refactor: use object spread to copy error headers #79
Conversation
| } | ||
|
|
||
| return headers | ||
| return { ...err.headers } |
There was a problem hiding this comment.
This is functionally different than the previous because this object does not have a null prototype. There are a few ways we could fix it, but I am not sure what would be best.
There was a problem hiding this comment.
I don't think we need the null prototype here because the only usage of the headers is to iterate over them and set them on the response. I think we don't even need to copy the headers we can iterate over them directly.
There was a problem hiding this comment.
The null prototype helps protect against some forms of mistakes consumers of the package can make which lead to security issues, so it is important to be vigilant on this type of change. BUT! Now that I have had a second to look at it, I think you are correct because in this case the method is not exported and we are only using the return value within this package. I think that protects from all the possible mistakes end users could make.
There was a problem hiding this comment.
Also, just be be sure, I went through the history of this a bit, links for reference:
I am guessing this was done out of an abundance of caution back then. I don't see a way this could become a security issue even in the original form. Maybe I am missing something, but I am again thinking this is safe to remove.
Refactored the
getErrorHeadersfunction to use object spread syntax to copy error headers, replacing the manual loop.