Remove Pause dependency by inlining stream buffering logic.#1059
Open
trustinpeace wants to merge 1 commit into
Open
Remove Pause dependency by inlining stream buffering logic.#1059trustinpeace wants to merge 1 commit into
trustinpeace wants to merge 1 commit into
Conversation
trustinpeace
force-pushed
the
pause-remove
branch
from
f5ca6b3 to
d679cac
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The pause package (0.0.1) is passport's only remaining production dependency that exists solely to support the optional pauseStream path
in SessionStrategy. The package was published in 2010, has not been updated since 2015, and has been effectively abandoned for a decade.
It is flagged as an operational risk in dependency audits that scan for stale packages.
pause is a small, self-contained utility — 30 lines — that buffers data and end events on a stream and replays them on demand. This patch inlines that logic directly into lib/strategies/session.js as a private pauseStream function, removing the external dependency entirely.
The public API and runtime behavior of the pauseStream option are unchanged.
What changed:
pauseStream(req)) is the only other change
longer exists) to direct behavioral tests using EventEmitter; added a test that verifies stream events buffered during async
deserialization are correctly replayed to later-registered listeners
unauthenticated requests, login/session establishment, session restoration with and without pauseStream, and body data replay to
on('data') listeners placed after passport middleware
Known limitation (pre-existing, not introduced by this patch): pipe-based body parsers such as express.urlencoded read from the stream's
internal buffer rather than EventEmitter events, so they are unaffected by pauseStream. This was equally true of pause@0.0.1.
Checklist
$ make test) executes successfully.$ make lint) executes successfully. (13 jshint failures in sessionmanager.js, authenticationerror.js, andhttp/request.js are pre-existing and unrelated to this change. lib/strategies/session.js — the only file modified by this patch lints cleanly.)