isolated-vm
Advanced tools
isolated-vm - npm Package Compare versions
Comparing version 4.5.0 to 4.6.0
@@ -35,3 +35,3 @@ 'use strict'; | ||
| try { | ||
| channel.dispatchProtocolMessage(message); | ||
| channel.dispatchProtocolMessage(String(message)); | ||
| } catch (err) { | ||
@@ -38,0 +38,0 @@ // This happens if inspector session was closed unexpectedly |
@@ -1,2 +0,2 @@ | ||
| declare module "isolated-vm" { | ||
| declare namespace IsolatedVM { | ||
| export type Transferable = | ||
@@ -18,3 +18,3 @@ | null | ||
| | ((...args: any[]) => any) | ||
| | typeof import("isolated-vm"); | ||
| | typeof IsolatedVM; | ||
@@ -821,1 +821,2 @@ /** | ||
| } | ||
| export = IsolatedVM; |
| { | ||
| "name": "isolated-vm", | ||
| "version": "4.5.0", | ||
| "version": "4.6.0", | ||
| "description": "Access to multiple isolates", | ||
@@ -8,13 +8,25 @@ "main": "isolated-vm.js", | ||
| "engines": { | ||
| "node": ">=10.4.0" | ||
| "node": ">=16.0.0" | ||
| }, | ||
| "scripts": { | ||
| "install": "node-gyp rebuild --release -j 4", | ||
| "postinstall": "node-gyp clean", | ||
| "install": "prebuild-install || (node-gyp rebuild --release -j 4 && node-gyp clean)", | ||
| "rebuild": "node-gyp rebuild --release -j 4", | ||
| "prebuild": "prebuild", | ||
| "upload": "prebuild --upload ${GITHUB_TOKEN}", | ||
| "lint": "find src -name '*.cc' | xargs -n1 clang-tidy", | ||
| "test": "node test.js || nodejs test.js" | ||
| "test": "node test.js" | ||
| }, | ||
| "dependencies": { | ||
| "prebuild-install": "^7.1.1" | ||
| }, | ||
| "devDependencies": { | ||
| "isolated-vm": "." | ||
| "isolated-vm": ".", | ||
| "prebuild": "^11.0.4" | ||
| }, | ||
| "overrides": { | ||
| "node-gyp": "^9.4.0" | ||
| }, | ||
| "binary": { | ||
| "module_path": "out" | ||
| }, | ||
| "repository": { | ||
@@ -21,0 +33,0 @@ "type": "git", |
| [](https://www.npmjs.com/package/isolated-vm) | ||
| [](https://github.com/laverdet/isolated-vm/blob/main/LICENSE) | ||
| [](https://app.travis-ci.com/github/laverdet/isolated-vm) | ||
| [](https://github.com/laverdet/isolated-vm/actions/workflows/build.yml) | ||
| [](https://www.npmjs.com/package/isolated-vm) | ||
@@ -16,2 +16,28 @@ | ||
| PROJECT STATUS | ||
| -------------- | ||
| `isolated-vm` is currently in *maintenance mode*. New features are not actively being added but | ||
| existing features and new versions of nodejs are supported as possible. There are some major | ||
| architectural changes which need to be added to improve the stability and security of the project. I | ||
| don't have as much spare time as I did when I started this project, so there is not currently any | ||
| plan for these improvements. | ||
| #### Wishlist | ||
| 1) Multi-process architecture. v8 is *not* resilient to out of memory conditions and is unable to | ||
| gracefully unwind from these errors. Therefore it is possible, and even common, to crash a process | ||
| with poorly-written or hostile software. I implemented a band-aid for this with the | ||
| `onCatastrophicError` callback which quarantines a corrupted isolate, but it is not reliable. | ||
| 2) Bundled v8 version. nodejs uses a patched version of v8 which makes development of this module | ||
| more difficult than it needs to be. For some reason they're also allowed to change the v8 ABI in | ||
| semver minor releases as well, which causes issues for users while upgrading nodejs. Also, some | ||
| Linux distributions strip "internal" symbols from their nodejs binaries which makes usage of this | ||
| module impossible. I think the way to go is to compile and link against our own version of v8. | ||
| CONTENTS | ||
| -------- | ||
| * [Requirements](#requirements) | ||
@@ -35,4 +61,6 @@ * [Who Is Using isolated-vm](#who-is-using-isolated-vm) | ||
| This project requires nodejs version 10.4.0 (or later). | ||
| This project requires nodejs version 16.x (or later). | ||
| 🚨 If you are using a version of nodejs 20.x or later, you must pass `--no-node-snapshot` to `node`. | ||
| Furthermore, to install this module you will need a compiler installed. If you run into errors while | ||
@@ -44,3 +72,3 @@ running `npm install isolated-vm` it is likely you don't have a compiler set up, or your compiler is | ||
| * Ubuntu users should run: `sudo apt-get install python g++ build-essential` | ||
| * Alpine users should run: `sudo apk add python make g++` | ||
| * Alpine users should run: `sudo apk add python3 make g++` | ||
| * Amazon Linux AMI users should run: `sudo yum install gcc72 gcc72-c++` | ||
@@ -157,3 +185,3 @@ * Arch Linux users should run: `sudo pacman -S make gcc python` | ||
| before their script is terminated. Against non-hostile code this limit should be pretty close. The | ||
| default is 128MB and the mimium is 8MB. | ||
| default is 128MB and the minimum is 8MB. | ||
| * `inspector` *[boolean]* - Enable v8 inspector support in this isolate. See | ||
@@ -175,5 +203,4 @@ `inspector-example.js` in this repository for an example of how to use this. | ||
| Isolate snapshots are a very useful feature if you intend to create several isolates running common | ||
| libraries between them. A snapshot serializes the entire v8 heap including parsed code, global | ||
| variables, and compiled code. Check out the examples section for tips on using this. | ||
| 🚨 You should not use this feature. It was never all that stable to begin with and has grown | ||
| increasingly unstable due to changes in v8. | ||
@@ -186,4 +213,2 @@ **Note**: `createSnapshot` does not provide the same isolate protection like the rest of | ||
| **Please note that versions of nodejs 10.4.0 - 10.9.0 may crash while using the snapshot feature. | ||
| ##### `isolate.compileScript(code)` *[Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)* | ||
@@ -728,4 +753,4 @@ ##### `isolate.compileScriptSync(code)` | ||
| | [worker_threads](https://nodejs.org/api/worker_threads.html) | | | ✅ | ✅ | ✅ | ✅ | | ||
| | [vm2](https://github.com/patriksimek/vm2) | ✅ | | | | ✅ | ✅ | | ||
| | [vm2](https://github.com/patriksimek/vm2) | | | | | ✅ | ✅ | | ||
| | [tiny-worker](https://github.com/avoidwork/tiny-worker) | | | ✅ | | ✅ | | | ||
| | isolated-vm | ✅ | ✅ | ✅ | ✅ | | ✅ | |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Fixed alerts
Shell access
Supply chain riskThis module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Debug access
Supply chain riskUses debug, reflection and dynamic code execution features.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 2 instances in 1 package
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Improved metrics
- Number of lines in readme file
- increased by3.45%
750
- Number of low supply chain risk alerts
- decreased by-100%
0
- Number of medium supply chain risk alerts
- decreased by-25%
3
Worsened metrics
- Total package byte prevSize
- decreased by-12.77%
499448
- Dependency count
- increased byInfinity%
1
- Dev dependency count
- increased by100%
2
- Number of package files
- decreased by-43.68%
98
- Lines of code
- decreased by-74.25%
804
Dependency changes
+ Addedprebuild-install@^7.1.1
+ Addedbase64-js@1.5.1(transitive)
+ Addedbl@4.1.0(transitive)
+ Addedbuffer@5.7.1(transitive)
+ Addedchownr@1.1.4(transitive)
+ Addeddecompress-response@6.0.0(transitive)
+ Addeddeep-extend@0.6.0(transitive)
+ Addeddetect-libc@2.0.3(transitive)
+ Addedend-of-stream@1.4.4(transitive)
+ Addedexpand-template@2.0.3(transitive)
+ Addedfs-constants@1.0.0(transitive)
+ Addedgithub-from-package@0.0.0(transitive)
+ Addedieee754@1.2.1(transitive)
+ Addedinherits@2.0.4(transitive)
+ Addedini@1.3.8(transitive)
+ Addedmimic-response@3.1.0(transitive)
+ Addedminimist@1.2.8(transitive)
+ Addedmkdirp-classic@0.5.3(transitive)
+ Addednapi-build-utils@2.0.0(transitive)
+ Addednode-abi@3.74.0(transitive)
+ Addedonce@1.4.0(transitive)
+ Addedprebuild-install@7.1.3(transitive)
+ Addedpump@3.0.2(transitive)
+ Addedrc@1.2.8(transitive)
+ Addedreadable-stream@3.6.2(transitive)
+ Addedsafe-buffer@5.2.1(transitive)
+ Addedsemver@7.7.1(transitive)
+ Addedsimple-concat@1.0.1(transitive)
+ Addedsimple-get@4.0.1(transitive)
+ Addedstring_decoder@1.3.0(transitive)
+ Addedstrip-json-comments@2.0.1(transitive)
+ Addedtar-fs@2.1.2(transitive)
+ Addedtar-stream@2.2.0(transitive)
+ Addedtunnel-agent@0.6.0(transitive)
+ Addedutil-deprecate@1.0.2(transitive)
+ Addedwrappy@1.0.2(transitive)