endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

fix(ses): reject unsupported lockdownOptions mathTaming + dateTaming #2583

Closed kumavis closed 1 month ago

kumavis commented 1 month ago

This is a breaking change.

Support for the lockdown options mathTaming and dateTaming was removed so long ago I'm having trouble finding a proper reference (edit: July 2020 https://github.com/endojs/endo/pull/372). Since these options don't do anything, lockdown should fail when these options are specified.

For LavaMoat, we were surprised to find they were being provided to lockdown, but had no effect. Any other unrecognized lockdown options are rejected.

Here is a non-breaking change that adds a warning when the options are specified https://github.com/endojs/endo/pull/2584

kumavis commented 1 month ago

@kriskowal unrelated Playwright install issue (?)

kriskowal commented 1 month ago

> @kriskowal unrelated Playwright install issue (?)

Definitely unrelated. We saw this once before when one of the browsers shifted underneath us. I reran the job and it persisted. It’s not a required job.

kumavis commented 1 month ago

@kriskowal what's the process for queueing breaking changes?

kriskowal commented 1 month ago

> @kriskowal what's the process for queueing breaking changes?

We do not have one yet, but I think a new label next-major is in order. The queue is not empty (__options__ on Compartment options bag, deprecated module descriptor formats, &c.)

Closing in favor of https://github.com/endojs/endo/pull/2584
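
The two behaviours discussed in this thread, rejecting the removed options versus only warning about them, sketched as an added example. This is not code from SES or from either pull request: `validateLockdownOptions`, its `mode` parameter and the abbreviated allowlist are hypothetical.

```javascript
// Added illustration; not code from the SES source.
// KNOWN_OPTIONS is an abbreviated, constructed allowlist for this sketch.
const KNOWN_OPTIONS = new Set(['errorTaming', 'consoleTaming', 'overrideTaming']);
// Options the PR description says were removed and no longer do anything.
const REMOVED_OPTIONS = new Set(['mathTaming', 'dateTaming']);

/**
 * Hypothetical validator.
 * mode 'reject' models the breaking change (#2583);
 * mode 'warn' models the non-breaking alternative (#2584).
 * Returns { accepted, warnings } or throws a TypeError.
 */
function validateLockdownOptions(options = {}, { mode = 'reject' } = {}) {
  const accepted = {};
  const warnings = [];
  // Reflect.ownKeys also returns symbol and non-enumerable keys,
  // so no property of the options bag escapes the check.
  for (const key of Reflect.ownKeys(options)) {
    const name = String(key);
    if (typeof key === 'string' && KNOWN_OPTIONS.has(key)) {
      accepted[key] = options[key];
    } else if (typeof key === 'string' && REMOVED_OPTIONS.has(key)) {
      const message = `lockdown option ${name} was removed and has no effect`;
      if (mode === 'reject') throw new TypeError(message);
      warnings.push(message);
    } else {
      // Unrecognized options fail closed in both modes.
      throw new TypeError(`unrecognized lockdown option ${name}`);
    }
  }
  return { accepted, warnings };
}

// Constructed caller config: its author believes Math and Date are being tamed.
const callerOptions = { errorTaming: 'safe', mathTaming: 'safe', dateTaming: 'safe' };

function demo() {
  const warned = validateLockdownOptions(callerOptions, { mode: 'warn' });
  let rejected = null;
  try {
    validateLockdownOptions(callerOptions, { mode: 'reject' });
  } catch (err) {
    rejected = err;
  }
  return { warned, rejected };
}
```

In `warn` mode the caller still starts up and the no-op hardening settings are only visible if someone reads the warnings; in `reject` mode the misconfiguration cannot go unnoticed.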