Skip to content

stream: refactor duplexify to be less suceptible to prototype pollution#62559

Open
aduh95 wants to merge 1 commit intonodejs:mainfrom
aduh95:proto-null-duplexify
Open

stream: refactor duplexify to be less suceptible to prototype pollution#62559
aduh95 wants to merge 1 commit intonodejs:mainfrom
aduh95:proto-null-duplexify

Conversation

@aduh95
Copy link
Copy Markdown
Contributor

@aduh95 aduh95 commented Apr 2, 2026

With the __proto__: null, the JS engine has to look into e.g. %Object.prototype%.then when trying to resolve the promise

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 2, 2026

Review requested:

  • @nodejs/streams

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. stream Issues and PRs related to the stream subsystem. labels Apr 2, 2026
mcollina
mcollina approved these changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@aduh95 aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Apr 2, 2026
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 2, 2026
@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 2, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/72411/

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 2, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 87.50000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 89.71%. Comparing base (0dfdec9) to head (7930c68).
⚠️ Report is 5 commits behind head on main.

Files with missing lines Patch % Lines
lib/internal/streams/duplexify.js 87.50% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62559      +/-   ##
==========================================
- Coverage   89.71%   89.71%   -0.01%     
==========================================
  Files         695      695              
  Lines      214154   214154              
  Branches    41009    41006       -3     
==========================================
- Hits       192132   192118      -14     
- Misses      14075    14083       +8     
- Partials     7947     7953       +6
Files with missing lines Coverage Δ
lib/internal/streams/duplexify.js 96.56% <87.50%> (ø)

... and 23 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 2, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/72429/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ljharb ljharb ljharb approved these changes

@mcollina mcollina mcollina approved these changes

@targos targos targos approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. needs-ci PRs that need a full CI run. stream Issues and PRs related to the stream subsystem.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@aduh95 @nodejs-github-bot @ljharb @mcollina @targos @marco-ippolito