Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: remove safe-buffer #144

Merged
merged 3 commits into from
Aug 3, 2018
Merged

chore: remove safe-buffer #144

merged 3 commits into from
Aug 3, 2018

Conversation

JustinBeckwith
Copy link
Contributor

No description provided.

@JustinBeckwith JustinBeckwith requested review from a team July 26, 2018 01:16
@ghost ghost assigned JustinBeckwith Jul 26, 2018
@codecov
Copy link

codecov bot commented Jul 26, 2018
edited
Loading

Codecov Report

Merging #144 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@          Coverage Diff          @@
##           master   #144   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           5      5           
  Lines         646    645    -1     
=====================================
- Hits          646    645    -1
Impacted Files Coverage Δ
src/entity.js 100% <ø> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 77c487c...7bdb4e5. Read the comment docs.

@ofrobots
Copy link
Contributor

Shouldn't we be going the other way around? We need to have a safety net as it is very easy to use Buffer insecurely.

An alternative safety net would be to use the eslint rule no-buffer-constructor for JavaScript. I can't find a similar rule in tslint yet, but there might be a contrib rule here or this feature request. In the meanwhile shouldn't we ban the use of Buffer directly?

@JustinBeckwith
Copy link
Contributor Author

@ofrobots we now have --throw-deprecation turned on for tests, and buffer constructors are deprecated in node 10. Do you think that's enough?

@ofrobots
Copy link
Contributor

ofrobots commented Aug 2, 2018

👍. That approach solves the Buffer constructor problem well.

Side note, generalizing: it seems like someone needs to go write a set of security oriented plugins for tslint as a counter part to eslint-plugin-security. Alternatively, perhaps we can run that plugin on the code generated by tsc?

@JustinBeckwith
Copy link
Contributor Author

Let me take that question one step further. Why does tslint need to exist? Wouldn't it make more sense to extend eslint with the ability to parse TypeScript, and apply a TypeScript plugin pack?

@ofrobots
Copy link
Contributor

ofrobots commented Aug 2, 2018

Good question. tslint is more capable because it leans on the compiler for more accurate analysis. I would expect that eslint would 1) not want to depend on the compiler, 2) not want to reimplement typescript and 3) be generally less capable as a result.

@JustinBeckwith JustinBeckwith merged commit bac3413 into googleapis:master Aug 3, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ofrobots ofrobots ofrobots approved these changes

Assignees

@JustinBeckwith JustinBeckwith

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JustinBeckwith @ofrobots