feat(serializers): avoid implicit sanitization

[gerardolima]

When serializers are defined for HTTP Request or HTTP Response, do not run the correspondent stdSerializers before calling the provided serializer functions.

ISSUE #1991

[gerardolima]

If preferred, we can assess type from properties, as previously done in lib/tools.js:

  } else if (_obj.method && _obj.headers && _obj.socket) {
    obj = { [requestKey]: _obj }
  } else if (typeof _obj.setHeader === 'function') {
    obj = { [responseKey]: _obj }

[jsumners]

I think property presence will be better here. These could be extended objects, e.g. a FastifyRequest.

[gerardolima]

done

[gerardolima]

Behaviour of all stdSerializers follow the same pattern.

[gerardolima]

The key for request and response are now explicitly configurable. Previously, these had fixed values, set on pino-std-serializers (mapHttpRequest and mapHttpResponse).

[gerardolima]

maybe this change makes the exported functions mapHttpRequest and mapHttpResponse deprecated, in pino-std-serializers?

[mcollina]

can you please keep the previous test and only add a new one?

[gerardolima]

Original tests restored. Also fixed linter issues.

[gerardolima]

ok, I was running isolated tests and only now I noticed there were some assertions on the default serialisers; I am fixing them right now and soon the tests will be fixed; sorry for the silly mistake

[gerardolima]

hey, @mcollina, are these the changes you expected? is there something that needs improvement or still missing?

[mcollina]

lgtm

[jsumners]

The issue mentioned deprecating the current implementation and switching to the new one in the next major. I don't see this being implemented in this PR. Have I missed it?

[jsumners]

I think property presence will be better here. These could be extended objects, e.g. a FastifyRequest.

[gerardolima]

The issue mentioned deprecating the current implementation and switching to the new one in the next major. I don't see this being implemented in this PR. Have I missed it?

This changeset only modifies the following behviour: neither logged Request nor Response objects are not transformed by their corresponding stdSerializers unconditionally, at the start of LOG (lib/tools.js).

This change in behaviour is asserted in test/http.test.js, lines 86 and 240, with tests that create an arbitrary property that should be removed from them, if their standard serializers ran.

[jsumners]

This changeset only modifies the following behviour: neither logged Request nor Response objects are not transformed by their corresponding stdSerializers unconditionally, at the start of LOG (lib/tools.js).

This change in behaviour is asserted in test/http.test.js, lines 86 and 240, with tests that create an arbitrary property that should be removed from them, if their standard serializers ran.

This is a breaking change, correct?

[gerardolima]

This is a breaking change, correct?

Yes, this is correct. When custom serializers are provided and they depend on the changes made by the standard serializers on the target objects (ie: to sanitize them?), they will be impacted.

Though running standard serializers when custom serializers are given is not exaclty obvious behaviour -- and I think nor documented --, I understand there might be code in the wild that dependes on it (Hyrum's Law) and publishing this as breaking change should be the safest strategy.

[jsumners]

Yes, this is correct. When custom serializers are provided and they depend on the changes made by the standard serializers on the target objects (ie: to sanitize them?), they will be impacted.

Then we are missing the deprecation and opt-in for the current version.

[gerardolima]

Then we are missing the deprecation and opt-in for the current version.

I'm sorry, but I'm not familiar with the versioning process in Pino -- I've already checked CONTRIBUTING.md. Would it suffice updating major version in package.json? Could you, please help me?

[jsumners]

Either @mcollina or I will handle incrementing the version when we publish. What the original discussion called for, and what is missing here, is the deprecation of the current behavior so that people are alerted to the change in default behavior in the next major release. See the following examples:

pino/lib/tools.js

Lines 416 to 423 in ba31fc1

	if ('changeLevelName' in opts) {
	process.emitWarning(
	'The changeLevelName option is deprecated and will be removed in v7. Use levelKey instead.',
	{ code: 'changeLevelName_deprecation' }
	)
	opts.levelKey = opts.changeLevelName
	delete opts.changeLevelName
	}

pino/lib/tools.js

Lines 430 to 434 in ba31fc1

	if (prettyPrint) {
	warning.emit('PINODEP008')
	const prettyOpts = Object.assign({ messageKey }, prettyPrint)
	stream = getPrettyStream(prettyOpts, prettifier, stream, instance)
	}

We could introduce a PR that only adds the deprecation notice, issue a release with that, and then merge this one (with it removing the notice) and issue a new major. But we still haven't finished updating all of the org's maintained modules for v9. So I'm not sure we have much appetite for a new major so soon after v9 right now.

[gerardolima]

We could introduce a PR that only adds the deprecation notice, issue a release with that, and then merge this one (with it removing the notice) and issue a new major. But we still haven't finished updating all of the org's maintained modules for v9. So I'm not sure we have much appetite for a new major so soon after v9 right now.

hey, @jsumners, I'm sorry, but I still don't get it. No property has been deprecated nor renamed -- and I believe the explanation of the change in behaviour would be somewhat lengthy for a warning message. Also, I don't see any example of process.emitWarning nor warning. in the the actual codebase ... which should I use? which number should I use for PINODEPxxx?

[jsumners]

1. stdSerializers cannot be avoided for Request and Response #1991 (comment) suggested that the original functionality be deprecated. That means the current behavior does not change, but will generate a warning when the functionality is used.
2. This PR changes the published functionality, thus introducing a breaking change and necessitating a new major version to be published after it is merged.
3. We avoid needing to publish a new major version by deprecating the current functionality and providing an opt-in path to the functionality provided in this PR.
4. We utilize https://www.npmjs.com/package/process-warning to issue deprecation warnings. I provided links to historical code where we have issued deprecation warnings so that you can learn how to implement such a deprecation in this feature. A clearer example may be seen in 6c53815. The next available deprecation code is currently commented out in the deprecations source file (PINODEP010).

[gerardolima]

hey, @jsumners and @mcollina, I created the opts property future to allow consumers to chose these breaking changes as opt-in, and avoid bumping the major version right now. This increased the size of the changeset, but I think it was a sensible way for consumers of Pino to chose the between the new and old behaviour when creating the top-level Pino object. Maybe this feature should be subject of a PR of its own, to be merged before these changes in the serialization of requests/responses?

[gerardolima]

I noticed this library didn't have any nested test before. I think this makes it easier to identify and clean-up the tests that asserts the old behaviour when the new version will be released. If avoiding nested tests was intentional, these can be easily refactored.

[gerardolima]

I noticed Object.freeze is not used for default configuration. This can be easily refactored, if avoiding this feature is intentional.