lavamoat-core - npm Package Compare versions

Comparing version 1.1.3 to 2.0.0

package.json

 {
   "name": "lavamoat-core",
-  "version": "1.1.3",
+  "version": "2.0.0",
   "description": "LavaMoat kernel and utils",
@@ -52,3 +52,3 @@ "main": "src/index.js",
   },
-  "gitHead": "c8fd2a5dea15e236bceebd59296ed56b5f02a9ad"
+  "gitHead": "308a4822fb7629d5ef1e3758c691fec535d9c501"
 }

src/kernelCoreTemplate.js

@@ -5,3 +5,3 @@ (function(){
 
-  function createKernel ({ realm, globalRef, debugMode, unsafeEvalWithEndowments, lavamoatConfig, loadModuleData, getRelativeModuleId }) {
+  function createKernel ({ realm, globalRef, debugMode, unsafeEvalWithEndowments, lavamoatConfig, loadModuleData, getRelativeModuleId, prepareModuleInitializerArgs }) {
     // create SES-wrapped LavaMoat kernel
@@ -17,2 +17,3 @@ const makeKernel = realm.evaluate(`(${unsafeCreateKernel})`, { console })
       getRelativeModuleId,
+      prepareModuleInitializerArgs,
     })
@@ -33,2 +34,3 @@
     getRelativeModuleId,
+    prepareModuleInitializerArgs,
   }) {
@@ -143,24 +145,6 @@ // "templateRequire" calls are inlined in "generatePrelude"
 
-      // browserify goop:
-      // this "modules" interface is exposed to the browserify moduleInitializer
-      // https://github.com/browserify/browser-pack/blob/cd0bd31f8c110e19a80429019b64e887b1a82b2b/prelude.js#L38
-      // browserify's browser-resolve uses "arguments[4]" to do direct module initializations
-      // browserify seems to do this when module references are redirected by the "browser" field
-      // this proxy shims this behavior
-      // TODO: would be better to just fix this by removing the indirection (maybe in https://github.com/browserify/module-deps?)
-      // though here and in the original browser-pack prelude it has a side effect that it is re-instantiated from the original module (no shared closure state)
-      const directModuleInstantiationInterface = new Proxy({}, {
-        get (_, targetModuleId) {
-          const fakeModuleDefinition = [fakeModuleInitializer]
-          return fakeModuleDefinition
+      const initializerArgs = prepareModuleInitializerArgs(requireRelativeWithContext, moduleObj, moduleData)
 
-          function fakeModuleInitializer () {
-            const targetModuleExports = requireRelativeWithContext(targetModuleId)
-            moduleObj.exports = targetModuleExports
-          }
-        }
-      })
-
       // initialize the module with the correct context
-      moduleInitializer.call(moduleObj.exports, requireRelativeWithContext, moduleObj, moduleObj.exports, null, directModuleInstantiationInterface)
+      moduleInitializer.apply(moduleObj.exports, initializerArgs)
 
@@ -293,5 +277,4 @@ // configure membrane defense
 
-    //# sourceURL=Lavamoat/core/kernel
   }
 
 })()

src/kernelTemplate.js

@@ -7,3 +7,3 @@ // LavaMoat Prelude
 
-  function createKernel ({ lavamoatConfig, loadModuleData, getRelativeModuleId }) {
+  function createKernel ({ lavamoatConfig, loadModuleData, getRelativeModuleId, prepareModuleInitializerArgs }) {
     const debugMode = __lavamoatDebugMode__
@@ -34,2 +34,3 @@
       getRelativeModuleId,
+      prepareModuleInitializerArgs,
       realm,
@@ -36,0 +37,0 @@ unsafeEvalWithEndowments,

src/preludeTemplate.js

@@ -37,2 +37,3 @@ // LavaMoat Prelude
     getRelativeModuleId,
+    prepareModuleInitializerArgs,
   })
@@ -106,2 +107,30 @@
 
+  function prepareModuleInitializerArgs (requireRelativeWithContext, moduleObj, moduleData) {
+    const require = requireRelativeWithContext
+    const module = moduleObj
+    const exports = moduleObj.exports
+
+    // browserify goop:
+    // this "modules" interface is exposed to the browserify moduleInitializer
+    // https://github.com/browserify/browser-pack/blob/cd0bd31f8c110e19a80429019b64e887b1a82b2b/prelude.js#L38
+    // browserify's browser-resolve uses "arguments[4]" to do direct module initializations
+    // browserify seems to do this when module references are redirected by the "browser" field
+    // this proxy shims this behavior
+    // this is utilized by browserify's dedupe feature
+    // though in the original browser-pack prelude it has a side effect that it is re-instantiated from the original module (no shared closure state)
+    const directModuleInstantiationInterface = new Proxy({}, {
+      get (_, targetModuleId) {
+        const fakeModuleDefinition = [fakeModuleInitializer]
+        return fakeModuleDefinition
+
+        function fakeModuleInitializer () {
+          const targetModuleExports = requireRelativeWithContext(targetModuleId)
+          moduleObj.exports = targetModuleExports
+        }
+      }
+    })
+
+    return [require, module, exports, null, directModuleInstantiationInterface]
+  }
+
 })()

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

256313

increased by0.14%

Lines of code

4678

increased by0.21%

Worsened metrics

Number of low supply chain risk alerts

7

increased by16.67%

Number of medium supply chain risk alerts

4

increased by33.33%

No dependency changes