ses - npm Package Compare versions

Comparing version 0.6.5 to 0.7.0

package.json

 {
   "name": "ses",
-  "version": "0.6.5",
+  "version": "0.7.0",
   "description": "Secure ECMAScript",
-  "main": "dist/ses.cjs.js",
-  "module": "dist/ses.esm.js",
-  "browser": "dist/ses.umd.js",
+  "author": "Agoric",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./src/lockdown-shim.js",
+  "exports": {
+    "import": "./src/lockdown-shim.js",
+    "require": "./dist/ses.cjs.js",
+    "browser": "./dist/ses.umd.js"
+  },
   "scripts": {
-    "test": "node scripts/build-intermediate.js && tape -r esm test/**/*.js",
-    "just-test": "tape -r esm test/**/*.js",
-    "build-intermediate": "node scripts/build-intermediate.js",
-    "build": "node scripts/build-intermediate.js && rollup -c",
-    "lint-fix": "eslint --fix '**/*.{js,jsx}'",
-    "lint-check": "eslint '**/*.{js,jsx}'"
+    "depcheck": "depcheck",
+    "lint": "eslint '**/*.js'",
+    "lint-fix": "eslint --fix '**/*.js'",
+    "test": "tap --no-esm --no-coverage --reporter spec 'test/**/*.test.js'",
+    "test262": "tap --no-esm --no-coverage --reporter spec test262/*.js",
+    "build": "rollup --config rollup.config.js",
+    "demo": "http-server -o /demos"
   },
+  "dependencies": {
+    "@agoric/make-hardener": "^0.0.6"
+  },
   "devDependencies": {
-    "@agoric/nat": "^2.0.0",
-    "eslint": "^6.4.0",
-    "eslint-config-airbnb": "^18.0.0",
-    "eslint-config-prettier": "^6.3.0",
-    "eslint-plugin-import": "^2.18.2",
-    "eslint-plugin-jsx-a11y": "^6.2.1",
-    "eslint-plugin-prettier": "^3.1.1",
-    "eslint-plugin-react": "^7.14.3",
-    "prettier": "^1.17.1",
-    "rollup": "^1.21.4",
-    "rollup-plugin-node-resolve": "^5.2.0",
-    "tape": "^4.9.2"
+    "@agoric/test262-runner": "~0.1.0",
+    "@rollup/plugin-node-resolve": "^6.1.0",
+    "babel-eslint": "^10.0.3",
+    "eslint": "^6.8.0",
+    "eslint-config-airbnb-base": "^14.0.0",
+    "eslint-config-prettier": "^6.9.0",
+    "eslint-plugin-eslint-comments": "^3.1.2",
+    "eslint-plugin-import": "^2.19.1",
+    "eslint-plugin-prettier": "^3.1.2",
+    "http-server": "^0.12.1",
+    "prettier": "^1.19.1",
+    "rollup-plugin-terser": "^5.1.3",
+    "sinon": "8.0.4",
+    "tap": "14.10.5",
+    "tape": "4.12.1"
   },
-  "dependencies": {
-    "@agoric/make-hardener": "^0.0.6",
-    "esm": "^3.2.25",
-    "realms-shim": "^1.2.2"
-  },
   "keywords": [
@@ -41,15 +49,14 @@ "confinement",
   ],
-  "files": [
-    "dist"
-  ],
+  "homepage": "https://github.com/Agoric/SES#readme",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/Agoric/SES.git"
+    "url": "git+https://github.com/Agoric/ses-shim.git"
   },
-  "author": "Agoric",
-  "license": "Apache-2.0",
   "bugs": {
-    "url": "https://github.com/Agoric/SES/issues"
+    "url": "https://github.com/Agoric/ses-shim/issues"
   },
-  "homepage": "https://github.com/Agoric/SES#readme"
+  "files": [
+    "dist",
+    "LICENSE*"
+  ]
 }

README.md

 # Secure EcmaScript (SES)
 
-[![Build Status][ci-svg]][ci-url]
-[![dependency status][deps-svg]][deps-url]
-[![dev dependency status][dev-deps-svg]][dev-deps-url]
-[![License][license-image]][license-url]
-
 Secure EcmaScript (SES) is a frozen environment for running EcmaScript
@@ -20,5 +15,5 @@ (Javascript) 'strict' mode programs with no ambient authority in their global
 flavors of confined EcmaScript execution. And visit
-https://rawgit.com/Agoric/SES/master/demo/ for a demo.
+https://rawgit.com/Agoric/ses-shim/master/demo/ for a demo.
 
