►
Description
A
A
Under
nodejs
/
node,
the
first
one
is
fixing
child
process
module
to
check
values,
pass
strictly
to
the
options,
object,
number
24
267,
and
we
did
have
a
bit
of
a
discussion
on
this
last
time.
What
we'd
agreed
was
to
invite
Loran,
I,
guess,
framed
the
discussion
and
answer
any
questions,
and
hopefully
everybody's
had
a
chance
to
look
at
it
in
the
meantime
as
well.
So
Lauren
do
you
want
to
just
give
it
a
give
us
a
bit
of
a
context?
And
what's
the
discussions
been
so
far,.
B
B
So
the
idea
is
that
basically
to
prototype
on
epilation
attack
could
be
possible
to
change
some
kind
of
logic
underlying
in
in
spawn
or
exact
or
something
else
that
child
process
is
exposing,
and
this
PR
is
basically
trying
to
kind
of
be
on
the
safe
side
with
how
it
treats
the
options.
Arguments
that
it
receives
and,
with
regard
so
I
think
that's
kind
of
summarizing.
B
It
says
it's
not
to
too
much
of
a
heavy
issue,
but
I
think
the
discussion
has
been
quite
good
in
terms
of
feedback
around
whether
we
want
to
do
this
in
this
particular
case.
Or
is
this
something
that
we're
going
to
revert
all
of
the
api's
which
I
think
it's
naturally
the
case?
For
that
we're
pretty
much
in
agreement
that
making
that
changes
to
be
I.
A
B
B
C
B
B
That
probably
is
kind
of
shooting
yourself
in
the
foot.
If
someone
would
go
and
do
that,
but
the
thing
is
that
that's
not
the
only
case,
because
we've
seen
other
models
that
I
think
Nikita
also
mentioned
that
that
had
that
were
susceptible
to
a
prototype,
manipulation
attack.
So,
generally
speaking,
you
could
have
a
chain
of
events
where
one
model
would
be,
and
maybe
parsing
some
kind
of
input
would
be
manipulated
into
changing.
B
You
know
the
options
object
to
shell
equals
true,
and
if
that
application
also
makes
use
of
you
know
a
child
process,
and
the
input
for
that
would
also,
you
know,
be
originated
from
user
inputs
and
it
doesn't
need
to
be
escaped
or
anything
because
someone
just
using
it
I
would
probably
not
run
the
show,
but
the
manipulation
that
happened
previously
through
a
different
chain
of
attack
would
affect
it.
So
I
think
a
chain
of
events
here
is
something
that
could
you
know
escalate.
B
B
Yeah,
but
that
that's
not
really
the
case
I'm,
saying
I'm,
saying
that
if
you
have
a
model
that
parses
some
kind
of
input-
and
you
know
serialize-
is
the
nun
cereal
and
that
model
specifically,
that
does
that
is
prone
to
the
error
of
the
prototype.
Manipulation,
then
that
that
would
be
an
entry
point
as
an
attack
vector
into
into
into
the
prototype
change.
D
D
B
A
E
Yeah
I
was
just
thinking.
My
only
thought
was
that,
having
like,
basically
requiring
that
only
only
owned
properties
be
accessed
is
not
necessary.
It's
like
an
arbitrary
restriction
because
the
you
know
the
prototype
chain.
It
does
not
begin
an
end
with
object.
Prototype
like
there's,
there's
a
you
know,
you
could
have
some
sort
of
object-oriented
system
which
produces
options
for
for
this,
for
this
call
right,
and
so
there
could
be
other
objects
on
the
prototype
chain.
E
Besides,
like
object,
dot
prototype,
you
know,
so
this
could
be
a
subclass,
and
you
know
the
options
could
be
assembled
by
various
independent
modules.
You
know-
and
so
you
have
like
this
polymorphism
going
on
and
and
then
in
the
end
it
results
in
an
options.
Object
like
you
know,
the
prototype
chain
could
be
any
length.
E
A
E
C
F
F
B
B
G
In
my
experience,
this
type
of
change
always
breaks
somebody
it's
like
it's.
This
is
my.
This
is
my
experience.
So
the
moment
you
change
something
like
this.
There
is
always
somebody
that
is
manipulating
yeah,
doing
something
with
the
prototype
and
having
something
moved
around
in
this
way
in
this
specific
way,
even
if
it's
not
safe,
even
it
is
problematic,
whatever
I
sorta
remember
made
me
doing
it
in
the
past.
