From d2c83610f6417ede12eb66f981c3e18fbd6f1443 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A1=D0=BA=D0=BE=D0=B2=D0=BE=D1=80=D0=BE=D0=B4=D0=B0=20?= =?UTF-8?q?=D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0=20=D0=90=D0=BD=D0=B4=D1=80?= =?UTF-8?q?=D0=B5=D0=B5=D0=B2=D0=B8=D1=87?=
Date: Thu, 22 Feb 2018 22:45:42 +0300
Subject: [PATCH] Fix deprecated Buffer constructor usage and add safeguards

This avoids using deprecated Buffer constructor API on newer Node.js versions. To achieve that, Buffer.from presence is checked, with validating that it's not the same method as Uint8Array.from. Also, additional checks were added for older Node.js versions to ensure that a number is never accidentally passed to the Buffer constructor. Throwing is in line with browser atob/btoa behavior, and in line with what Buffer.from does on numbers in newer Node.js versions. No actual security issues present in that code, the safeguard has been added preemptively to avoid accidential calls to atob/btoa(number) in the future.
Refs: https://nodejs.org/api/deprecations.html#deprecations_dep0005_buffer_constructor
---
 lib/minify.js | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/minify.js b/lib/minify.js
index a68cbf3a..8760be13 100644
--- a/lib/minify.js
+++ b/lib/minify.js
@@ -1,10 +1,24 @@
 "use strict";
 var to_ascii = typeof atob == "undefined" ? function(b64) {
- return new Buffer(b64, "base64").toString();
+ if (Buffer.from && Buffer.from !== Uint8Array.from) {
+ // Node >= 4.5.0
+ return Buffer.from(b64, "base64").toString();
+ } else {
+ // Node < 4.5.0, old API, manual safeguards
+ if (typeof b64 !== "string") throw new Errror("\"b64\" must be a string");
+ return new Buffer(b64, "base64").toString();
+ }
 } : atob;
 var to_base64 = typeof btoa == "undefined" ? function(str) {
- return new Buffer(str).toString("base64");
+ if (Buffer.from && Buffer.from !== Uint8Array.from) {
+ // Node >= 4.5.0
+ return Buffer.from(str, "ascii").toString("base64");
+ } else {
+ // Node < 4.5.0, old API, manual safeguards
+ if (typeof str !== "string") throw new Errror("\"str\" must be a string");
+ return new Buffer(str).toString("base64");
+ }
 } : btoa;
 function read_source_map(code) {
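Review bot: `Errror` (three r's) in both added old-API guards is an undefined identifier, so on Node < 4.5.0 a non-string argument raises a ReferenceError instead of the intended message; the lines should read `throw new Error("\"b64\" must be a string");` and `throw new Error("\"str\" must be a string");`. The guard still fails closed, because execution stops before `new Buffer(...)` is reached, but the typo hides the diagnostic, and the patch touches only lib/minify.js, so nothing in it exercises that branch. Separately, the new `to_base64` path passes `"ascii"` where the removed line relied on the constructor's default encoding and the old-API branch still does, so the two branches appear to encode non-ASCII input differently. Either drop the encoding argument or, if the change is intended, document it with a comment such as `// mirrors btoa: input is expected to be ASCII-only`.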