Description
The collectStream function registers separate listeners for 'error' and 'end' events that both call the same callback, with no guard preventing double invocation. While standard Node.js streams should not emit 'end' after 'error', this library processes arbitrary external streams (user-supplied), and non-standard stream implementations can violate this contract. If the callback is called twice (e.g., first with an error, then with data), downstream code may attempt to use a destroyed resource, call res.send() after headers are sent, or corrupt archive state — causing production crashes that are difficult to diagnose.
Severity: medium
File: lib/utils.js
Expected Behavior
The code should handle this case properly to avoid unexpected errors or degraded quality.
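The double invocation described above, next to one guarded form, as an added example that is not the library's own code: `collectStreamUnguarded` is reconstructed from the description only, and `collectStreamOnce`, `runWithMisbehavingSource` and the emitted chunks are hypothetical names and constructed inputs.

```javascript
const { EventEmitter } = require('node:events');

// Pattern from the report: 'error' and 'end' both reach the same callback.
function collectStreamUnguarded(source, callback) {
  const chunks = [];
  source.on('error', callback);
  source.on('data', (chunk) => chunks.push(chunk));
  source.on('end', () => callback(null, Buffer.concat(chunks)));
}

// Guarded form: the first terminal event wins, later ones are ignored.
function collectStreamOnce(source, callback) {
  const chunks = [];
  let settled = false;
  const onData = (chunk) => chunks.push(chunk);
  const finish = (err, buf) => {
    if (settled) return;
    settled = true;
    source.removeListener('data', onData);
    source.removeListener('end', onEnd);
    callback(err, buf);
  };
  const onEnd = () => finish(null, Buffer.concat(chunks));
  source.on('data', onData);
  source.on('end', onEnd);
  // Stays attached on purpose: a late 'error' with no listener would throw.
  source.on('error', (err) => finish(err));
}

// Constructed non-standard source: emits 'error', then still emits 'data' and 'end'.
function runWithMisbehavingSource(collect) {
  const source = new EventEmitter();
  const calls = [];
  collect(source, (err, buf) =>
    calls.push(err ? `error:${err.message}` : `data:${buf.toString()}`));
  source.emit('data', Buffer.from('part1'));
  source.emit('error', new Error('boom'));
  source.emit('data', Buffer.from('part2'));
  source.emit('end');
  return calls; // one entry per callback invocation
}

console.log('unguarded:', runWithMisbehavingSource(collectStreamUnguarded));
console.log('guarded:  ', runWithMisbehavingSource(collectStreamOnce));
```

The emitter events fire synchronously, so the returned array records exactly how many times the caller's callback ran for each variant.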