feat: add process.env.NODE_TLS_WARN_ON_UNAUTHORIZED to silence https warning

[martinmunillas]

I would like a way to silence that warning as I'm totally aware of all the security issues that this might bring but I'm doing it only to simplify the development.

I couldn't find where to add tests or add documentation so if anyone could tell me where it would be awesome.

I would appreciate any kind of feedback :D

[cjihrig]

You can use this instead - https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue

EDIT: Oops, that still warns in the first case. Can you use --no-warnings?

[martinmunillas]

You can use this instead - https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue

EDIT: Oops, that still warns in the first case. Can you use --no-warnings?

I would like to only silence that warning, any other warning might be useful, maybe there is another way to silence just some warnings, or proxy them or something?

[cjihrig]

There is an issue somewhere that talks about making --no-warnings filter certain types of warnings. I think that would be a better approach than special casing this one warning.

[martinmunillas]

There is an issue somewhere that talks about making --no-warnings filter certain types of warnings. I think that would be a better approach than special casing this one warning.

I agree, how can I help with that?

[Trott]

Welcome, @martinmunillas, and thanks for the pull request. I think this makes the default behavior insecure and undesirable, no? Regardless, this would also need a test, although I can understand waiting to see how folks react to the idea first.

[cjihrig]

I agree, how can I help with that?

It looks like this PR has stalled out. You could try to get it going again, or see if the author minds if you take it over.

[martinmunillas]

I agree, how can I help with that?

It looks like this PR has stalled out. You could try to get it going again, or see if the author minds if you take it over.

as it was for deprecated warnings i decided to solve it like this

const emitWarning = process.emitWarning;
process.emitWarning = (warning: string, ...values: any[]) => {
  if (warning.includes("NODE_TLS_REJECT_UNAUTHORIZED")) {
    return;
  }

  emitWarning(warning, ...values);
};

still I think there should be a way to handle this natively, what do you think?

[cjihrig]

as it was for deprecated warnings i decided to solve it like this

Check out some of the comments later in that thread. The idea would be to extend --no-warnings to support filtering by error code.

[tniessen]

I think disabling this particular warning is dangerous. The warning should never occur in production and it should only be emitted once per process during development.

As others have suggested, a more generic approach that doesn't focus on a security critical warning might be better.

[martinmunillas]

i will close this pr, thanks for the feedback