ses - npm Package Compare versions

Comparing version 0.18.2 to 0.18.3

NEWS.md

 User-visible changes in SES:
 
+# v0.18.3 (2023-04-14)
+
+- New `__hardenTaming__: 'unsafe'` lockdown option to fake harden unsafely,
+  which can be used to improve performance for applications that are known to be
+  safe even with a no-op `harden`.
+- Finite deep stacks, using LRU budgets for depth of stacks an well as the
+  maximum number of weakly-held errors to annotate.
+- Add `%AsyncGenerator%.length` and `%AsyncFunctionPrototype%.length` `number`
+  properties to allowlist.
+
 # v0.18.2 (2023-03-07)
@@ -4,0 +14,0 @@

package.json

 {
   "name": "ses",
-  "version": "0.18.2",
+  "version": "0.18.3",
   "description": "Hardened JavaScript for Fearless Cooperation",
@@ -63,6 +63,5 @@ "keywords": [
   "devDependencies": {
-    "@endo/compartment-mapper": "^0.8.2",
-    "@endo/eslint-config": "^0.5.3",
-    "@endo/static-module-record": "^0.7.17",
-    "@endo/test262-runner": "^0.1.30",
+    "@endo/compartment-mapper": "^0.8.3",
+    "@endo/static-module-record": "^0.7.18",
+    "@endo/test262-runner": "^0.1.31",
     "ava": "^5.2.0",
@@ -73,9 +72,8 @@ "babel-eslint": "^10.0.3",
     "eslint-config-airbnb-base": "^14.0.0",
-    "eslint-config-prettier": "^6.9.0",
+    "eslint-config-prettier": "^8.8.0",
     "eslint-plugin-eslint-comments": "^3.1.2",
     "eslint-plugin-import": "^2.27.5",
-    "eslint-plugin-prettier": "^3.4.1",
-    "prettier": "^2.8.0",
+    "prettier": "^2.8.5",
     "sinon": "8.0.4",
-    "terser": "^4.8.0",
+    "terser": "^5.16.6",
     "tsd": "^0.24.1",
@@ -100,3 +98,3 @@ "typescript": "~4.9.5"
     "extends": [
-      "@endo"
+      "plugin:@endo/internal"
     ],
@@ -177,7 +175,2 @@ "rules": {
   },
-  "prettier": {
-    "arrowParens": "avoid",
-    "trailingComma": "all",
-    "singleQuote": true
-  },
   "ava": {
@@ -189,3 +182,3 @@ "files": [
   },
-  "gitHead": "0053227a37ee76ee8a3dce6059dd55140ed0ce6d"
+  "gitHead": "8141f58debaec420cbc2a7cb698e888566d430ba"
 }

src/commons.js

@@ -62,2 +62,4 @@ /* global globalThis */
   is,
+  isFrozen,
+  isSealed,
   isExtensible,
@@ -64,0 +66,0 @@ keys,

src/enablements.js

@@ -44,3 +44,3 @@ /**
  *     value associated with that property is not traversed. For
- * 	   example, {@code "Function.prototype.name"} leads to true,
+ *     example, {@code "Function.prototype.name"} leads to true,
  *     meaning that the {@code "name"} property of {@code
@@ -47,0 +47,0 @@ *     "Function.prototype"} should be repaired (which is needed

src/error/assert.js

@@ -39,2 +39,3 @@ // Copyright (C) 2019 Agoric, under Apache License 2.0
 import './internal-types.js';
+import { makeNoteLogArgsArrayKit } from './note-log-args.js';
 
@@ -255,13 +256,3 @@ // For our internal debugging purposes, uncomment
 
-/**
- * @type {WeakMap<Error, LogArgs[]>}
- *
- * Maps from an error to an array of log args, where each log args is
- * remembered as an annotation on that error. This can be used, for example,
- * to keep track of additional causes of the error. The elements of any
- * log args may include errors which are associated with further annotations.
- * An augmented console, like the causal console of `console.js`, could
- * then retrieve the graph of such annotations.
- */
-const hiddenNoteLogArgsArrays = new WeakMap();
+const { addLogArgs, takeLogArgsArray } = makeNoteLogArgsArrayKit();
 
