[WiP] buffer: runtime-deprecate buffer constructor in sync mode #22584
Conversation
ChALkeR
added
wip
nodejs-github-bot
added
buffer
| @@ -116,4 +116,7 @@ function setupNextTick(_setupNextTick, _setupPromises) { | |||
| tickInfo[kHasScheduled] = 1; | |||
| queue.push(new TickObject(callback, args, getDefaultTriggerAsyncId())); | |||
| } | |||
|
|
|||
| process.stillSynchronous = true; | |||
There was a problem hiding this comment.
This shouldn't expose undocumented things directly on process — that will change.
|
I'm +1 on trying this approach |
|
I'm +1 to this approach. (Just please don't spell out |
|
I am -1 to this approach unless it’s proven that the vast majority of affected modules are not showing the warning. I’m referring to old modules that have not been updated in ages. cc @mafintosh |
If the vast majority of affected modules are not showing the warning, then the warning is useless. |
I don't think that's even a correct question, to speak about affected modules. Modules provide APIs. Those could be sync or async, but most things happen directly on function calls (with some noticable exceptions, yes). Assuming that most of the code in real-world apps is async, I expect that this will hit much less applications than a full runtime deprecation would. This also will make sure that the warning doesn't unexpectedly show up during an application lifetime while it is running — only at start-up where in would most likely be noticed by the developer immediately. At the same time, that should affect some apps, and I anticipate that being enough to make the affected modules either drop their usage of unsafe Buffer constructor (hopefully not only in the affected sync codepath, but in all code), or migrate to other non-affected modules in the dependency chain in cases where unsupported modules are used. CITGM tests are of course needed though — knowing how much testcases would be hit by this should give hints if this really helps reducing the disturbance compared to a full runtime deprecation. I would appreciate any help with running this through CITGM btw. |
|
+1 on the approach |
|
I don't know if it's possible with the CI job, but when this is ready I'll try to run CITGM with |
|
Does anyone have a real-world example of a synchronous/first-tick @ChALkeR anyway you can share the updated ecosystem data with me? i'm curious to see what kind of newly published modules are using new Buffer. |
|
@mafintosh Done. You should have received an invitation. |
There was a problem hiding this comment.
I’m sorry, I can’t quite get behind this either and am -1 as well.
This will most likely not help with problematic usage, and I think it’s too early to judge the effects of our changes to Node 10 (warning outside node_modules) completely before it has been the main production environment.
That is, I do not think we should take any action on this topic in Node 11, or possibly ever.
seishun
added
the
tsc-agenda
|
Adding to the agenda because a decision needs to be made soon, otherwise we'll just run out of time. |
|
@seishun what do you think of the analysis in #21351 (comment)? It seems our current strategy is indeed working, and this is not needed after all. |
|
It seems to be working for new modules, but the purpose of this PR (and #21351) is to decrease the usage in existing modules. |
|
I didn't try with this change yet, but at https://github.com/nodejs/citgm/projects/2#column-3451048 you can see the list of modules tested by |
|
@targos, that doesn't affect real-life setups that are consuming those libs, because those end up in node_modules. This change will affect some consumers of the libs though, so what makes the difference here – how many setups would be affected? Hopefully not too much, but not zero - so that those issues would get noticed. Perhaps for the citgm testing of this proposal it would make sense to comment out / disable the check that always displays the warning outside of node_modules dir – that isn't relevant here and would not affect users, what is relevant is the warning that gets displayed even inside of node_modules. |
|
I'm -1 on this at this point for Node 11. I do not have a good sense of the concrete benefit and whether they out weight the negatives. |
|
Definite -1 for 11 |
|
-1 for 11 |
|
Abstaining. |
|
@Trott fair enough, it seems there is nothing else to discuss. |
Trott
removed
the
tsc-agenda
|
Ok, let's wait to see the usage evolves. |
|
Is it time to put this on the TSC agenda to discuss whether it would be permissible to land in 12.x or not? |
| @@ -147,6 +147,7 @@ function showFlaggedDeprecation() { | |||
| if (bufferWarningAlreadyEmitted || | |||
| ++nodeModulesCheckCounter > 10000 || | |||
| (!pendingDeprecation && | |||
| !process.stillSynchronous && | |||
There was a problem hiding this comment.
I imagine we need to update the comment below to reflect this.
|
@Trott I will try to take another look and see what changed over these months in a week or two. Let's delay until then. |
|
@rvagg Yes, I migrated everything to the new server, thanks! The last datapoint in those stats was for 2018-07-24, I will add two new datapoints: for 2018-11-12 and for 2019-01-28 (based on datasets created on the new server). I will try to do that later today or tomorrow, I guess. |
|
I have one more datapoint. Applications that use Buffer() in a hot path as a performance hit as isInsideNodeModules is expensive to compute. I’ve been actively seen those in real-world flamegraph since v10 became LTS. I think the slow-down strategy is somehow already been implemented. |
|
@mcollina this approach is not expected to add any visible additional slowdown. Slowdown being caused by #19524 was expected (and partially intentional?), and it is sure expected to appear on flamegraphs, but it is constrained, so it shouldn't cause issues in long-running apps like servers. See #19524 (comment), for example. |
|
@rvagg Ok, I have new data. In short: total affected packages count slowly grows, downloads/count normalized on today stats continues to drop (popular packages migrate off), but the actual downloads/month still seem to grow because of the fast overall ecosystem growth. I will add some more metrics (based on stats on different dates) in the next few days, also I'll look deeper inside the data (i.e. which are the top packages, are those false positives or not, how easy it is to fix them). |
|
Can I add to the record that I am permanently abstaining from any decision regarding the |
|
What should be done with this? Should this come up again for Node.js 12? |
|
Let's close this for now, might want to revisit later. |
This is a work in progress, temporarily alternative for #21351 for now.
Judging by the current situation, I think that #21351 would almost certainly not land in v11.0, but I hope this approach can (if ecosystem tests show that is ok, see below).
The idea is to reduce the number of warnings users see and make them reproducable, while still printing warnings for code inside of
node_modules, long-term plan being to land #21351 (or alternative) once it becomes viable in a sense that benefits outweight potential user disturbance (see refs below).The reasoning why we need this is that the current warnings for code outside of
node_modulesdo not help much in reducing the usage of unsafe buffer constructor — they do help by downloads/month metrics, but it that did not stop the number of modules using unsafe Buffer API from growing.See #21351 (comment) and #21351 (comment) for more info and reasoning.
This has to go through CITGM to check how this affects popular modules.
This is currently more like a proof-of-concept to test things around and not near being completed, so what we need now is to understand how would this affect user modules, and if we want something like this in 11.0. For that, I think that this should be enough and such things could be already tested given this code.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes/cc @nodejs/tsc, @targos @seishun @fhinkel @danbev @addaleax