buffer: do deprecation warning outside node_modules

[addaleax]

In addition to --pending-deprecation, emit a deprecation warning
for usage of the Buffer() constructor for call sites that are outside
of node_modules.

The goal of this is to better target developers, rather than
burdening users with an omnipresent and quickly ignored warning.

This implements the result of a TSC meeting discussion
from March 22, 2018.

Refs: #19079 (comment)

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

fyi @nodejs/collaborators

(Fwiw, I would still prefer to not do this and/or wait until after the Node 10 release.)

[addaleax]

CI: https://ci.nodejs.org/job/node-test-pull-request/13817/
CI: https://ci.nodejs.org/job/node-test-commit/17093/

[vsemozhetbyt]

Nit: "warning is" or "warnings are"?

[ChALkeR]

This can now be updated to 19524 (here and below).

[ChALkeR]

The problem here is that this is not called once per process. It's called once per every new Buffer() call until it finds a one that is not inside node_process.

How long would 1k / 10k calls take?
Perhaps, bail out after 1k/10k per process if no other suggestions?

[addaleax]

Right – I switched to caching the function now.

I get ~ 16µs per call for this, so 10k calls would be 0.16 seconds.

(That’s a lot, yes.)

[seishun]

The goal of this is to better target developers, rather than burdening users with an omnipresent and quickly ignored warning.

There are many problems with this statement.

1. We decided to deprecate the Buffer constructor because it's problematic, and the arguments for that are relevant regardless of where the code is located. Not showing the warning for call sites inside node_modules means hiding a (likely large) part of the problem.
2. There is no evidence that a single-time warning is a significant burden for users, or that they "quickly ignore" it. At least I haven't seen such evidence having closely followed every Buffer-deprecation-related issue.
3. Many modules are not actively tested on the latest Node.js versions, which means the problematic code in them will never be fixed, since no users will see and report the warning.
4. Many applications and modules depend on old module versions, which means they'll continue running with problematic code even if all dependencies have been fixed long ago.

In addition, this behavior is surprising and inconsistent with other deprecation warnings. Imagine you're using Node.js for the first time, you copy some Buffer code from a module you're using (that doesn't print any warnings!) into your own code, and suddenly you get a warning. Then you spend a lot of time figuring out why it was not printed before, only to learn that it depends on the path to the file. That's not a great first impression.

[Trott]

@seishun You make some valid points. I'm only responding to the ones that I think could benefit from a broader context. I don't expect this to persuade you. Just informing the larger discussion.

There is no evidence that a single-time warning is a significant burden for users, or that they "quickly ignore" it. At least I haven't seen such evidence having closely followed every Buffer-deprecation-related issue.

As one of several people who have been running with export NODE_PENDING_DEPRECATION=1 set in my shell rc file, I can attest that the warnings end up everywhere for CLI tools. It is reasonable to conclude that most users will learn to ignore these messages completely.

Many modules are not actively tested on the latest Node.js versions, which means the problematic code in them will never be fixed, since no users will see and report the warning.

They will (hopefully) get fixed when the warnings are enabled for the contents of node_modules which will presumably happen in a later release.

[ChALkeR]

Infinity? Why? That would mean that a function that does new Buffer in a callback of e.g. express would not get the warning, correct? Shouldn't this check just the location of the file that does new Buffer()?

[ChALkeR]

Ah, disregard this one comment, I think I understand how this works now, sorry =).
Not deleting just to be double-sure.

[ChALkeR]

I still suggest bailing out after 10k attempts (which are about ~0.1 second).

[addaleax]

@ChALkeR I think it might be helpful if you could explain why you are both very much pro-deprecation and in favor of moving all code off the deprecated API, but at the same time want to keep the performance on the same level as it was before?

Like @mafintosh said, isn't the perf hit a good incentive to move away?

[ChALkeR]

@addaleax Because, according to the numbers you presented, this change has the potential of silently adding from 10x to 100x synchronous performance hit on some workloads (for buffers of size 1 KiB), which could affect streams and stuff like that significantly.

Presenting that performance hit to people without any warning (so they have no idea what's going on) could be pretty disruptive and can cause issues with real deployments out there.

In my opinion, a deprecation warning would be less disruptive than a 100x silent performance hit.

[lpinca]

They will (hopefully) get fixed when the warnings are enabled for the contents of node_modules which will presumably happen in a later release.

I'll repeat myself but in my opinion if we don't bug users and module authors in a way or another, nothing will be fixed and we'll just keep postponing the problem.

[mscdex]

I agree with @lpinca

[bmeck]

I have some concerns, we don't always develop our application code in a single top level package, we put various bootstrapping inside of node_modules including our server bootstrap. For cases where we have something like:

/app-logic
/app-logic/node_modules/server

Wouldn't this prevent deprecations coming from server which we update as a peer dependency essentially?

Also, wouldn't this cause problems if I had a parent directory containing node_modules such as /usr/local/lib/node_modules/ which is the default npm install -g directory on my machine? I would think running executables would be the most important place to give such deprecation.

