From 833c70cffc9f4baa126bbb5b41512bed8b0ba7e2 Mon Sep 17 00:00:00 2001 From: kumburovicbranko682-boop Date: Sat, 27 Jun 2026 19:05:46 +0800 Subject: [PATCH] refactor: collectstream callback invoked twice on error-prone streams MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The collectStream function registers separate listeners for 'error' and 'end' events that both call the same callback, with no guard preventing double invocation. While standard Node.js streams should not emit 'end' after 'error', this library processes arbitrary external streams (user-supplied), and non-standard stream implementations can violate this contract. If the callback is called twice (e.g., first with an error, then with data), downstream code may attempt to use a destroyed resource, call res.send() after headers are sent, or corrupt archive state — causing production crashes that are difficult to diagnose. Affected files: utils.js Signed-off-by: kumburovicbranko682-boop <295886834+kumburovicbranko682-boop@users.noreply.github.com> --- lib/utils.js | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/utils.js b/lib/utils.js index b8e7e180..36cca3f0 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -5,8 +5,13 @@ import { isStream } from "is-stream"; export function collectStream(source, callback) { var collection = []; var size = 0; + var done = false; - source.on("error", callback); + source.on("error", function (err) { + if (done) return; + done = true; + callback(err); + }); source.on("data", function (chunk) { collection.push(chunk); @@ -14,6 +19,9 @@ export function collectStream(source, callback) { }); source.on("end", function () { + if (done) return; + done = true; + var buf = Buffer.alloc(size); var offset = 0;