So
in
the
example,
this
situation,
yeah,
yeah.
E
A
A
G
A
F
Yes,
I
wanted
to
say
that
that
would
change.
My
thing
is
also
that,
if
something
in
the
world,
my
friends
but
my
kind
expectation
is
that
not
probably
because
I
don't
think
that
too
much
things
on
in
the
Canadian
government,
then
well.
Mine
is
actually
using
shell
process
just
share
processed
all
the
cute
stuff,
nothing
that
there
are
too
many
libraries
to
do
that
so
much
passion
that
there
will
be
not
achievement
that
it
won't
change
the
parent
state.
A
A
A
A
I'm
good
okay.
So
unless
there's
objections
like
I'll
put
that
I'll
put
that
into
the
in
I'll
put
that
into
the
issue
and
people
can
still
you
know,
we
won't
close
close.
The
issue
will
comment
like
that
and
if
there's
continued
discussion
you
know
maybe
the
something
will
change,
but
otherwise
that
seems
to
be
the
way
the
direction
that
it's
going
Loran
thanks
for
taking
the
time
to
come
in
and
help
us
out
with
this.
B
A
H
H
A
A
Okay,
so
if
we
believe
it's,
it
just
needs
some
somewhere.
If
it
was
just
for
awareness,
we
could
leave
it
in
github
until
our
next
meeting
and
hopefully
gets
resolved
before
then
otherwise.
Ask
if
there's
a
specific
question.
Does
that
make
sense,
because
I
do
see,
the
conversation
is
still
going
on.
It's.
H
Not
going
on
very
actively
like
the
I
mean
it
doesn't
sound
unreasonable
to
to
vote
over
this
at
some
point,
but
I
yeah
room
didn't
for
the
next
was
explicit
question
anywhere.
Maybe
we
should
wait
for
that
and
until
then
it's
just
like
any
people.
Look
at
this
with
some
of
the
discussion.
Please
say
what
you
think:
okay.
A
F
E
I'm
just
trying
to
figure
out
if
any
of
these
are
in
in
like
frequently
used
code,
because
especially
the
the
the
ones
that
where
where
where
where
he
introduces
like
like
a
common
object,
which
he
then
spreads
out
into
the
various
ones
that
could
have
performance
impact
but
as
far
as
I
could
tell
all
the
places
were
just
like
where
the
where
things
were
getting
set
up.
So
it's
not
actually
like
in
a
tight
loop
or
anything,
but
I
could
be
mistaken
as
I'm,
not
that
familiar
with
the
code.
H
E
F
A
So
I
guess
I'd
say
like
you
know
that
that's
my
suggestion.
Does
anybody
object
to
you
know
we'll
put
a
comment
in
that
we
did
discuss
it.
There's
awareness,
you
know
we're
gonna.
Let
the
discussion
continue
there.
Unless
you
know
comes
back
to
the
TC
was
like
a
request
to
make
a
decision
one
way
or
the
other
or
or
some
other
specific
question.
A
F
E
H
H
H
J
Yeah
I
would
I
add
to
that
as
well.
Like
and
I,
don't
know
that
we
necessarily
need
to
vote
if,
as
the
TSC,
we
have
consensus
that
this
should
look.
This
should
land
right,
I,
don't
really
I,
don't
know
exactly
how
the
process
goes
there,
but
I
feel
like.
If
we
have
consensus
here,
we
don't
necessarily
need
to
vote
I,
don't
think
any
right.
A
H
J
And
I
think
the
intention
would
be
that
once
we
have
namespaces,
we
would
create
the
nodejs
namespace,
whatever
would
be
called
compression.
That
keeps
me
live
around
as
an
alias,
potentially
even
deprecating,
the
alias
within
the
namespace.
We
likely
have
to
keep
Z
Lib
itself
around
forever,
but
just
that
like,
we
would
have
a
path
forward
to
better
naming
as
well.
D
H
E
J
That
we
could
do
is
maybe
we
could
reach
consensus
on
a
timeline
rather
than
it
just
being
left
landed
today,
we're
close
to
the
end
of
the
year.
Perhaps
we
kind
of
raise
in
there
hey
if
consensus
and
the
issue
cannot
be
reached
by
like
the
beginning
of
the
new
year,
the
TSC
is
okay
with
it
landing
as
it
is,
and
then
perhaps
still
trying
to
find
a
way
to
reach
consensus.
