ses - npm Package Compare versions

Comparing version 0.18.8 to 1.0.0

package.json

 {
   "name": "ses",
-  "version": "0.18.8",
+  "version": "1.0.0",
   "description": "Hardened JavaScript for Fearless Cooperation",
@@ -38,2 +38,3 @@ "keywords": [
     ".": {
+      "types": "./types.d.ts",
       "import": "./index.js",
@@ -43,2 +44,3 @@ "require": "./dist/ses.cjs"
     "./lockdown": {
+      "types": "./types.d.ts",
       "import": "./index.js",
@@ -65,7 +67,7 @@ "require": "./dist/ses.cjs"
   "dependencies": {
-    "@endo/env-options": "^0.1.4"
+    "@endo/env-options": "^1.0.0"
   },
   "devDependencies": {
-    "@endo/compartment-mapper": "^0.9.2",
-    "@endo/static-module-record": "^0.8.2",
+    "@endo/compartment-mapper": "^1.0.0",
+    "@endo/static-module-record": "^1.0.0",
     "@endo/test262-runner": "^0.1.32",
@@ -80,3 +82,3 @@ "ava": "^5.3.0",
     "eslint-plugin-eslint-comments": "^3.1.2",
-    "eslint-plugin-import": "^2.27.5",
+    "eslint-plugin-import": "^2.29.0",
     "prettier": "^3.0.0",
@@ -186,3 +188,6 @@ "sinon": "^15.1.0",
   },
-  "gitHead": "9c779d317c4b02133172dbe142c5b2d1727efc49"
+  "typeCoverage": {
+    "atLeast": 81.13
+  },
+  "gitHead": "6aa22009bf8128575c446aebceb0f9a01459d165"
 }

src/enablements.js

@@ -196,3 +196,3 @@ /**
    * at As explained at
-   * https://github.com/endojs/endo/blob/master/packages/ses/lockdown-options.md#overridetaming-options
+   * https://github.com/endojs/endo/blob/master/packages/ses/docs/lockdown.md#overridetaming-options
    * Open the triangles at the bottom of that section.
@@ -199,0 +199,0 @@ */

src/error/console.js

@@ -177,2 +177,6 @@ // @ts-check
 const makeCausalConsole = (baseConsole, loggedErrorHandler) => {
+  if (!baseConsole) {
+    return undefined;
+  }
+
   const { getStackString, tagError, takeMessageLogArgs, takeNoteLogArgsArray } =
@@ -179,0 +183,0 @@ loggedErrorHandler;

src/error/internal-types.js

@@ -86,5 +86,5 @@ // @ts-check
  *
- * @param {VirtualConsole} baseConsole
+ * @param {VirtualConsole | undefined} baseConsole
  * @param {LoggedErrorHandler} loggedErrorHandler
- * @returns {VirtualConsole}
+ * @returns {VirtualConsole | undefined}
  */

src/error/tame-console.js

 // @ts-check
 
-import { TypeError, globalThis } from '../commons.js';
+import {
+  TypeError,
+  apply,
+  defineProperty,
+  freeze,
+  globalThis,
+} from '../commons.js';
 import { loggedErrorHandler as defaultHandler } from './assert.js';
@@ -10,5 +16,32 @@ import { makeCausalConsole } from './console.js';
 
+const wrapLogger = (logger, thisArg) =>
+  freeze((...args) => apply(logger, thisArg, args));
+
 // eslint-disable-next-line no-restricted-globals
-const originalConsole = console;
+const originalConsole = /** @type {VirtualConsole} */ (
+  // eslint-disable-next-line no-nested-ternary
+  typeof console !== 'undefined'
+    ? console
+    : typeof print === 'function'
+    ? // Make a good-enough console for eshost (including only functions that
+      // log at a specific level with no special argument interpretation).
+      // https://console.spec.whatwg.org/#logging
+      (p => freeze({ debug: p, log: p, info: p, warn: p, error: p }))(
+        // eslint-disable-next-line no-undef
+        wrapLogger(print),
+      )
+    : undefined
+);
 
+// Upgrade a log-only console (as in `eshost -h SpiderMonkey`).
+if (originalConsole && originalConsole.log) {
+  for (const methodName of ['warn', 'error']) {
+    if (!originalConsole[methodName]) {
+      defineProperty(originalConsole, methodName, {
+        value: wrapLogger(originalConsole.log, originalConsole),
+      });
+    }
+  }
+}
+
 /**
@@ -44,6 +77,7 @@ * Wrap console unless suppressed.
   }
-  const ourConsole =
+  const ourConsole = /** @type {VirtualConsole} */ (
     consoleTaming === 'unsafe'
       ? originalConsole
-      : makeCausalConsole(originalConsole, loggedErrorHandler);
+      : makeCausalConsole(originalConsole, loggedErrorHandler)
+  );
 
