egg - npm Package Compare versions

Comparing version 3.33.0 to 3.33.1

lib/core/utils.js

@@ -10,2 +10,3 @@ 'use strict';
   safeParseURL,
+  createTransparentProxy,
 };
@@ -94,1 +95,116 @@
 }
+
+/**
+ * Create a Proxy that behaves like the real object, but remains transparent to
+ * monkeypatch libraries (e.g. defineProperty-based overrides).
+ *
+ * - Lazily creates the real object on first access.
+ * - Allows overriding properties on the proxy target (overlay) to take effect.
+ * - Delegates everything else to the real object.
+ *
+ * @param {Object} options
+ * @param {Function} options.createReal Create the real object (lazy)
+ * @param {boolean} [options.bindFunctions=true] Bind real methods to the real object
+ * @return {Proxy}
+ */
+function createTransparentProxy({ createReal, bindFunctions = true }) {
+  if (typeof createReal !== 'function') {
+    throw new TypeError('createReal must be a function');
+  }
+
+  let real = null;
+  let error = null;
+  let initialized = false;
+
+  const init = () => {
+    if (initialized) {
+      if (error) throw error;
+      return;
+    }
+    initialized = true;
+    try {
+      real = createReal();
+    } catch (err) {
+      error = err;
+      throw err;
+    }
+  };
+
+  return new Proxy({}, {
+    get(target, prop, receiver) {
+      init();
+      // Check if property is defined on proxy target (monkeypatch overlay)
+      if (Object.getOwnPropertyDescriptor(target, prop)) {
+        return Reflect.get(target, prop, receiver);
+      }
+      const value = real[prop];
+      if (bindFunctions && typeof value === 'function') {
+        return value.bind(real);
+      }
+      return value;
+    },
+
+    set(target, prop, value, receiver) {
+      init();
+      if (Object.getOwnPropertyDescriptor(target, prop)) {
+        return Reflect.set(target, prop, value, receiver);
+      }
+      return Reflect.set(real, prop, value);
+    },
+
+    has(target, prop) {
+      init();
+      return prop in target || prop in real;
+    },
+
+    ownKeys(target) {
+      init();
+      const keys = new Set([ ...Reflect.ownKeys(real), ...Reflect.ownKeys(target) ]);
+      return Array.from(keys);
+    },
+
+    getOwnPropertyDescriptor(target, prop) {
+      init();
+      return Object.getOwnPropertyDescriptor(target, prop)
+        || Object.getOwnPropertyDescriptor(real, prop);
+    },
+
+    deleteProperty(target, prop) {
+      init();
+      if (Object.getOwnPropertyDescriptor(target, prop)) {
+        return delete target[prop];
+      }
+      return delete real[prop];
+    },
+
+    getPrototypeOf() {
+      init();
+      return Object.getPrototypeOf(real);
+    },
+
+    setPrototypeOf(_target, proto) {
+      init();
+      return Reflect.setPrototypeOf(real, proto);
+    },
+
+    isExtensible() {
+      init();
+      return Reflect.isExtensible(real);
+    },
+
+    preventExtensions(target) {
+      init();
+      // Must also prevent extensions on target to satisfy Proxy invariants
+      const result = Reflect.preventExtensions(real);
+      if (result) {
+        Reflect.preventExtensions(target);
+      }
+      return result;
+    },
+
+    defineProperty(target, prop, descriptor) {
+      // Used by monkeypatch libs: keep overrides on proxy target (overlay layer).
+      return Reflect.defineProperty(target, prop, descriptor);
+    },
+  });
+}

lib/egg.js

@@ -319,36 +319,7 @@ const { performance } = require('perf_hooks');
     };
-    return new Proxy({}, {
-      get(_target, prop) {
+    return utils.createTransparentProxy({
+      createReal() {
         init();
-        const value = realClient[prop];
-        if (typeof value === 'function') {
-          return value.bind(realClient);
-        }
-        return value;
+        return realClient;
       },
-      set(_target, prop, value) {
-        init();
-        realClient[prop] = value;
-        return true;
-      },
-      has(_target, prop) {
-        init();
-        return prop in realClient;
-      },
-      ownKeys() {
-        init();
-        return Reflect.ownKeys(realClient);
-      },
-      getOwnPropertyDescriptor(_target, prop) {
-        init();
-        return Object.getOwnPropertyDescriptor(realClient, prop);
-      },
-      deleteProperty(_target, prop) {
-        init();
-        return delete realClient[prop];
-      },
-      getPrototypeOf() {
-        init();
-        return Object.getPrototypeOf(realClient);
-      },
     });
@@ -355,0 +326,0 @@ }

package.json

 {
   "name": "egg",
-  "version": "3.33.0",
+  "version": "3.33.1",
   "publishConfig": {
@@ -5,0 +5,0 @@ "tag": "release-3.x",

New alerts

Network access

Supply chain risk

This module accesses the network.

Found 3 instances in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 3 instances in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Fixed alerts

Network access

Supply chain risk

This module accesses the network.

Found 3 instances in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 3 instances in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

160941

1.48%

Lines of code

4532

1.64%

Worsened metrics

Number of low supply chain risk alerts

23

4.55%

No dependency changes