[MylesBorins]

@mafintosh Would the top level completely solve your problems? One thought I have is that if we still warn for top level modules, individual module test suites could still be broken by this. If the suites are broken by the warning, they will not be able to actively test against the latest version.

That being said, this approach is likely to have less people opening issues against the modules due to the warnings, meaning that the errors could be fixed when they are encountered... which is far less disruptive.

Thoughts?

[mafintosh]

@MylesBorins I think I'm 👎. The main thing I see this solving is stopping people writing new modules with new Buffer. As I understand it, that was one of the main TSC reasons for doing the runtime deprecation now. With the approach taken as is, in this PR, users writing new modules with new Buffer will immediately get hit by the deprecation warning (I'm open to even start throwing here at some point!). I think we should give this approach a chance to work. It's not like userland isn't updating as it is, it's just a very slow and looooong process.

[mafintosh]

In addition the approach taken by @addaleax here has the added "benefit" of slowing down code running with new Buffer, which could be seen as an extra carrot for users to upgrade.

[MylesBorins]

@mafintosh did you mean to 👍🏽?

To be more explicit, are you in support of this approach? I personally think it is a good idea, but just wanted to confirm that the above concern wasn't an issue

[mafintosh]

@MylesBorins hehe sorry, I thought you asked me about @bmeck's comment. I'm 👍 on @addaleax's PR. I actually suggested this approach in the Buffer runtime thread

[addaleax]

Also, wouldn't this cause problems if I had a parent directory containing node_modules such as /usr/local/lib/node_modules/ which is the default npm install -g directory on my machine? I would think running executables would be the most important place to give such deprecation.

@bmeck Yes. For the npm install -g use case, this is intended (at least by me) -- CLIs are almost never vulnerable to the actual issue, and since we're not talking about "real" breakage of a feature, there doesn't seem to be a point in warning users about it.

Regarding the other condition, intentionally calling a directory node_modules as part of code management: No idea what to do about it, tbh. I kind of hope that it's rare enough to not matter in the big picture of things.

[mafintosh]

if require.main.filename contains node_modules, we should ignore that node_modules folder here. I know plenty of devs (including myself), that use a node_modules folder to contain all the dev code to make cross module development easier.

Something like:

const nodeModulesParent = require.main.filename.indexOf('/node_modules/') // add windows support
function isNodeModules (filename) {
  const i = filename.lastIndexOf('/node_modules/')
  return i !== -1 && i > nodeModulesParent
}

This has the added benefit of making deprecations show if you cd into node_modules and run a test fx (i do that a bunch as well)

[addaleax]

@mafintosh thanks, i'll look into it later, this makes sense!

I think we might adjust it abit because there might be different prefixes before /node_modules/ and we want to take care of backlashes as well, but generally this sgtm

[addaleax]

@mafintosh updated, please take a look!

[benjamingr]

Can you explain "it's likely"?

[addaleax]

@benjamingr You could do the same thing we're doing here, run something inside a vm context with a specified filename.

If there are more such edge cases, I'm not aware of those, but I'm not comfortable claiming there aren't any either :)

[jdalton]

👆 I little e.g. would help. like

e.g. 
`a/node_modules/b/node_modules/c/node_modules/d/d.js` would match 
`a/node_modules/b/node_modules/c/node_modules/`

[rvagg]

Yeah, I think I can dig this, I like the 10k cutoff as a way to lean-in given the heavy-handed way the /node_modules/ check is done. Gives us another dial to turn to increase the pressure more slowly than a binary deprecation. It'll be interesting to see if this causes a hit on microbenchmarks that people will inevitably apply to Node 10 when it goes live. 🤞 that TF+I improvements give us an equivalent boost to make it disappear in the general case.

[mcollina]

LGTM

[Trott]

Given @seishun's objections in #19524 (review) and assuming they have not been addressed/answered, this cannot land without a TSC vote. So I'm going to put this on the agenda for tomorrow. If we're going to do this, we should decide that promptly. If we are not going to do it, we should close this and figure out what we are going to do.

[BridgeAR]

@seishun I know you want to have a stricter version than the suggestion here. Instead of the TSC vote, do you not maybe want to accept this PR and open a own PR afterwards to make the deprecation stricter? I suggest that mainly out of fear that we might end up with no deprecation message at all in 10.x if nothing lands soon :/.

[seishun]

@BridgeAR Judging from the TSC meeting discussion from March 22, 2018, the only reason why TSC might reject this PR (which seems unlikely given 5 approvals on behalf of TSC) is if they decide to land #15346 instead. So I would like to keep my objection explicit.

But I'll be sure to update #15346 accordingly once/if this lands. :)

[mhdawson]

LGTM

[addaleax]

CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/1349/
CI: https://ci.nodejs.org/job/node-test-commit/17417/

[MylesBorins]

Rubber Stamp LGTM

[Trott]

TSC vote in the meeting today:

YES (10): @addaleax @Trott @targos @cjihrig @evanlucas @MylesBorins @mcollina @gibfahn @thefourtheye @ofrobots
NO (0)
ABSTAIN (0)

10 is enough to approve (19 members, so that's 50% + 1), so this can land.

[BridgeAR]

Landed in 9d4ab90 🎉 🎉 🎉