@@ -50,0 +84,0 @@ // Attach platform-specific error traps such that any error that gets thrown

src/error/types.js

@@ -7,3 +7,3 @@ // @ts-check
  *
- * @param {*} flag The truthy/falsy value
+ * @param {any} flag The truthy/falsy value
  * @param {Details=} optDetails The details to throw
@@ -55,4 +55,4 @@ * @param {ErrorConstructor=} ErrorConstructor An optional alternate error
  * Assert that two values must be `Object.is`.
- * @param {*} actual The value we received
- * @param {*} expected What we wanted
+ * @param {any} actual The value we received
+ * @param {any} expected What we wanted
  * @param {Details=} optDetails The details to throw
@@ -206,3 +206,3 @@ * @param {ErrorConstructor=} ErrorConstructor An optional alternate error
  * @callback AssertQuote
- * @param {*} payload What to declassify
+ * @param {any} payload What to declassify
  * @param {(string|number)=} spaces
@@ -209,0 +209,0 @@ * @returns {StringablePayload} The declassified payload

src/global-object.js

@@ -113,6 +113,8 @@ import {
 
-  perCompartmentGlobals.Compartment = makeCompartmentConstructor(
-    makeCompartmentConstructor,
-    intrinsics,
-    markVirtualizedNativeFunction,
+  perCompartmentGlobals.Compartment = freeze(
+    makeCompartmentConstructor(
+      makeCompartmentConstructor,
+      intrinsics,
+      markVirtualizedNativeFunction,
+    ),
   );
@@ -149,3 +151,3 @@
   {
-    const f = makeEvalFunction(evaluator);
+    const f = freeze(makeEvalFunction(evaluator));
     markVirtualizedNativeFunction(f);
@@ -160,3 +162,3 @@ defineProperty(globalObject, 'eval', {
   {
-    const f = makeFunctionConstructor(evaluator);
+    const f = freeze(makeFunctionConstructor(evaluator));
     markVirtualizedNativeFunction(f);
@@ -163,0 +165,0 @@ defineProperty(globalObject, 'Function', {

src/lockdown.js

@@ -28,2 +28,3 @@ // Copyright (C) 2018 Agoric
   noEvalEvaluate,
+  getOwnPropertyNames,
 } from './commons.js';
@@ -155,3 +156,3 @@ import { makeHardener } from './make-hardener.js';
   // is useful. See
-  // [`stackFiltering` options](https://github.com/Agoric/SES-shim/blob/master/packages/ses/lockdown-options.md#stackfiltering-options)
+  // [`stackFiltering` options](https://github.com/Agoric/SES-shim/blob/master/packages/ses/docs/lockdown.md#stackfiltering-options)
   // for an explanation.
@@ -163,10 +164,14 @@
     errorTaming = getenv('LOCKDOWN_ERROR_TAMING', 'safe'),
-    errorTrapping = getenv('LOCKDOWN_ERROR_TRAPPING', 'platform'),
-    unhandledRejectionTrapping = getenv(
-      'LOCKDOWN_UNHANDLED_REJECTION_TRAPPING',
-      'report',
+    errorTrapping = /** @type {"platform" | "none" | "report" | "abort" | "exit" | undefined} */ (
+      getenv('LOCKDOWN_ERROR_TRAPPING', 'platform')
     ),
+    unhandledRejectionTrapping = /** @type {"none" | "report" | undefined} */ (
+      getenv('LOCKDOWN_UNHANDLED_REJECTION_TRAPPING', 'report')
+    ),
     regExpTaming = getenv('LOCKDOWN_REGEXP_TAMING', 'safe'),
     localeTaming = getenv('LOCKDOWN_LOCALE_TAMING', 'safe'),
-    consoleTaming = getenv('LOCKDOWN_CONSOLE_TAMING', 'safe'),
+
+    consoleTaming = /** @type {'unsafe' | 'safe' | undefined} */ (
+      getenv('LOCKDOWN_CONSOLE_TAMING', 'safe')
+    ),
     overrideTaming = getenv('LOCKDOWN_OVERRIDE_TAMING', 'moderate'),
@@ -391,2 +396,14 @@ stackFiltering = getenv('LOCKDOWN_STACK_FILTERING', 'concise'),
 
+    // Harden evaluators
+    tamedHarden(globalThis.Function);
+    tamedHarden(globalThis.eval);
+    // @ts-ignore Compartment does exist on globalThis
+    tamedHarden(globalThis.Compartment);
+
+    // Harden Symbol and properties for initialGlobalPropertyNames in the host realm
+    tamedHarden(globalThis.Symbol);
+    for (const prop of getOwnPropertyNames(initialGlobalPropertyNames)) {
+      tamedHarden(globalThis[prop]);
+    }
+
     return tamedHarden;
@@ -393,0 +410,0 @@ };

src/permits.js

@@ -1417,2 +1417,4 @@ /* eslint-disable no-restricted-globals */
     resolve: fn,
+    // https://github.com/tc39/proposal-promise-with-resolvers
+    withResolvers: fn,
     '@@species': getter,
@@ -1419,0 +1421,0 @@ },

types.d.ts

@@ -61,4 +61,7 @@ /**
   exports: Array<string>;
+  /**
+   * Note that this value does _not_ contain any numeric or symbol property keys, which can theoretically be members of `exports` in a CommonJS module.
+   */
   execute(
-    proxiedExports: Object,
+    proxiedExports: Record<string, any>,
     compartment: Compartment,
@@ -65,0 +68,0 @@ resolvedImports: Record<string, string>,

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Deprecated

Maintenance

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Deprecated

Maintenance

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

3074237

increased by0.71%

Lines of code

65913

increased by0.46%

Number of low quality alerts

0

decreased by-100%

Dependency changes

• + Added@endo/env-options@1.1.5(transitive)

• - Removed@endo/env-options@0.1.4(transitive)

• Updated@endo/env-options@^1.0.0