Node.js Buffer knows everything – your traffic, sources, keys and configs

And no, switching Buffer(number) to be zero-filled will bring more harm now, even from the security point of view. The best course of action imo is to deprecate Buffer(number) whatsoever and replace it with two separate methods. More info here: <a href="https:&#x2F;&#x2F;github.com&#x2F;nodejs&#x2F;node&#x2F;issues&#x2F;4660#issuecomment-171262864" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;nodejs&#x2F;node&#x2F;issues&#x2F;4660#issuecomment-1712...</a><p>I will make a separate post about that soon enough.

Sounds like a recipe for disaster. Why not just zero buffers on construction; if you can&#x27;t afford the performance penalty of memset then you could always manage a pool of pre-allocated Buffers in your super performant module, which would make it even more obvious to a casual reader.

This note does not have anything actually new, but I have seen several people who are not aware of that.

Every new Buffer should allocate new sandboxed memset, fulfilled with zeros.