- Version: all
- Platform: all
- Subsystem: module
require() has the ability to "fall through" multiple directories while searching for files.
https://github.com/bmeck/node-require-fallthrough-example/blob/master/nested/index.js
Given a dir structure of:
root
\- node_modules/foo/package.json
\- node_modules/foo/root.js
\- child
\- node_modules/foo/package.json
\- node_modules/foo/child.js
\- dependent.js
dependent.js has a surprising behavior of
require.resolve('foo/child'); // root/child/node_modules/child.js
require.resolve('foo/root'); // root/node_modules/root.js
If any error in resolving the "main" of child occurs, the main of root is used.
EPERM on child also has fallthrough behavior.
This means that you can place directories in parent node_modules to intercept requests for resources within a package. This should be discussed WRT signing packages and if we can remove this behavior.
The main concern here is breakage vs falling through a potentially secure context into an unsigned context and vice versa.
require()has the ability to "fall through" multiple directories while searching for files.https://github.com/bmeck/node-require-fallthrough-example/blob/master/nested/index.js
Given a dir structure of:
dependent.jshas a surprising behavior ofIf any error in resolving the "main" of
childoccurs, the main ofrootis used.EPERM on
childalso has fallthrough behavior.This means that you can place directories in parent
node_modulesto intercept requests for resources within a package. This should be discussed WRT signing packages and if we can remove this behavior.The main concern here is breakage vs falling through a potentially secure context into an unsigned context and vice versa.