ses - npm Package Compare versions

Comparing version 0.18.0 to 0.18.1

index.d.ts

@@ -67,5 +67,6 @@ /**
 export interface RedirectStaticModuleInterface {
-  record: FinalStaticModuleType;
   specifier: string;
+  record?: FinalStaticModuleType;
   importMeta?: any;
+  compartment?: Compartment;
 }
@@ -72,0 +73,0 @@

NEWS.md

 User-visible changes in SES:
 
+# v0.18.1 (2022-12-23)
+
+- Fixes a bug for SES initialization in a no-unsafe-eval
+  Content-Security-Policy.
+- Fixes a bug where reexport of multiple named exports of the same name was
+  causing them to be overridden by the last value. Now named exports are 
+  handled in the same manner as `export *`.
+- Allows Compatment `importHook` implementations to return aliases: module
+  descriptors that refer to a module by its specifier in the same or a
+  specified compartment, without providing a static module record (module
+  source).
+
 # v0.18.0 (2022-11-14)
@@ -4,0 +16,0 @@

package.json

 {
   "name": "ses",
-  "version": "0.18.0",
+  "version": "0.18.1",
   "description": "Hardened JavaScript for Fearless Cooperation",
@@ -62,7 +62,7 @@ "keywords": [
   "devDependencies": {
-    "@endo/compartment-mapper": "^0.8.0",
-    "@endo/eslint-config": "^0.5.1",
-    "@endo/static-module-record": "^0.7.15",
-    "@endo/test262-runner": "^0.1.28",
-    "ava": "^3.12.1",
+    "@endo/compartment-mapper": "^0.8.1",
+    "@endo/eslint-config": "^0.5.2",
+    "@endo/static-module-record": "^0.7.16",
+    "@endo/test262-runner": "^0.1.29",
+    "ava": "^5.1.0",
     "babel-eslint": "^10.0.3",
@@ -76,3 +76,3 @@ "c8": "^7.7.3",
     "eslint-plugin-prettier": "^3.4.1",
-    "prettier": "^1.19.1",
+    "prettier": "^2.8.0",
     "sinon": "8.0.4",
@@ -175,2 +175,3 @@ "terser": "^4.8.0",
   "prettier": {
+    "arrowParens": "avoid",
     "trailingComma": "all",
@@ -185,3 +186,3 @@ "singleQuote": true
   },
-  "gitHead": "da16a94856482e36296b7cae16d715aa63344928"
+  "gitHead": "ab8d64ae6fc9c628a2d1c02d16bf9ef249f5c8dc"
 }

README.md

@@ -42,3 +42,3 @@ # SES
 
-[![Primer on Hardened JavaScript](https://img.youtube.com/vi/RoodZSIL-DE/0.jpg)](https://www.youtube.com/watch?v=RoodZSIL-DE)
+[![Primer on Hardened JavaScript](https://img.youtube.com/vi/RZ7bBIU8DRc/0.jpg)](https://www.youtube.com/watch?v=RZ7bBIU8DRc)
 
@@ -45,0 +45,0 @@ _Don't add Security, Remove Insecurity_, Mark Miller:

src/compartment-evaluate.js

@@ -16,6 +16,4 @@ /// <reference types="ses">
 export const provideCompartmentEvaluator = (compartmentFields, options) => {
-  const {
-    sloppyGlobalsMode = false,
-    __moduleShimLexicals__ = undefined,
-  } = options;
+  const { sloppyGlobalsMode = false, __moduleShimLexicals__ = undefined } =
+    options;
 
@@ -22,0 +20,0 @@ let safeEvaluate;

src/error/console.js

@@ -177,8 +177,4 @@ // @ts-check
 const makeCausalConsole = (baseConsole, loggedErrorHandler) => {
-  const {
-    getStackString,
-    tagError,
-    takeMessageLogArgs,
-    takeNoteLogArgsArray,
-  } = loggedErrorHandler;
+  const { getStackString, tagError, takeMessageLogArgs, takeNoteLogArgsArray } =
+    loggedErrorHandler;
 
