Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The es5-shim package is a JavaScript library that provides compatibility shims so that legacy JavaScript engines behave as closely as possible to ECMAScript 5 (ES5). This is particularly useful for supporting older browsers that do not implement all ES5 features natively.
Array methods
Provides ES5 array methods like map, filter, and reduce which might not be available in older JavaScript engines.
[1, 2, 3].map(function(n) { return n + 1; })
Function.prototype.bind
Implements Function.prototype.bind, allowing functions to have their this value and initial arguments pre-set.
var boundFunc = function(a, b) { return a + b; }.bind(null, 1); boundFunc(2);
Object methods
Adds missing Object methods such as keys, which returns an array of a given object's own enumerable property names.
Object.keys({a: 1, b: 2})
String methods
Includes String.prototype methods like trim, which removes whitespace from both ends of a string.
'hello'.trim()
Date methods
Provides shims for Date methods like now, which returns the number of milliseconds elapsed since January 1, 1970 00:00:00 UTC.
Date.now()
A modular standard library for JavaScript, core-js includes polyfills for ECMAScript up to 2021. It covers more features than es5-shim, including promises, symbols, collections, iterators, typed arrays, and many other features of ECMAScript 2015 and beyond.
Part of Babel's suite, babel-polyfill includes a custom regenerator runtime and core-js. This package is more comprehensive than es5-shim as it supports new ES6 features and beyond, making it suitable for applications needing high compatibility with new ECMAScript standards.
es5-shim.js
and es5-shim.min.js
monkey-patch a JavaScript context to
contain all EcmaScript 5 methods that can be faithfully emulated with a
legacy JavaScript engine.
Note: As es5-shim.js
is designed to patch the native Javascript
engine, it should be the library that is loaded first.
es5-sham.js
and es5-sham.min.js
monkey-patch other ES5 methods as
closely as possible. For these methods, as closely as possible to ES5
is not very close. Many of these shams are intended only to allow code
to be written to ES5 without causing run-time errors in older engines.
In many cases, this means that these shams cause many ES5 methods to
silently fail. Decide carefully whether this is what you want.
Note: es5-sham.js
requires es5-shim.js
to be able to work properly.
The tests are written with the Jasmine BDD test framework.
To run the tests, navigate to /tests/ , or,
simply npm install
and npm test
.
arguments
and caller
properties.call
and
apply
to avoid executing as a constructor.:warning: Object.create
For the case of simply "begetting" an object that inherits prototypically from another, this should work fine across legacy engines.
:warning: The second argument is passed to Object.defineProperties which will probably fail either silently or with extreme prejudice.
:warning: Object.getPrototypeOf
This will return "undefined" in some cases. It uses __proto__
if
it's available. Failing that, it uses constructor.prototype, which
depends on the constructor property of the object's prototype having
not been replaced. If your object was created like this, it won't
work:
function Foo() {
}
Foo.prototype = {};
Because the prototype reassignment destroys the constructor property.
This will work for all objects that were created using
Object.create
implemented with this library.
:warning: Object.getOwnPropertyNames
This method uses Object.keys, so it will not be accurate on legacy engines.
Object.isSealed
Returns "false" in all legacy engines for all objects, which is conveniently guaranteed to be accurate.
Object.isFrozen
Returns "false" in all legacy engines for all objects, which is conveniently guaranteed to be accurate.
Object.isExtensible
Works like a charm, by trying very hard to extend the object then redacting the extension.
:warning: Object.getOwnPropertyDescriptor
The behavior of this shim does not conform to ES5. It should probably not be used at this time, until its behavior has been reviewed and been confirmed to be useful in legacy engines.
:warning: Object.defineProperty
In the worst of circumstances, IE 8 provides a version of this
method that only works on DOM objects. This sham will not be
installed. The given version of defineProperty
will throw an
exception if used on non-DOM objects.
In slightly better circumstances, this method will silently fail to set "writable", "enumerable", and "configurable" properties.
Providing a getter or setter with "get" or "set" on a descriptor will silently fail on engines that lack "defineGetter" and "defineSetter", which include all versions of IE.
:warning: Object.defineProperties
This uses the Object.defineProperty shim.
Object.seal
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
Object.freeze
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
Object.preventExtensions
Silently fails on all legacy engines. This should be fine unless you are depending on the safety and security provisions of this method, which you cannot possibly obtain in legacy engines.
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.6/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.6/es5-sham.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/json3/3.3.2/json3.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/es6-shim/0.34.2/es6-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/es6-shim/0.34.2/es6-sham.min.js"></script>
<script src="https://wzrd.in/standalone/es7-shim@latest"></script>
<script src="other-libs.js"></script>
FAQs
ECMAScript 5 compatibility shims for legacy JavaScript engines
The npm package es5-shim receives a total of 1,057,183 weekly downloads. As such, es5-shim popularity was classified as popular.
We found that es5-shim demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.