Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use hardcoded value for PropType secret #7194

Merged
merged 1 commit into from
Jul 5, 2016

Conversation

aweary
Copy link
Contributor

@aweary aweary commented Jul 5, 2016

Addresses @spicyj's concern #7132 (comment)

cc @gaearon

@gaearon
Copy link
Collaborator

gaearon commented Jul 5, 2016

If I were third party lib author I wouldn’t feel guilty about passing a string like this.
I’m serious: let’s call it SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED.

@sophiebits
Copy link
Collaborator

'I_PROMISE_I_WILL_ONLY_CALL_THESE_PROPTYPES_CHECKERS_IN_DEV_MODE'.

@sophiebits
Copy link
Collaborator

Whichever.

@maxdeviant
Copy link
Contributor

There are already firing warnings elsewhere in the code, and I think it would make for a good running joke in the codebase 😄

@aweary
Copy link
Contributor Author

aweary commented Jul 5, 2016

If I were third party lib author I wouldn’t feel guilty about passing a string like this.
I’m serious: let’s call it SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED.

I went with this one, for consistency 😉

@gaearon gaearon added this to the 15-next milestone Jul 5, 2016
@gaearon gaearon merged commit 2c93a41 into facebook:master Jul 5, 2016
@aweary aweary deleted the hardcode-proptype-secret branch July 5, 2016 23:23
@zpao
Copy link
Member

zpao commented Jul 8, 2016

→ semver-minor since it depends on another semver-minor (good edge case testing for my tool, but going to be hard to make work well when trying to do patch-only releases)

usmanajmal pushed a commit to usmanajmal/react that referenced this pull request Jul 11, 2016
@zpao zpao modified the milestones: 15-next, 15.3.0 Jul 13, 2016
zpao pushed a commit that referenced this pull request Jul 13, 2016
Rename secret!
(cherry picked from commit 2c93a41)
@ljharb
Copy link
Contributor

ljharb commented Jul 29, 2016

Our tests fail on console warnings, so sadly this causes a semver-minor React update to break things :-/ Also, https://facebook.github.io/react/warnings/dont-call-proptypes.html 404s so I'm not even sure why it's a problem.

@gaearon
Copy link
Collaborator

gaearon commented Jul 29, 2016

Our tests fail on console warnings

This puts us in a very difficult position because this effectively means we can’t introduce new deprecations without doing a major release. Unfortunately this would slow down our development way too much, and for the benefit of the community we can’t do it this way. When we introduced our new versioning strategy with 15.0.0, we clearly said that we ship deprecation warnings in minor releases. This does not technically contradict semver.

The decision to fail tests on console warnings is yours. I can see why this is reasonable, but in this case you’ll want to use ~ instead of ^ since you intentionally want to be more conservative about the updates.

Also, https://facebook.github.io/react/warnings/dont-call-proptypes.html 404s so I'm not even sure why.

That’s bad, probably CI is stuck. I’ll look into why this happened, thanks for flagging.

@ljharb
Copy link
Contributor

ljharb commented Jul 29, 2016

@gaearon Understood. However, our tests aren't run in production mode nor run with a production build of react, so I'm not sure why they'd be issuing warnings, since the point of the original issue was to deprecate calling them directly in production. We're still looking into it, and I'll update when I have more info.

@gaearon
Copy link
Collaborator

gaearon commented Jul 29, 2016

However, our tests aren't run in production mode nor run with a production build of react, so I'm not sure why they'd be issuing warnings, since the point of the original issue was to deprecate calling them directly in production.

Many people won’t notice warnings that happen only in production builds. Our intention is to deprecate the pattern of calling them directly per se because we want to treat them more as metadata. So we want the libraries that use PropTypes e.g. for API validation to use some fork (or a better system like tcomb) instead. Making them noops in production is a part of that, but the bigger issue is we want people to stop calling them manually at all.

@ljharb
Copy link
Contributor

ljharb commented Jul 29, 2016

We use them to build custom propType validators on top of them - that are also stripped in production. What should we use instead if we want identical behavior as React's native PropTypes?

@gaearon
Copy link
Collaborator

gaearon commented Jul 29, 2016

We use them to build custom propType validators on top of them - that are also stripped in production.

This is still supported.

Please see: https://facebook.github.io/react/warnings/dont-call-proptypes.html#fixing-the-false-positive-in-third-party-proptypes

(The link is up now.)

@ljharb
Copy link
Contributor

ljharb commented Jul 29, 2016

Thanks, that will likely resolve our problem :-)

@eugenebauling
Copy link

I know this is a long standing hard coded value, but is there a way we can change the value to exclude the word "Secret"? Our security scans are picking this up as a hard coded password/secret due to the value and naming. Unfortunately we cannot change the config of the security scans or flag this as a false positive as the config of the security scanning software is defined by the client.

@ljharb
Copy link
Contributor

ljharb commented Aug 14, 2020

The client should change their config to not pick up false positives, or the software shouldn't be scanning third-party code for secrets ¯\_(ツ)_/¯

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants