@agoric/lockdown - npm Package Compare versions

Comparing version 0.1.2-dev-d667e9f.0 to 0.1.2-dev-d8aa4d6.0

commit-debug.js

@@ -67,2 +67,14 @@ // commit-debug.js - debug version of commit.js
   // consoleTaming: 'unsafe',
+
+  // Domain taming causes lockdown to throw an error if the Node.js domain
+  // module has already been loaded, and causes loading the domain module
+  // to throw an error if it is pulled into the working set later.
+  // This is because domains may add domain properties to promises and other
+  // callbacks and that these domain objects provide a means to escape
+  // containment.
+  // However, our platform still depends on systems like standardthings/esm
+  // which ultimately pull in domains.
+  // For now, we are resigned to leave this hole open, knowing that all
+  // contract code will be run under XS to avoid this vulnerability.
+  domainTaming: 'unsafe',
 });

package.json

 {
   "name": "@agoric/lockdown",
-  "version": "0.1.2-dev-d667e9f.0+d667e9f",
+  "version": "0.1.2-dev-d8aa4d6.0+d8aa4d6",
   "description": "wrappers for locking down SES the Agoric way",
@@ -19,3 +19,3 @@ "type": "module",
   "dependencies": {
-    "ses": "^0.14.3"
+    "ses": "^0.15.3"
   },
@@ -56,3 +56,3 @@ "files": [
   },
-  "gitHead": "d667e9f83a9ada0a4ec0ddb39096e3f64cc57a5b"
+  "gitHead": "d8aa4d616caef9d1aada125fbf5fddff53b6d121"
 }

pre.js

@@ -79,5 +79,13 @@ // pre.js - set up the default lockdown function
     }
-    rawLockdown(options);
+    rawLockdown({
+      ...options,
+      // See comment on domainTaming below.
+      domainTaming: 'unsafe',
+    });
   } else if (defaultOptions) {
-    rawLockdown(defaultOptions);
+    rawLockdown({
+      ...defaultOptions,
+      // See comment on domainTaming below.
+      domainTaming: 'unsafe',
+    });
   } else {
@@ -142,2 +150,14 @@ rawLockdown({
       // consoleTaming: 'unsafe',
+
+      // Domain taming causes lockdown to throw an error if the Node.js domain
+      // module has already been loaded, and causes loading the domain module
+      // to throw an error if it is pulled into the working set later.
+      // This is because domains may add domain properties to promises and other
+      // callbacks and that these domain objects provide a means to escape
+      // containment.
+      // However, our platform still depends on systems like standardthings/esm
+      // which ultimately pull in domains.
+      // For now, we are resigned to leave this hole open, knowing that all
+      // contract code will be run under XS to avoid this vulnerability.
+      domainTaming: 'unsafe',
     });
@@ -144,0 +164,0 @@ }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Manifest confusion

Supply chain risk

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Manifest confusion

Supply chain risk

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

13420

increased by13.13%

Lines of code

246

increased by13.89%

Dependency changes

• + Addedses@0.15.24(transitive)

• - Removedses@0.14.5(transitive)

• Updatedses@^0.15.3