feat(pg-connection-string): warn if non-standard ssl options are used#3473
Conversation
Deploying node-postgres with
|
| Latest commit: |
6bdb0b7
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://f5d22a97.node-postgres.pages.dev |
| Branch Preview URL: | https://push-qkwyoukwlmvl.node-postgres.pages.dev |
charmander
left a comment
There was a problem hiding this comment.
Could warn this way for repeat callers: https://nodejs.org/api/process.html#avoiding-duplicate-warnings
In preparation for v3.0.0, we start warning users to be explicit about the sslmode they want.
TIL - implemented |
|
Has the change that drives this warning been discussed elsewhere? Usually I would be all for adopting the standard or upstream semantics — but I actually think this is an example where libpq gets it badly wrong and current node-postgres has historically done much better. libpq's The change here means that, if and when developers upgrade node-postgres to 9.0, connections that used to be secure will suddenly become insecure. I mean, hopefully they'll see the warning and do something about it ... but surely many will not. IMHO it would be much better to have users actively opt in to this downgrade in TLS protection. That would mean keeping the As I understand it, node-postgres historically treats every Is it proposed to match libpq here too, and throw an error if the user specifies |
In preparation for v3.0.0, we start warning users to be explicit about the sslmode they want.