Node: v8.deserialize triggers Buffer constructor deprecation warning
- Version: Observed on 10.4.0, presumably occurs on all 10+
- Platform: All
Deserializing a representation of an expression that contained a Buffer displays(node:15176) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Reproduce withv8.deserialize(v8.serialize(Buffer.alloc(0))).
It looks like DefaultDeserializer ._readHostObject() needs a special case for buffers.
Conduitry
All 7 comments
@nodejs/v8 @nodejs/buffer
Trott
on 7 Jun 2018
@Conduitry line to be blamed for this: https://github.com/nodejs/node/blob/c9d9bf1cb06a9f490669b107a28eb9c628aeeb23/lib/v8.js#L189
/cc @nodejs/buffer @ChALkeR do we break character and hide the warning? I hope not. There's got to be a way to achieve the same functionality without using the Buffer constructor.
ryzokuken
on 7 Jun 2018
Like this? :)
diff --git a/lib/v8.js b/lib/v8.js
index ed93b094ca78..0d9ffc6033ce 100644
--- a/lib/v8.js
+++ b/lib/v8.js
@@ -144,5 +144,5 @@ const arrayBufferViewTypeToIndex = new Map();
}
-const bufferConstructorIndex = arrayBufferViewTypes.push(Buffer) - 1;
+const bufferConstructorIndex = arrayBufferViewTypes.push(FastBuffer) - 1;
class DefaultSerializer extends Serializer {
addaleax
on 7 Jun 2018
@addaleax we have a drop-in, secure replacement for Buffer? I didn't know. Will make a patch.
ryzokuken
on 7 Jun 2018
@ryzokuken It鈥檚 not really drop-in because it only takes Uint8Array-style arguments, but that鈥檚 not an issue here, right?
addaleax
on 7 Jun 2018
Exactly. The arguments are literally being passed into an Uint8Array, so that's definitely not a problem.
ryzokuken
on 7 Jun 2018
This looks good now in 10.5.0 :+1:
Conduitry
on 21 Jun 2018
Related issues
Icemic
路
3Comments
seishun
路
3Comments
danielstaleiny
路
3Comments
fanjunzhi
路
3Comments
stevenvachon
路
3Comments
Most helpful comment
This looks good now in 10.5.0 :+1: