Skip to content

doc: clarify the scope of --disallow-code-generation-from-strings#58328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
legendecas wants to merge 1 commit into
base:main
Choose a base branch
from
Open

doc: clarify the scope of --disallow-code-generation-from-strings#58328

legendecas wants to merge 1 commit into from
+7 −3

Conversation

@legendecas
Copy link
Member

@legendecaslegendecas commented May 14, 2025

Fixes: #58221

@nodejs-github-botnodejs-github-bot added cli Issues and PRs related to the Node.js command line interface. doc Issues and PRs related to the documentations. labels May 14, 2025
ChALkeR
ChALkeR suggested changes May 14, 2025
View reviewed changes
Copy link
Member

@ChALkeRChALkeR left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No.

Documenting the incomplete behavior and setting it in stone would be more problematic, I think.

Instead, #28614 should have respected this flag

Not doing that that is hardly helpful and makes this flag close to useless.
While doing that will very unlikely break anything.

Also the path of least surprise in the behavior is blocking data imports on that flag, like browsers do with CSP.

See also explanation in #58221

@legendecas
Copy link
MemberAuthor

legendecas commented May 14, 2025
edited
Loading

Node.js does not support CSP. This flag was originally exposed as a V8 flag, and documented in Node.js, only supporting guarding the listed APIs.

#28614 did nothing wrong as the flag was never meant to interfere module system, including require and import. Module APIs like module loaders (specifically the load hook, as it loads modules as source strings), require.extensions and CJS module._compile are all compiling module codes as string in JavaScript and I don't see it is possible to disable the whole module system for this flag.

@ChALkeR
Copy link
Member

ChALkeR commented May 14, 2025

cc @nodejs/tsc pls discuss this

aduh95
aduh95 requested changes May 15, 2025
View reviewed changes
Copy link
Contributor

@aduh95aduh95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a request for change so this doesn't land without @ChALkeR's objection getting dismissed by either Nikita or a TSC vote.

@legendecaslegendecas added the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label May 19, 2025
@legendecaslegendecas mentioned this pull request May 19, 2025
Closed
This was referenced May 25, 2025
Closed
Closed
@mhdawsonmhdawson mentioned this pull request Jun 8, 2025
Closed
RaisinTen
RaisinTen reviewed Jun 11, 2025
View reviewed changes
Copy link
Member

@RaisinTenRaisinTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commenting here too:
Not something that needs to be done here. To stress that this is a V8 option, we can move it under https://nodejs.org/api/cli.html#useful-v8-options.

@joyeecheung
Copy link
Member

joyeecheung commented Jun 11, 2025
edited
Loading

I think we should make it clear that it is a V8 flag and can change or be removed at any time. Node.js does not provide stability guarantee of this and it should not be used for security purposes. It only provides whatever V8 provides - it's okay to document what they are now the last time people checked, but we should also note that the documentation on the Node.js side may not be up to date.

If people are interested in a flag that does more than what the V8 flag does, IMO it's better to just implement a different flag that may or may not imply the V8 flag, depending on whether it's necessary/helpful.

@panva
Copy link
Member

panva commented Jun 11, 2025

There's no need to list things it doesn't affect so long as there is a definitive list of what it does affect.

To that end, being clear about the exact language features being disallowed is important, words such as "like" in the text should be removed and an exhaustive list of disallowed features needs to be present with no room for misinterpretation.

Expanding the scope of the flag to disallow more non-v8 covered features is possible in a follow up contribution.

@legendecaslegendecas removed the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Jun 13, 2025
@legendecaslegendecas mentioned this pull request Nov 2, 2025
Open
mcollina
mcollina approved these changes Nov 2, 2025
View reviewed changes
Copy link
Member

@mcollinamcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollinamcollina added the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Nov 2, 2025
This was referenced Nov 4, 2025
Closed
Closed
This was referenced Nov 13, 2025
Closed
Closed
@openjs-meetings-botopenjs-meetings-botbot mentioned this pull request Nov 27, 2025
Closed
@openjs-meetings-botopenjs-meetings-botbot mentioned this pull request Dec 4, 2025
Closed
This was referenced Dec 11, 2025
Closed
Closed
@openjs-meetings-botopenjs-meetings-botbot mentioned this pull request Dec 25, 2025
Closed
@openjs-meetings-botopenjs-meetings-botbot mentioned this pull request Jan 1, 2026
Open
@mcollinamcollina removed the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Jan 7, 2026
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RaisinTenRaisinTenRaisinTen left review comments

@aduh95aduh95aduh95 requested changes

@mcollinamcollinamcollina approved these changes

@anonriganonriganonrig approved these changes

@marco-ippolitomarco-ippolitomarco-ippolito approved these changes

+1 more reviewer

@ChALkeRChALkeRChALkeR requested changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

cliIssues and PRs related to the Node.js command line interface.docIssues and PRs related to the documentations.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

--disallow-code-generation-from-strings does not work as documented

10 participants

@legendecas@ChALkeR@joyeecheung@panva@mcollina@anonrig@aduh95@marco-ippolito@RaisinTen@nodejs-github-bot