mirror of
https://github.com/go-gitea/gitea.git
synced 2026-03-09 21:10:00 -05:00
WeakRef usage (not always supported and not recommended) #14054
Closed
opened 2025-11-02 11:01:27 -06:00 by GiteaMirror · 29 comments
Reference: github-starred/gitea#14054
Originally created by @wolfbeast on GitHub (Jan 26, 2025).
Description
I noticed Gitea's web interface started using WeakRef (noticed when posting a reply to a PR review conversation).

Please note that UXP doesn't implement WeakRef and its usage is not recommended unless you explicitly want to give hints to the JS GC for the release of (overly large) memory. Even so there is no guarantee that a JS engine will honour those hints, as they have often very complex internal machinery to deal with garbage collection. Letting content interfere with this process is not desirable; UXP doesn't intend to implement this as a result (potential can of worms also for security considerations as it might open UAFs and the like).

Please consider removing WeakRef usage from Gitea's web interface. There should not be a reason for using it to begin with. Let the engine do its own housekeeping. There is currently the risk of JS scripting breaking if it runs into WeakRef being undefined errors.

Screenshots
I didn't think of capturing the error box
Gitea Version
1.23.1
Can you reproduce the bug on the Gitea demo site?
Yes
Operating System
Windows 10 22H2
Browser Version
Pale Moon 33.5.1
@wxiaoguang commented on GitHub (Jan 27, 2025):
grep -r WeakRef web_src shows that there is no WeakRef in Gitea's codebase. Could you elaborate where it is used?
@wxiaoguang commented on GitHub (Jan 27, 2025):
After searching the built assets, I found this, it is from github's text-expander https://github.com/github/text-expander-element, it uses https://github.com/iansan5653/dom-input-range/blob/main/src/input-style-clone-element.ts#L72
The related change is 180d221e04 (8 months ago), then text-expander started using input-style-clone which uses WeakRef. I think it's impossible to remove text-expander, it is heavily used to show markdown suggestions. Do you think it's possible to polyfill the WeakRef?
@wolfbeast commented on GitHub (Jan 27, 2025):
That use of WeakRef on an input doesn't even make much sense.
I'm not too familiar with writing polyfills so I don't know how easy or difficult it would be. It attaches a .deref() to the object passed into the constructor but doesn't interfere with it otherwise AFAIK.
You can polyfill this by simply using dummy functions for the API if you're married to that github module and can't make changes to it. As explained the spec is only providing hints for the garbage collector.
@wxiaoguang commented on GitHub (Jan 27, 2025):
Yep, but that's from a dependency's dependency.
I think you can add some polyfills to Pale Moon's engine, then all websites that use WeakRef could benefit. For example:
@wolfbeast commented on GitHub (Jan 27, 2025):
I absolutely understand there's a broader solution possible, but you can't plug a web-based polyfill into an application's javascript engine like that. (if only! that would simplify a lot of things with all these convenience/sugar functions that get added to ES)
I have an open issue for implementing a stub into the engine but it's not straightforward.
@wolfbeast commented on GitHub (Jan 27, 2025):
What would be the best way to report this to your dependency's dependency? because it really should not be used this way. Even the W3C TAG Design Principles group cautions strongly against them even existing and they should at most be used for extremely specific targeted situations and never make their way into generic dependencies or broadly-used libraries...
(see also https://repo.palemoon.org/MoonchildProductions/UXP/issues/1740 where this was analyzed when the question for implementation came up)
@TheFox0x7 commented on GitHub (Jan 27, 2025):
Probably raise an issue/PR there: https://github.com/iansan5653/dom-input-range
@wolfbeast commented on GitHub (Jan 27, 2025):
Will do. Thanks
@wolfbeast commented on GitHub (Feb 18, 2025):
Unfortunately there has been no response from the dom-input-range dev on the issue for 3 weeks. The dev doesn't seem to be active.
I would offer a PR but I do not work in nor know TS, and have no clue how to even test any changes I would be making :(
@wxiaoguang commented on GitHub (Feb 19, 2025):
Unfortunately, this is a common phenomenon in many open source projects .......... and that's why I think it could be polyfilled (https://github.com/go-gitea/gitea/issues/33407#issuecomment-2615551658) to tolerate the WeakRef usage for more sites ......
@GiteaBot commented on GitHub (Mar 21, 2025):
We close issues that need feedback from the author if there were no new comments for a month. 🍵
@wolfbeast commented on GitHub (Mar 21, 2025):
Thank you bot for not understanding that this was an open issue and the last post was a comment, not a question.
This remains an issue. Unfortunately I can't re-open this.
@wxiaoguang commented on GitHub (Mar 26, 2025):
TBH I don't want to disappoint you, but actually it is not Gitea's problem ..... If it is only Gitea's problem, we could polyfill it in Gitea's code base (We have done so: #28441, #26575, #23592, etc and IMO it's better to avoid polyfills because many of them are still incomplete)
However, many sites including GitHub also use WeakRef (that JS library is also used by GitHub), so if you don't introduce a general WeakRef polyfill in the browser engine, many sites are still broken.
@wolfbeast commented on GitHub (Mar 26, 2025):
I know it's a dependency of a dependency issue. But neither the dependency nor the dependency of the dependency repo maintainers are responding to any sort of attempted contact. If they would, it could be solved for anyone using that dom-range module. Ultimately that means it becomes a Gitea problem because you chose to rely on this (clearly unmaintained) dependency, which unnecessarily attempts to reach deep into the js machinery with WeakRef for no other reason than it "being a thing".
It's not like I didn't try to get the root issue fixed. I have.
I am well aware that it would be preferable to implement at least a stub WeakRef in the browser (which would be there just to satisfy use without fallback of WeakRef and not do anything otherwise) and that is on our to-do list but it is proving a lot more complicated than it should be because of the complexities of our inherited SpiderMonkey engine.
Of note also is that GitHub doesn't have this issue Gitea has (I have no trouble getting a proper pop-up on issue mention that works and is clickable, etc. which is broken because of WeakRef in Gitea) and Gitea has been the only web GUI so far I've encountered that breaks on it not being present. "many sites" is an overstatement.
@wxiaoguang commented on GitHub (Mar 26, 2025):
OK, maybe GitHub also polyfills.
Could you try whether this PR work?
-> Polyfill WeakRef #34025
@wolfbeast commented on GitHub (Mar 26, 2025):
I'd love to, but I'm neither familiar with your build process nor set up to do any golang testing. Is there a way I can slot this into a deployed Gitea instance to test?
@wxiaoguang commented on GitHub (Mar 26, 2025):
Hmm, I can test it locally (and have tested it locally) and then after it gets approved, there will be a nightly build.
@wolfbeast commented on GitHub (Mar 26, 2025):
OK let me know when you have a nightly build that I can drop into production to test, and I'll verify. Thanks!
@silverwind commented on GitHub (Mar 26, 2025):
According to https://github.com/jaenster/weakref-pollyfill/issues/1 WeakRef is not polyfillable, so while our pseudo-polyfill might work, it'll probably never act like the real thing, because JS does not expose the necessary garbage collector interfaces for it to be polyfillable.
@wxiaoguang commented on GitHub (Mar 26, 2025):
It won't be a problem, in our case, no memory management requirement, and actually the package using WeakRef seems abusing it (according to the discussions above).
@wolfbeast commented on GitHub (Mar 26, 2025):
The front-end most definitely is, and that is all that matters. You shouldn't expect a polyfill to take over what is handled by GC internals, but that is the whole point of why it shouldn't actually be a thing to begin with. JS engines will always know much better when and how to collect garbage than any cross-browser, web-based content would. WeakRef makes no guarantees, and there are critical notes from everyone involved it shouldn't be relied on for memory management. It only provides hints that a script "would like something to be GCed", but whether it, in fact, is, depends entirely on the state of the JS engine internals. It may happen later or not at all. Providing a stub is therefore just fine.
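The "dummy functions for the API" approach wolfbeast describes, and the caveat silverwind raises that such a stub can never behave like a real WeakRef, as an added example. This is not Gitea's code and not the #34025 pseudo-polyfill; the names `WeakRefStub`, `installWeakRefStub` and `exerciseLibraryPattern` are this example's own. It guards installation behind feature detection so engines with a native WeakRef are never shadowed, enforces the spec's object-only target rule so that misuse fails the same way on both, and documents the one real difference: the stub holds a strong reference, so nothing it refers to is ever released early.

```javascript
'use strict';
// Added example, not Gitea's code and not the #34025 pseudo-polyfill: a minimal
// WeakRef stub of the "dummy functions for the API" kind discussed above.
// It is NOT a real weak reference. The stub holds a strong reference, so
// deref() never returns undefined and the target stays alive as long as the
// stub does. That is acceptable only when the library calling WeakRef needs
// the API shape, not the memory semantics, as this thread argues for
// dom-input-range.

function canBeHeldWeakly(value) {
  // The spec requires an object (functions included); primitives throw a
  // TypeError. Non-registered symbols are also allowed since ES2023, but this
  // stub keeps the object-only rule for brevity (an assumption of the example).
  return (typeof value === 'object' && value !== null) || typeof value === 'function';
}

class WeakRefStub {
  #target; // strong reference: the one place this differs from a real WeakRef

  constructor(target) {
    if (!canBeHeldWeakly(target)) {
      throw new TypeError('WeakRef: target must be an object');
    }
    this.#target = target;
  }

  deref() {
    return this.#target;
  }

  get [Symbol.toStringTag]() {
    return 'WeakRef';
  }
}

// Install the stub only on hosts that lack WeakRef. Engines with a native
// implementation keep it: a strong-reference stub must never shadow the real
// thing, since the real one can actually let its target be collected.
function installWeakRefStub(host) {
  if (typeof host.WeakRef === 'function') {
    return false;
  }
  Object.defineProperty(host, 'WeakRef', {
    value: WeakRefStub,
    writable: true,
    configurable: true,
    enumerable: false,
  });
  return true;
}

// Mirrors the calling pattern of the library in question: hold a reference to
// an element and read it back later. The element is a constructed plain object
// so this runs without a DOM.
function exerciseLibraryPattern(host) {
  const element = { tagName: 'TEXTAREA', value: 'hello' };
  const ref = new host.WeakRef(element);
  return ref.deref() === element;
}

function demo() {
  const engineWithoutWeakRef = {}; // stands in for a globalThis lacking WeakRef
  return {
    installed: installWeakRefStub(engineWithoutWeakRef),               // true
    installedAgain: installWeakRefStub(engineWithoutWeakRef),          // false
    libraryPatternWorks: exerciseLibraryPattern(engineWithoutWeakRef), // true
    nativeEngineUntouched: installWeakRefStub(globalThis) === false,
  };
}

console.log(demo());
```

In a page bundle the `installWeakRefStub(globalThis)` call has to run before any bundled library code is evaluated, otherwise the library's first `new WeakRef(...)` still throws "WeakRef is not defined". Because the stub pins its target, memory held through it is only freed when the stub itself becomes unreachable; that is exactly the "hint that may never be honoured" semantics described above, so a library that relies on `deref()` eventually returning `undefined` would still misbehave on this stub.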
@wxiaoguang commented on GitHub (Mar 27, 2025):
1.2 nightly is ready
@wolfbeast commented on GitHub (Apr 3, 2025):
Sorry for the delay in answering - I can confirm the nightly build solves the issue and that the polyfill works as it should.
@wxiaoguang commented on GitHub (Apr 3, 2025):
Glad to help.
ps: I can't access repo.palemoon.org, it always redirects to https://repo.palemoon.org/assets/geoblock.html
I guess this PR might help you: Add a config option to block "expensive" pages for anonymous users #34024 (background: #33966): when set REQUIRE_SIGNIN_VIEW=expensive, many pages will require sign-in to block AI crawlers.
@wolfbeast commented on GitHub (Apr 3, 2025):
Yeah I was forced to blanket geoblock certain regions because of IP-spread hammering of our repo with crawling requests going through all tag combinations (requesting the same pages over and over and over...) causing 1500% CPU load which our host wasn't happy about ;P
I'll try the option and see how that goes. Thanks for the tip!
@wolfbeast commented on GitHub (Apr 3, 2025):
Unfortunately this won't work for us. Requiring an account+signin to even view commits just isn't good practice for FOSS.
Also, seems you should really add "/compare" to it; they are some of the most expensive calls in gitea.
@wxiaoguang commented on GitHub (Apr 4, 2025):
Then would something like Proof-of-Work work? For example: redirect anonymous users to a JS page, calculate something on user side and let server check.
@silverwind commented on GitHub (Apr 4, 2025):
All public gitea instances deal with such problems. We already implement captcha for sign ups, maybe it's time to go further and add an option to require captcha for anonymous viewing.
Only downside is that that would likely also catch potential legitimate traffic like search crawlers.
@wolfbeast commented on GitHub (Apr 4, 2025):
Interesting to brainstorm about, probably good to open a new issue for.