@@ -300,8 +291,3 @@ /**
   } else {
-    const logArgsArray = weakmapGet(hiddenNoteLogArgsArrays, error);
-    if (logArgsArray !== undefined) {
-      arrayPush(logArgsArray, logArgs);
-    } else {
-      weakmapSet(hiddenNoteLogArgsArrays, error, [logArgs]);
-    }
+    addLogArgs(error, logArgs);
   }
@@ -345,4 +331,3 @@ };
   takeNoteLogArgsArray: (error, callback) => {
-    const result = weakmapGet(hiddenNoteLogArgsArrays, error);
-    weakmapDelete(hiddenNoteLogArgsArrays, error);
+    const result = takeLogArgsArray(error);
     if (callback !== undefined) {
@@ -349,0 +334,0 @@ const callbacks = weakmapGet(hiddenNoteCallbackArrays, error);

src/lockdown-shim.js

@@ -55,2 +55,3 @@ // Copyright (C) 2018 Agoric
 import { makeCompartmentConstructor } from './compartment-shim.js';
+import { tameHarden } from './tame-harden.js';
 
@@ -71,3 +72,3 @@ /** @typedef {import('../types.js').LockdownOptions} LockdownOptions */
  */
-const harden = makeHardener();
+const safeHarden = makeHardener();
 
@@ -179,2 +180,3 @@ /**
     ),
+    __hardenTaming__ = getenv('LOCKDOWN_HARDEN_TAMING', 'safe'),
     dateTaming = 'safe', // deprecated
@@ -270,3 +272,4 @@ mathTaming = 'safe', // deprecated
 
-  addIntrinsics({ harden });
+  const tamedHarden = tameHarden(safeHarden, __hardenTaming__);
+  addIntrinsics({ harden: tamedHarden });
 
@@ -384,3 +387,3 @@ addIntrinsics(tameFunctionConstructors());
     // must be the operation that modifies the intrinsics.
-    harden(intrinsics);
+    tamedHarden(intrinsics);
 
@@ -395,3 +398,3 @@ // Reveal harden after lockdown.
     // @ts-ignore harden not yet recognized on globalThis.
-    globalThis.harden = harden;
+    globalThis.harden = tamedHarden;
 
@@ -398,0 +401,0 @@ // Returning `true` indicates that this is a JS to SES transition.

src/strict-scope-terminator.js

@@ -60,5 +60,4 @@ import {
 
-  // Chip has seen this happen single stepping under the Chrome/v8 debugger.
-  // TODO record how to reliably reproduce, and to test if this fix helps.
-  // TODO report as bug to v8 or Chrome, and record issue link here.
+  // See https://github.com/endojs/endo/issues/1510
+  // TODO: report as bug to v8 or Chrome, and record issue link here.
   getOwnPropertyDescriptor(_target, prop) {
@@ -65,0 +64,0 @@ // Coerce with `String` in case prop is a symbol.

src/whitelist.js

@@ -1224,2 +1224,6 @@ /* eslint-disable no-restricted-globals */
     prototype: '%AsyncGeneratorPrototype%',
+    // length prop added here for React Native jsc-android
+    // https://github.com/endojs/endo/issues/660
+    // https://github.com/react-native-community/jsc-android-buildscripts/issues/181
+    length: 'number',
     '@@toStringTag': 'string',
@@ -1307,2 +1311,6 @@ },
     constructor: '%InertAsyncFunction%',
+    // length prop added here for React Native jsc-android
+    // https://github.com/endojs/endo/issues/660
+    // https://github.com/react-native-community/jsc-android-buildscripts/issues/181
+    length: 'number',
     '@@toStringTag': 'string',
@@ -1373,5 +1381,5 @@ },
   lockdown: fn,
-  harden: fn,
+  harden: { ...fn, isFake: 'boolean' },
 
   '%InitialGetStackString%': fn,
 };

types.d.ts

@@ -36,2 +36,3 @@ /**
   domainTaming?: 'safe' | 'unsafe';
+  __hardenTaming__?: 'safe' | 'unsafe';
 }
@@ -38,0 +39,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

2950860

increased by2.7%

Dev dependency count

16

decreased by-11.11%

Number of package files

67

increased by3.08%

Lines of code

63129

increased by3.47%

Number of medium supply chain risk alerts

1

decreased by-50%

No dependency changes