@@ -185,0 +181,0 @@ /**

src/error/types.js

@@ -15,3 +15,3 @@ // @ts-check
 /**
- * @typedef {Object} AssertMakeErrorOptions
+ * @typedef {object} AssertMakeErrorOptions
  * @property {string=} errorName
@@ -63,4 +63,4 @@ */
 // Type all the overloads of the assertTypeof function.
-// There may eventually be a better way to do this, but they break with
-// Typescript 4.0.
+// There may eventually be a better way to do this, but
+// thems the breaks with Typescript 4.0.
 /**
@@ -72,3 +72,5 @@ * @callback AssertTypeofBigint
  * @returns {asserts specimen is bigint}
- *
+ */
+
+/**
  * @callback AssertTypeofBoolean
@@ -79,3 +81,5 @@ * @param {any} specimen
  * @returns {asserts specimen is boolean}
- *
+ */
+
+/**
  * @callback AssertTypeofFunction
@@ -86,3 +90,5 @@ * @param {any} specimen
  * @returns {asserts specimen is Function}
- *
+ */
+
+/**
  * @callback AssertTypeofNumber
@@ -93,3 +99,5 @@ * @param {any} specimen
  * @returns {asserts specimen is number}
- *
+ */
+
+/**
  * @callback AssertTypeofObject
@@ -100,3 +108,5 @@ * @param {any} specimen
  * @returns {asserts specimen is Record<any, any> | null}
- *
+ */
+
+/**
  * @callback AssertTypeofString
@@ -107,3 +117,5 @@ * @param {any} specimen
  * @returns {asserts specimen is string}
- *
+ */
+
+/**
  * @callback AssertTypeofSymbol
@@ -114,3 +126,5 @@ * @param {any} specimen
  * @returns {asserts specimen is symbol}
- *
+ */
+
+/**
  * @callback AssertTypeofUndefined
@@ -169,3 +183,3 @@ * @param {any} specimen
 /**
- * @typedef {Object} StringablePayload
+ * @typedef {object} StringablePayload
  * Holds the payload passed to quote so that its printed form is visible.
@@ -172,0 +186,0 @@ * @property {() => string} toString How to print the payload

src/get-anonymous-intrinsics.js

@@ -48,4 +48,6 @@ import {
 
-  const ThrowTypeError = getOwnPropertyDescriptor(makeArguments(), 'callee')
-    .get;
+  const ThrowTypeError = getOwnPropertyDescriptor(
+    makeArguments(),
+    'callee',
+  ).get;
 
@@ -52,0 +54,0 @@ // 21.1.5.2 The %StringIteratorPrototype% Object

src/lockdown-shim.js

@@ -154,6 +154,4 @@ // Copyright (C) 2018 Agoric
 
-  const {
-    getEnvironmentOption: getenv,
-    getCapturedEnvironmentOptionNames,
-  } = makeEnvironmentCaptor(globalThis);
+  const { getEnvironmentOption: getenv, getCapturedEnvironmentOptionNames } =
+    makeEnvironmentCaptor(globalThis);
 
@@ -264,7 +262,4 @@ const {
 
-  const {
-    addIntrinsics,
-    completePrototypes,
-    finalIntrinsics,
-  } = makeIntrinsicsCollector();
+  const { addIntrinsics, completePrototypes, finalIntrinsics } =
+    makeIntrinsicsCollector();
 
@@ -271,0 +266,0 @@ addIntrinsics({ harden });

src/module-instance.js

@@ -137,2 +137,3 @@ import { assert } from './error/assert.js';
     __liveExportMap__: liveExportMap = {},
+    __reexportMap__: reexportMap = {},
     __needsImportMeta__: needsImportMeta = false,
@@ -391,16 +392,25 @@ } = staticModuleRecord;
         // Make all these imports candidates.
-        for (const [importName, importNotify] of entries(importNotifiers)) {
-          if (candidateAll[importName] === undefined) {
-            candidateAll[importName] = importNotify;
+        // Note names don't change in reexporting all
+        for (const [importAndExportName, importNotify] of entries(
+          importNotifiers,
+        )) {
+          if (candidateAll[importAndExportName] === undefined) {
+            candidateAll[importAndExportName] = importNotify;
           } else {
             // Already a candidate: remove ambiguity.
-            candidateAll[importName] = false;
+            candidateAll[importAndExportName] = false;
           }
         }
       }
+      if (reexportMap[specifier]) {
+        // Make named reexports candidates too.
+        for (const [localName, exportedName] of reexportMap[specifier]) {
+          candidateAll[exportedName] = importNotifiers[localName];
+        }
+      }
     }
 
-    for (const [importName, notify] of entries(candidateAll)) {
-      if (!notifiers[importName] && notify !== false) {
-        notifiers[importName] = notify;
+    for (const [exportName, notify] of entries(candidateAll)) {
+      if (!notifiers[exportName] && notify !== false) {
+        notifiers[exportName] = notify;
 
