The es5-shim package is a JavaScript library that provides compatibility shims so that legacy JavaScript engines behave as closely as possible to ECMAScript 5 (ES5). This is particularly useful for supporting older browsers that do not implement all ES5 features natively.
Array methods
Provides ES5 array methods like map, filter, and reduce which might not be available in older JavaScript engines.
[1, 2, 3].map(function(n) { return n + 1; })
Function.prototype.bind
Implements Function.prototype.bind, allowing functions to have their this value and initial arguments pre-set.
var boundFunc = function(a, b) { return a + b; }.bind(null, 1); boundFunc(2);
Object methods
Adds missing Object methods such as keys, which returns an array of a given object's own enumerable property names.
Object.keys({a: 1, b: 2})
String methods
Includes String.prototype methods like trim, which removes whitespace from both ends of a string.
'hello'.trim()
Date methods
Provides shims for Date methods like now, which returns the number of milliseconds elapsed since January 1, 1970 00:00:00 UTC.
Date.now()
A modular standard library for JavaScript, core-js includes polyfills for ECMAScript up to 2021. It covers more features than es5-shim, including promises, symbols, collections, iterators, typed arrays, and many other features of ECMAScript 2015 and beyond.
Part of Babel's suite, babel-polyfill includes a custom regenerator runtime and core-js. This package is more comprehensive than es5-shim as it supports new ES6 features and beyond, making it suitable for applications needing high compatibility with new ECMAScript standards.
es5-shim.js and es5-shim.min.js monkey-patch a JavaScript context to contain all EcmaScript 5 methods that can be faithfully emulated with a legacy JavaScript engine.
es5-sham.js and es5-sham.min.js monkey-patch other ES5 methods as closely as possible. For these methods, as closely as possible to ES5 is not very close. Many of these shams are intended only to allow code to be written to ES5 without causing run-time errors in older engines. In many cases, this means that these shams cause many ES5 methods to silently fail. Decide carefully whether this is what you want.
Note: es5-sham.js requires es5-shim.js to be able to work properly.
The tests are written with the Jasmine BDD test framework.
To run the tests, navigate to /tests/, or simply npm install and npm test.
arguments and caller properties.
call and apply to avoid executing as a constructor.
:warning: Object.create
For the case of simply "begetting" an object that inherits prototypically from another, this should work fine across legacy engines.
:warning: The second argument is passed to Object.defineProperties which will probably fail either silently or with extreme prejudice.
:warning: Object.getPrototypeOf
This will return "undefined" in some cases. It uses __proto__ if it's available. Failing that, it uses constructor.prototype, which depends on the constructor property of the object's prototype having not been replaced. If your object was created like this, it won't work:
function Foo() {
}
Foo.prototype = {};
That is because the prototype reassignment destroys the constructor property.
This will work for all objects that were created using Object.create implemented with this library.
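The fallback order described above, written out as an added sketch (not es5-sham's own code) so the failure can be observed on a modern engine. `fallbackGetPrototypeOf`, its `useProto` switch (which simulates an engine without __proto__) and the three constructors are hypothetical names.

```javascript
// Added sketch of the lookup order the text describes; not the library's code.
// `useProto` (hypothetical) simulates whether the engine exposes __proto__.
function fallbackGetPrototypeOf(object, useProto) {
  if (useProto) {
    var proto = object.__proto__;
    if (proto || proto === null) { return proto; }
  }
  // Fallback: trust whatever `constructor` resolves to on the object.
  if (typeof object.constructor === 'function') {
    return object.constructor.prototype;
  }
  return undefined;
}

function Intact() {}                 // default prototype keeps `constructor`

function Replaced() {}
Replaced.prototype = {};             // reassignment drops `constructor`

function Repaired() {}
Repaired.prototype = { constructor: Repaired };  // restored by hand

// True when the fallback reports the prototype the instance really has.
function reportsRealPrototype(Ctor, useProto) {
  var instance = new Ctor();
  return fallbackGetPrototypeOf(instance, useProto) === Ctor.prototype;
}

// What the fallback actually hands back for a Replaced instance:
// `constructor` is inherited from Object.prototype, so it resolves to Object.
function wrongAnswerForReplaced() {
  return fallbackGetPrototypeOf(new Replaced(), false);
}
```

Code that uses the result for a type or trust decision (for example comparing it with an expected prototype) gets Object.prototype for every `Replaced` instance on such an engine, so the comparison fails without any error being raised.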
:warning: Object.getOwnPropertyNames
This method uses Object.keys, so it will not be accurate on legacy engines.
Object.isSealed
Returns "false" in all legacy engines for all objects, which is conveniently guaranteed to be accurate.
Object.isFrozen
Returns "false" in all legacy engines for all objects, which is conveniently guaranteed to be accurate.
Object.isExtensible
Works like a charm, by trying very hard to extend the object then redacting the extension.
:warning: Object.getOwnPropertyDescriptor
The behavior of this shim does not conform to ES5. It should probably not be used at this time, until its behavior has been reviewed and been confirmed to be useful in legacy engines.
:warning: Object.defineProperty
In the worst of circumstances, IE 8 provides a version of this method that only works on DOM objects. This sham will not be installed. The given version of defineProperty will throw an exception if used on non-DOM objects.
In slightly better circumstances, this method will silently fail to set "writable", "enumerable", and "configurable" properties.
Providing a getter or setter with "get" or "set" on a descriptor will silently fail on engines that lack "__defineGetter__" and "__defineSetter__", which include all versions of IE.
:warning: Object.defineProperties
This uses the Object.defineProperty shim.
Object.seal
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
Object.freeze
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
Object.preventExtensions
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
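Because the three shams above return without error, code that relies on them for integrity needs a behavioural probe rather than a check that the method exists. The following is an added example, not part of es5-shim; `noopSham` is a constructed stand-in for a sham, and all function names are hypothetical.

```javascript
'use strict';
// Added example: probe whether an integrity method is actually enforced.
// `impl` is the function under test, e.g. Object.freeze as found at runtime.

function tryMutation(fn) {
  // Strict mode throws TypeError on a blocked write; sloppy mode ignores it.
  // Either way the caller re-checks the object's state afterwards.
  try { fn(); } catch (e) { if (!(e instanceof TypeError)) { throw e; } }
}

function enforcesFreeze(impl) {
  var o = { a: 1 };
  impl(o);
  tryMutation(function () { o.a = 2; });
  tryMutation(function () { o.b = 3; });
  tryMutation(function () { delete o.a; });
  return o.a === 1 && !('b' in o);
}

function enforcesSeal(impl) {
  var o = { a: 1 };
  impl(o);
  tryMutation(function () { o.b = 3; });
  tryMutation(function () { delete o.a; });
  return 'a' in o && !('b' in o);
}

function enforcesPreventExtensions(impl) {
  var o = {};
  impl(o);
  tryMutation(function () { o.b = 3; });
  return !('b' in o);
}

// Constructed stand-in for a sham: returns the object untouched.
function noopSham(o) { return o; }

// Run all three probes; refuse to rely on any method that reports false.
function integrityReport(freeze, seal, preventExtensions) {
  return {
    freeze: enforcesFreeze(freeze),
    seal: enforcesSeal(seal),
    preventExtensions: enforcesPreventExtensions(preventExtensions)
  };
}
```

Calling `integrityReport(Object.freeze, Object.seal, Object.preventExtensions)` once at startup lets an application fail closed when a sham is in place instead of assuming its configuration or policy objects are immutable.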
FAQs
ECMAScript 5 compatibility shims for legacy JavaScript engines
The npm package es5-shim receives a total of 668,406 weekly downloads. As such, es5-shim popularity was classified as popular.
We found that es5-shim demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.