Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
The es5-shim package is a JavaScript library that provides compatibility shims so that legacy JavaScript engines behave as closely as possible to ECMAScript 5 (ES5). This is particularly useful for supporting older browsers that do not implement all ES5 features natively.
Array methods
Provides ES5 array methods like map, filter, and reduce which might not be available in older JavaScript engines.
[1, 2, 3].map(function(n) { return n + 1; })
Function.prototype.bind
Implements Function.prototype.bind, allowing functions to have their this value and initial arguments pre-set.
var boundFunc = function(a, b) { return a + b; }.bind(null, 1); boundFunc(2);
Object methods
Adds missing Object methods such as keys, which returns an array of a given object's own enumerable property names.
Object.keys({a: 1, b: 2})
String methods
Includes String.prototype methods like trim, which removes whitespace from both ends of a string.
'hello'.trim()
Date methods
Provides shims for Date methods like now, which returns the number of milliseconds elapsed since January 1, 1970 00:00:00 UTC.
Date.now()
A modular standard library for JavaScript, core-js includes polyfills for ECMAScript up to 2021. It covers more features than es5-shim, including promises, symbols, collections, iterators, typed arrays, and many other features of ECMAScript 2015 and beyond.
Part of Babel's suite, babel-polyfill includes a custom regenerator runtime and core-js. This package is more comprehensive than es5-shim as it supports new ES6 features and beyond, making it suitable for applications needing high compatibility with new ECMAScript standards.
es5-shim.js
and es5-shim.min.js
monkey-patch a JavaScript context to
contain all EcmaScript 5 methods that can be faithfully emulated with a
legacy JavaScript engine.
es5-sham.js
and es5-sham.min.js
monkey-patch other ES5 methods as
closely as possible. For these methods, as closely as possible to ES5
is not very close. Many of these shams are intended only to allow code
to be written to ES5 without causing run-time errors in older engines.
In many cases, this means that these shams cause many ES5 methods to
silently fail. Decide carefully whether this is what you want.
The tests are written with the Jasmine BDD test framework. To run the tests, navigate to /tests/.
arguments
and caller
properties.call
and
apply
to avoid executing as a constructor.:warning: Object.create
For the case of simply "begetting" an object that inherits prototypically from another, this should work fine across legacy engines.
:warning: The second argument is passed to Object.defineProperties which will probably fail either silently or with extreme predudice.
:warning: Object.getPrototypeOf
This will return "undefined" in some cases. It uses __proto__
if
it's available. Failing that, it uses constructor.prototype, which
depends on the constructor property of the object's prototype having
not been replaced. If your object was created like this, it won't
work:
function Foo() {
}
Foo.prototype = {};
Because the prototype reassignment destroys the constructor property.
This will work for all objects that were created using
Object.create
implemented with this library.
:warning: Object.getOwnPropertyNames
This method uses Object.keys, so it will not be accurate on legacy engines.
Object.isSealed
Returns "false" in all legacy engines for all objects, which is conveniently guaranteed to be accurate.
Object.isFrozen
Returns "false" in all legacy engines for all objects, which is conveniently guaranteed to be accurate.
Object.isExtensible
Works like a charm, by trying very hard to extend the object then redacting the extension.
:warning: Object.getOwnPropertyDescriptor
The behavior of this shim does not conform to ES5. It should probably not be used at this time, until its behavior has been reviewed and been confirmed to be useful in legacy engines.
:warning: Object.defineProperty
In the worst of circumstances, IE 8 provides a version of this
method that only works on DOM objects. This sham will not be
installed. The given version of defineProperty
will throw an
exception if used on non-DOM objects.
In slightly better circumstances, this method will silently fail to set "writable", "enumerable", and "configurable" properties.
Providing a getter or setter with "get" or "set" on a descriptor will silently fail on engines that lack "defineGetter" and "defineSetter", which include all versions of IE.
:warning: Object.defineProperties
This uses the Object.defineProperty shim
Object.seal
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
Object.freeze
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
Object.preventExtensions
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
FAQs
ECMAScript 5 compatibility shims for legacy JavaScript engines
We found that es5-shim demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.