser) into incoming and outgoing types
  • Fully libpq-compatible connection string parsing (started at https://github.com/charmander/libpq-connection-string), with the key=value syntax + multiple hosts + matching sslmode=… behaviour (#2375, #2299) + service configuration (#416)

    • this one needs a deprecation step for things like ssl=1 and #2195

We can open issues to discuss them if they sound worth talking about!

Also, for pg-pool, there are breaking change ideas queued up, like returning client wrappers that stop working when they’re returned to the pool; those would also be waiting on a new major pg version eventually, so maybe they can be revisited too for this major.

BigInt becoming the default value type

That's gonna wreak havoc, imo.

libpq-compatible connection string parsing (started at

Not again, for the 100th time... why not just use the generic connection-string again?

returning client wrappers that stop working when they’re returned to the pool

Hasn't this been there for ages, releasing the pool connection with release(true)? The boolean tells the pool to terminate the connection.

@vitaly-t Your “generic” package isn’t libpq-compatible. It’s MongoDB-compatible. release(true) is completely unrelated to what you quoted and I don’t feel like wasting time expanding on it for you.