@@ -411,3 +421,3 @@ // exported live binding state
         notify(update);
-        exportsProps[importName] = {
+        exportsProps[exportName] = {
           get() {
@@ -414,0 +424,0 @@ return value;

src/module-link.js

@@ -123,8 +123,4 @@ /* eslint-disable no-underscore-dangle */
 ) => {
-  const {
-    compartment,
-    moduleSpecifier,
-    resolvedImports,
-    staticModuleRecord,
-  } = moduleRecord;
+  const { compartment, moduleSpecifier, resolvedImports, staticModuleRecord } =
+    moduleRecord;
   const { instances } = weakmapGet(compartmentPrivateFields, compartment);
@@ -131,0 +127,0 @@

src/module-load.js

@@ -57,3 +57,3 @@ // For brevity, in this file, as in module-link.js, the term "moduleRecord"
 
-const loadRecord = async (
+const loadRecord = (
   compartmentPrivateFields,
@@ -179,23 +179,60 @@ moduleAliases,
 
-  if (staticModuleRecord.record !== undefined) {
-    const {
-      compartment: aliasCompartment = compartment,
-      specifier: aliasSpecifier = moduleSpecifier,
-      record: aliasModuleRecord,
-      importMeta,
-    } = staticModuleRecord;
+  // check if record is a RedirectStaticModuleInterface
+  if (staticModuleRecord.specifier !== undefined) {
+    // check if this redirect with an explicit record
+    if (staticModuleRecord.record !== undefined) {
+      // ensure expected record shape
+      if (staticModuleRecord.compartment !== undefined) {
+        throw new TypeError(
+          'Cannot redirect to an explicit record with a specified compartment',
+        );
+      }
+      const {
+        compartment: aliasCompartment = compartment,
+        specifier: aliasSpecifier = moduleSpecifier,
+        record: aliasModuleRecord,
+        importMeta,
+      } = staticModuleRecord;
 
-    const aliasRecord = await loadRecord(
-      compartmentPrivateFields,
-      moduleAliases,
-      aliasCompartment,
-      aliasSpecifier,
-      aliasModuleRecord,
-      pendingJobs,
-      moduleLoads,
-      errors,
-      importMeta,
+      const aliasRecord = loadRecord(
+        compartmentPrivateFields,
+        moduleAliases,
+        aliasCompartment,
+        aliasSpecifier,
+        aliasModuleRecord,
+        pendingJobs,
+        moduleLoads,
+        errors,
+        importMeta,
+      );
+      mapSet(moduleRecords, moduleSpecifier, aliasRecord);
+      return aliasRecord;
+    }
+
+    // check if this redirect with an explicit compartment
+    if (staticModuleRecord.compartment !== undefined) {
+      // ensure expected record shape
+      if (staticModuleRecord.importMeta !== undefined) {
+        throw new TypeError(
+          'Cannot redirect to an implicit record with a specified importMeta',
+        );
+      }
+      // Behold: recursion.
+      // eslint-disable-next-line no-use-before-define
+      const aliasRecord = await memoizedLoadWithErrorAnnotation(
+        compartmentPrivateFields,
+        moduleAliases,
+        staticModuleRecord.compartment,
+        staticModuleRecord.specifier,
+        pendingJobs,
+        moduleLoads,
+        errors,
+      );
+      mapSet(moduleRecords, moduleSpecifier, aliasRecord);
+      return aliasRecord;
+    }
+
+    throw new TypeError(
+      'Unnexpected RedirectStaticModuleInterface record shape',
     );
-    mapSet(moduleRecords, moduleSpecifier, aliasRecord);
-    return aliasRecord;
   }
@@ -202,0 +239,0 @@

src/tame-function-constructors.js

@@ -8,2 +8,3 @@ import {
   setPrototypeOf,
+  freeze,
 } from './commons.js';
@@ -53,3 +54,3 @@
     // Throws, no need to patch.
-    return harden({});
+    return freeze({});
   }
@@ -87,3 +88,3 @@
     // eslint-disable-next-line func-names
-    const InertConstructor = function() {
+    const InertConstructor = function () {
       throw new TypeError(
@@ -90,0 +91,0 @@ 'Function.prototype.constructor is not a valid constructor.',

src/tame-math-object.js

@@ -16,5 +16,4 @@ import {
 
-  const { random: _, ...otherDescriptors } = getOwnPropertyDescriptors(
-    originalMath,
-  );
+  const { random: _, ...otherDescriptors } =
+    getOwnPropertyDescriptors(originalMath);
 
@@ -21,0 +20,0 @@ const sharedMath = create(objectPrototype, otherDescriptors);

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Lines of code

60841

increased by0.43%

Worsened metrics

Total package byte prevSize

2853971

decreased by-0.94%

Number of package files

64

decreased by-1.54%

No dependency changes