Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deno support #18

Open
oscarotero opened this issue Jan 12, 2023 · 7 comments
Open

Deno support #18

oscarotero opened this issue Jan 12, 2023 · 7 comments

Comments

@oscarotero
Copy link

Hi.
Some packages, like tailwindcss use detective as a dependency. And detective depends on acorn-node, a library that doesn't work on Deno because it uses the highly discouraged __proto__ object property. I've created a version of acorn-node replacing the __proto__ deprecated feature with Object.getPrototypeOf() and Object.setPrototypeOf(): https://www.npmjs.com/package/@lumeland/acorn-node

I suggest to update acorn-node so it would work fine in Deno environment.

FYI, I've created also a detective and tailwind temporary packages that will be deprecated if you update this package.

Thanks!
@ljharb
Copy link
Member

ljharb commented Jan 12, 2023

Why would acorn-node need changes to work with "not node"?

Either way, I don't see any usage of dunder proto in this repo: https://github.com/search?q=repo%3Abrowserify%2Facorn-node%20__proto__&type=code

@goto-bus-stop
Copy link
Member

the setprototypeof dependency may use __proto__, but only if Object.setPrototypeOf is not available. this package also includes transpiled versions of some acorn plugins (though they are probably not required anymore with the latest acorn versions) but they should also use Object.setPrototypeOf if it's available.

deno support is not a priority for this package but if we can do it easily by relying on more-standard features then that would be good :) just dont take it as a commitment to continued support.

@goto-bus-stop
Copy link
Member

Actually maybe this is coming up because detective is using acorn-node v1, which was using a different transpiler. So the actual problem is browserify/detective#88

@oscarotero
Copy link
Author

Hey @goto-bus-stop, thanks for your reply

just dont take it as a commitment to continued support.

Don't worry, I wont :) It's responsibility of Deno team to provide support for NPM packages, not the ther way around. But this is a case that not only benefits to Deno users but also Node users, since the use of __proto__ property has some security issues.

Actually maybe this is coming up because detective is using acorn-node v1, which was using a different transpiler. So the actual problem is browserify/detective#88

Okay, great. I didn't realize that there's a v2 for acorn-node. Looking forward to see it merged.

@ljharb
Copy link
Member

ljharb commented Jan 13, 2023

It only has security issues if you're assigning object keys dynamically from untrusted input, which is not the case here.

@oscarotero
Copy link
Author

@goto-bus-stop I just checked the version 2 of acorn-node and got the same error. The files in the lib folder (generated on npm run build continue using __proto__ properties. Here's an example:

imaxe

@kt3k
Copy link

kt3k commented Nov 26, 2023

like tailwindcss use detective as a dependency. And detective depends on acorn-node

FYI tailwind dropped detective dependency in v3.3.0 ( tailwindlabs/tailwindcss@7e9a53f )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ljharb @oscarotero @kt3k @goto-bus-stop