Skip to content

Conversation

@jwerre
Copy link
Contributor

@jwerre jwerre commented Oct 11, 2021

Replaced jshint with eslint as discussed in #27

@jwerre
Copy link
Contributor Author

jwerre commented Oct 11, 2021

I've add the following two lines to the lint config because I didn't want to mess with the code base too much.

      "no-control-regex": "off",
      "no-prototype-builtins": "off",

Ideally these are removed in the future.

Copy link
Member

@jankapunkt jankapunkt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added some detailed comments on things I haven't seen in detail before.
Also I'd like to know how you all think about moving away from var in favour of const and let?

.eslintrc Outdated
"error",
{
"vars": "all",
"args": "none",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think we should throw on unused args, at least the jshint did that before

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally don't think we should throw, it should be a warning.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I'd like to keep it this way. Though an arg may not be used it makes a function a bit more expressive when you can see what is available.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jwerre I thought this is thrown when an arg is defined but not used in the function body like so:

function dosomething (foo, bar) {
  console.log(foo) // bar is defined as arg but never used in the function
}

@HappyZombies
Copy link
Member

With eslint replacing jshint, it will close this PR #12

@jwerre
Copy link
Contributor Author

jwerre commented Oct 11, 2021

This "no-control-regex": "off" is the result of this line:

UNICODECHARNOCRLF: /^[\u0009|\u0020-\u007E|\u0080-\uD7FF|\uE000-\uFFFD|\u10000-\u10FFFF]+$/,

From what I can tell there are no tests for lib/validator/is.js at all. I'd like to remove the rule but we need to make some test for is.js first.

@jankapunkt
Copy link
Member

I will add the test and push it to this branch

@jankapunkt
Copy link
Member

jankapunkt commented Oct 12, 2021

I actually found a faulty usage of the RegExp 😱

the regex groupings use | as separater (logical or) but this should only be used in this way: (\u0009|\u0020) when used in this way [\u0009|\u0020] it actually accepts a | character. I am currently writing the tests in a way that we iterate all 1024 charcodes (generated), and for the UNICODECHARNOCRLF all supported ranges up to 1114111,so we can make sure these regex are working correct.

Fortunately I took a look at. Maybe we should report this to the original project back?

@jankapunkt
Copy link
Member

I updated the validator and it has now 100% coverage plus we test for all unicode charatcer ranges (valid and invalid ones) so there should be no false-positives or false-negatives sneak in anymore.

I wonder if this could be considered a security vulnerability? I mean it won't allow code injection (am I right?) but at least it would have allowed invalid characters and depending on where it's used could lead to issues.

@jankapunkt
Copy link
Member

jankapunkt commented Oct 12, 2021

I forgot to mention: the test now takes about 6 seconds 11 seconds, which is still not so good but I am not sure how otherwise test the full unicode ranges (including multiple chars) against the RegEx in shorter time...

I also mostly sticked to ES5 code style, although we could easily support ES6 without any issue (since we don't support these super old node versions, right!?) but I think it's better to have a later PR with update to ES6 or even do it when the time for Typescript comes.

@HappyZombies
Copy link
Member

Maybe we should report this to the original project back?

I mean we can, but as per usual, I guarantee nothing will be done about it.

It would be interesting what issues this Regex might raise if used incorrectly.

@HappyZombies HappyZombies added code quality 🧽 Relating to code quality dependencies 🔌 Pull requests that update a dependency file labels Oct 12, 2021
This was referenced Oct 12, 2021
@jwerre
Copy link
Contributor Author

jwerre commented Oct 12, 2021

@HappyZombies @jankapunkt I think were good to merge here.

@jankapunkt
Copy link
Member

From my end it's good I just wanted to @HappyZombies to take a look since I also worked on the code and hence am biased

Copy link
Member

@HappyZombies HappyZombies left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jwerre I left a comment stating that jshint should be npm uninstalled. Not sure if you missed it or I did this review incorrectly lol

@HappyZombies
Copy link
Member

Things look good but I want to do a more thorough review later today. Should have this merged by EOD though 👍

@HappyZombies
Copy link
Member

HappyZombies commented Oct 12, 2021

I am trying to run the linter but am getting the following error.