J
You
know,
because
you
know
it's
going
to
be
demotivating
if
we
just
override
overall,
an
objection,
but
at
the
same
time,
if
the
core
of
that
objection
is
naming
and
that's
not
something
that
we're
looking
to
change,
we're
not
looking
to
make
a
new
module
out
of
this
I,
don't
think.
That's
like
people
object
to
that,
and
multiple
people
object
to
that.
Then
yeah
I
don't
really
know
how
we
don't
end
up
at
a
standstill
on
this
one.
D
J
A
A
J
Guess
we
just
don't
know
Brian's,
availability
and
schedule
and
if
they're
already
gone
for
the
holidays
and
come
back
to
find
that
we
gave
a
window
that
they
couldn't.
You
know
how
about?
Should
we
just
bring
Brian
into
a
future
meeting
and
have
them
have
a
chance
to
talk
with
us
about
it
before
we
override
their
objection?.
H
D
What
was
to
come
to
a
vote
today?
It
looks
like
the
just
being
an
analyst
from
the
TSE
and
so
Brian.
If
you
feel
that
there
is
a
you
feel
that
PSE
is
just
not
seeing
this
rival,
you
haven't
say
to
your
argument.
Well
then,
could
you
either
make
it
in
the
issues
of
the
week
or
or
come
to
a
meeting
and
talk
about
it
like
I?
Think
that's
fair,
maybe
yeah.
I
A
A
E
A
A
And
I
guess:
I'm,
looking
just
looking
at
what
else
is
on
the
agenda.
Well,
I
think
we're
gonna
need
to
skip
our
regular
tracking
ish
for
updates
and
strategic
initiatives
unless
there's
lankey
there
and
the
design
presentation,
I,
don't
know
who
was
gonna,
give
that
so
we
may
not
have
them
anyway.
So,
let's
dive
into
that
one
19:23.
A
A
A
A
So
at
least
that's
my
understanding
that
the
very
specific
reason
the
link
was
removed
is
it
somebody
said
hey.
This
is
collecting
email
addresses
and
sending
them
home.
People
said:
oh
yeah,
okay,
we'll
remove
it,
but
the
author's
made
the
case
that
well,
it's
not
doing
anything
that
any
other.
You
know
many
other
modules
by
large
organizations
do
as
well
and
maybe
other
ones
that
we
have
linked
to.
So
why
would
it
be
removed
based
on
that
basis,
right.
J
F
Yes,
I
want
to
say
this
is
actually
discussion
going
on
at
the
hub,
so
my
huge
probably
proposed
to
move
this
to
the
github
until
the
next
week.
I
can
nothing
happens
and
github.
Then
you
can
get
this
conversation
again,
but
I
think
that
we
probably
agree
with
that.
We
probably
should
know
this
for
a
week.
D
No,
but
I
am
interested
in
why
it
makes
this
issue
makes
it
here
and
what
we
can
do
to
improve
the
process
over
there,
so
that
the
TSE
isn't
making
decisions
about
that
kind
of
thing.
I
understand
why
the
seriousness
might
seems
worthy
of
it,
but
I
could
see
the
desk
lame.
Why
can't
I
put
my
link?
They
were
wise
mile.
It
might
easily
get
to
be
there.
H
D
Think
we
should
move
on
I,
don't
think
we
should
be
this
is
this.
Is
this
doesn't
raise
to
a
level
of
seriousness
that
we
should
be
spending
10,
15
minutes
and
I'm?
Sorry
to
the
author,
I
know:
you'd
love
to
have
your
stuff,
promoted
and
I
am
genuinely
sorry,
but
this
plenty
of
other
things
that
we
should
carry
out
more,
that
impact
the
ecosystem
working,
so
I
think
we
should
move
on.
E
D
J
A
Rods
point
is,
and
we
really
do
have
you
know
I
want
to
time
box
at
45
minutes
we're
at
that
point
for
this
meeting
so
I
think
the
suggestion
was,
you
know:
we've
delegated
the
website
to
the
website
working
group.
It
doesn't
seem
like
we're
at
the
point
where
the
TSC
should
be
overriding
their
decision,
so
we
should
be
letting
them
work
through
the
process
for
them
to
make
a
decision
and
and
and
maybe
it
can
be
escalated,
but
it's
perhaps
not
the
time
for
that.
Yet
is
that
right
rod
does
that
sort
of.