-Derived from the Caja project, https://github.com/google/caja/wiki/SES .
+Derived from the Caja project, https://github.com/google/caja/wiki/SES.
 
@@ -28,36 +23,65 @@ Still under development: do not use for production systems yet, there are
 
-Incorporates (as a dependency) the [Realms shim](https://github.com/Agoric/realms-shim), which is a TC39 proposal spec here:
-https://github.com/tc39/proposal-realms .
+## Install
 
-### Install
+```sh
+npm install ses
+```
 
-`npm install`
-`npm run build`
+## Usage
 
-Run the test suite
+### Module
 
-`npm test`
+This example locks down the current realm, turning it into a starting
+compartment.
+Within a compartment, there is a `Compartment` constructor that conveys
+"endownments" into the new compartment's global scope, and a `harden` method
+that that object and any object reachable from its surface.
+The compartment can import modules and evaluate programs.
 
-### Bug Disclosure
+```js
+import {lockdown} from "ses";
 
+lockdown();
+
+const c = new Compartment({
+    print: harden(console.log),
+});
+
+c.evaluate(`
+    print("Hello! Hello?");
+`);
+```
+
+The new compartment has a different global object than the start compartment.
+The global object is initially mutable.
+Locking down the start compartment hardened many of the intrinsics in global
+scope.
+After lockdown, no compartment can tamper with these intrinsics.
+Many of these intrinsics are identical in the new compartment.
+
+```js
+const c = new Compartment();
+c.global === global; // false
+c.global.JSON === JSON; // true
+```
+
+The property holds among any other compartments.
+Each has a unique, initially mutable, global object.
+Many intrinsics are shared.
+
+```js
+const c1 = new Compartment();
+const c2 = new Compartment();
+c1.global === c2.global; // false
+c1.global.JSON === c2.global.JSON; // true
+```
+
+## Bug Disclosure
+
 Please help us practice coordinated security bug disclosure, by using the
 instructions in
-[SECURITY.md](https://github.com/Agoric/SES/blob/master/SECURITY.md)
+[SECURITY.md](https://github.com/Agoric/ses-shim/blob/master/SECURITY.md)
 to report security-sensitive bugs privately.
 
 For non-security bugs, please use the [regular Issues
-page](https://github.com/Agoric/SES/issues).
-
-
-<!-- [![Coverage Status][coveralls-svg]][coveralls-url] -->
-
-[ci-svg]: https://circleci.com/gh/Agoric/SES.svg?style=svg
-[ci-url]: https://circleci.com/gh/Agoric/SES
-[coveralls-svg]: https://coveralls.io/repos/github/Agoric/SES/badge.svg
-[coveralls-url]: https://coveralls.io/github/Agoric/SES
-[deps-svg]: https://david-dm.org/Agoric/SES.svg
-[deps-url]: https://david-dm.org/Agoric/SES
-[dev-deps-svg]: https://david-dm.org/Agoric/SES/dev-status.svg
-[dev-deps-url]: https://david-dm.org/Agoric/SES?type=dev
-[license-image]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
-[license-url]: shim/LICENSE
+page](https://github.com/Agoric/ses-shim/issues).

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Mixed license

License

(Experimental) Package contains multiple licenses.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 2 instances in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Improved metrics

Dependency count

1

decreased by-66.67%

Number of package files

11

increased by83.33%

Lines of code

11445

increased by6.04%

Number of lines in readme file

86

increased by38.71%

Number of low supply chain risk alerts

0

decreased by-100%

Number of medium supply chain risk alerts

0

decreased by-100%

Is type module

Yes

Worsened metrics

Total package byte prevSize

440927

decreased by-30.6%

Dev dependency count

15

increased by25%

Number of low license alerts

1

increased byInfinity%

Dependency changes

• - Removedesm@^3.2.25

• - Removedrealms-shim@^1.2.2

• - Removedesm@3.2.25(transitive)

• - Removedrealms-shim@1.2.2(transitive)