I am on Windows

Node -> v12.16.3

Error below.

PS node-oauth2-server> npm run pretest

> @node-oauth/[email protected] pretest /node-oauth2-server
> eslint lib test index.js


Oops! Something went wrong! :(

ESLint: 8.0.0

Error: Cannot find module '@eslint/eslintrc/universal'
Require stack:
- node-oauth2-server\node_modules\eslint\lib\linter\linter.js
- node-oauth2-server\node_modules\eslint\lib\linter\index.js
- node-oauth2-server\node_modules\eslint\lib\cli-engine\cli-engine.js
- node-oauth2-server\node_modules\eslint\lib\eslint\eslint.js
- node-oauth2-server\node_modules\eslint\lib\eslint\index.js
- node-oauth2-server\node_modules\eslint\lib\cli.js
- node-oauth2-server\node_modules\eslint\bin\eslint.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:957:15)
    at Function.Module._load (internal/modules/cjs/loader.js:840:27)
    at Module.require (internal/modules/cjs/loader.js:1019:19)
    at require (node-oauth2-server\node_modules\v8-compile-cache\v8-compile-cache.js:159:20)
    at Object.<anonymous> (node-oauth2-server\node_modules\eslint\lib\linter\linter.js:27:9)
    at Module._compile (node-oauth2-server\node_modules\v8-compile-cache\v8-compile-cache.js:192:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
    at Module.load (internal/modules/cjs/loader.js:977:32)
    at Function.Module._load (internal/modules/cjs/loader.js:877:14)
    at Module.require (internal/modules/cjs/loader.js:1019:19)

Is this a Node 12 issue maybe? I will try it again with Node 14

@jwerre any clue?

@jwerre
Copy link
Contributor Author

jwerre commented Oct 12, 2021

hmmm... can you try deleting your node_modules and reinstalling? Also try running ./node_modules/.bin/eslint lib test index.js

@HappyZombies
Copy link
Member

I did do that, but I will try to delete the entire NPM cache, now I wonder if this a windows issue with version 8 lol.

@jwerre
Copy link
Contributor Author

jwerre commented Oct 12, 2021

I did do that, but I will try to delete the entire NPM cache, now I wonder if this a windows issue with version 8 lol.

Ya, sounds like a windows thing... can you spin up a Docker container?

@HappyZombies
Copy link
Member

Yeah works within Docker...imma make an issue on the ESLint project. I tried searching but get unrelated jest stuff

@HappyZombies
Copy link
Member

Either way I am bit hesitant now to accept it due to there possibly being an issue with Windows -- but I guess that's a risk we can take.

@HappyZombies
Copy link
Member

Oh wait let me try this.

Per their docs

Prerequisites: Node.js (^12.22.0, ^14.17.0, or >=16.0.0) built with SSL support. (If you are using an official Node.js distribution, SSL is always built in.)

I am running on Node v12.16.3

I got sidetracked with the Docker stuff lol.

BUT per #34, this means that we need a very specific version of Node now ...and not Node 10 :/

@HappyZombies
Copy link
Member

Yay version upgrade works! Went on v14.18.1

Copy link
Member

@HappyZombies HappyZombies left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jwerre left a comment on why no-console is off. Really don't understand why this would need to be off. Could seriously disrupt people who use this, and should be highly discouraged.

This was referenced Oct 13, 2021
This was referenced Oct 13, 2021
@HappyZombies HappyZombies merged commit c0196f3 into development Oct 13, 2021
@oklas
Copy link
Contributor

oklas commented Oct 13, 2021

I actually found a faulty usage of the RegExp 😱

the regex groupings use | as separater (logical or) but this should only be used in this way: (\u0009|\u0020) when used in this way [\u0009|\u0020] it actually accepts a | character.

Maybe we should report this to the original project back?

Really good catch. Of course we should.

@jwerre jwerre deleted the lint branch November 21, 2021 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

code quality 🧽 Relating to code quality dependencies 🔌 Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants