nic-6443 commented on PR #13680:
URL: https://github.com/apache/apisix/pull/13680#issuecomment-4954977636

   Stepping back a bit: the root cause here is a pattern, not just 
lua-resty-session. lua-cjson options are per-instance, and `cjson.new()` 
doesn't inherit whatever we set on the singleton — it always starts from the 
compile-time defaults. `core/json.lua` only flips 
`decode_array_with_array_mt(true)` on the `cjson.safe` singleton, so every 
dependency that creates a private instance escapes it. In the current deps tree 
that's at least lua-resty-session, lua-resty-healthcheck, 
lua-resty-worker-events and lua-resty-aws, and the plain `require("cjson")` 
singleton is a separate config that doesn't have the option either.
   
   So instead of chasing each library one by one (fork, pin, re-audit every new 
dependency), we could fix this globally in `apisix/patch.lua`: set the option 
on both singletons and wrap `cjson.new` / `cjson.safe.new` so every instance 
created afterwards gets the same default. `init.lua` calls 
`require("apisix.patch").patch()` before any plugin or dependency is loaded, so 
the ordering is safe. And since this only changes the *default*, a library that 
explicitly calls `decode_array_with_array_mt(false)` on its own instance still 
wins.
   
   Quick check that the wrap works:
   
   ```lua
   local cjson_safe = require("cjson.safe")
   local orig_new = cjson_safe.new
   cjson_safe.new = function(...)
       local inst = orig_new(...)
       inst.decode_array_with_array_mt(true)
       return inst
   end
   
   -- later, inside a dependency:
   local dep = require("cjson.safe").new()
   dep.encode(dep.decode('{"items":[]}'))  --> {"items":[]}
   ```
   
   The trade-off is that it's a behavior change for all decoded arrays across 
every dependency (they now carry `cjson.array_mt`), so it deserves a full 
test-suite run rather than a targeted regression test. But it would let us drop 
the api7-lua-resty-session fork later, and the next dependency with a private 
cjson instance just works.
   
   The upstream fix (bungle/lua-resty-session#207) is still worth pursuing 
either way. What do you think? Happy to submit a PR for the patch.lua approach 
if this direction makes sense.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to