Eliminate shims in v2

[cspotcode]

I'm evaluating whether or not to use this library for a project. My project may use Secure ECMAScript (SES) in the future, meaning I cannot modify any built-in prototypes. Secure ECMAScript enforces object-capability security by locking down all built-in objects (Object, Array, etc) so that they can't be modified.

Does your documentation explain how to use collections without modifying any built-in prototypes? I looked around on collectionsjs.com and only found references to how your code modifies prototypes sometimes, but I didn't find anything explaining how to explicitly avoid modifications.

Thanks in advance.

[kriskowal]

The shims are pretty intrusive at the moment. I am considering an alternate design that would decouple the shims entirely, using separate modules for each of the operators like equals and compare.

I’m familiar with SES. To use Collections as is, the shim modules would need to be instantiated before initSES, and would need to be added to the table of approved globals.

[cspotcode]

Thanks for the quick response.

Before adding the shims to the table of approved globals, I would want to audit collections's source code and make sure those shimmed methods are secure enough to be whitelisted.

I'm looking forward to seeing the alternate design with decoupled shims, if/when it sees the light of day.

Thanks again!

[cspotcode]

Hello again, I've been working on a fork of collections that does not modify any global objects or prototypes. It's almost complete (cspotcode/collections#do-not-modify-builtins).

I noticed collections v2.0.1 is released. Is that version ready for prime time, or is it more of a beta? If it's ready for production use, I'm going to try making a version of v2 that doesn't modify any globals.

Thanks in advance.

[kriskowal]

I intend to decouple v2 from modifying globals as much as possible. Some of this has landed in that branch. I expect that will just leave observable arrays monkey patching. The v2 branch is pre-beta and will not be published to the "latest" tag unless and until MontageJS elects to adopt it, which is unlikely and not soon. In the interim, adventurous users may npm install collections@future or collections@2.

[cspotcode]

Ok, thanks for the info.

[dashed]

+1. The shims are off putting which made me reconsider using this library.

[dantman]

+1 the clone shim breaks Sequelize and I'm going to have to find a way to work around it.

[kriskowal]

@dantman, try collections@2.

[dantman]

@kriskowal Nope, it appears that array.clone still exists in 2.0.1 and Sequelize still dies in the same way.

[kriskowal]

Ah, I see. There are unreleased changes in the v2 branch. Thanks.

[kriskowal]

Try now. 2.0.2 does not have shims. Let me know how it goes; this is a pretty big change, and change observers are factored into another package.

[dantman]

It looks like it works.

[Bazze]

So what is this 2.0.2 version actually? It's available through npm but I can't find any tag or similar for it here. How old is that version? What's missing compared to latest version? Is 2.0.2 actually the only way to get the collections package without the shims at the moment? Using the latest version, 5.0.5, breaks stuff in sails as mentioned in https://github.com/montagejs/collections/issues/162 and https://github.com/balderdashy/sails/issues/2524 so I need to decide how to move forward.

[kriskowal]

Version 2 is an alternate reality for this library, where I got rid of shims and factored out and replaced the change observer mechanism. Version 3 forks directly off of Version 1 and is a much less invasive change, which was necessary to retain a semblance of compatibility with Montage in production. V2 come from my fork https://github.com/kriskowal/collections and I maintain it.

[Bazze]

Thank you @kriskowal for the info!

[kriskowal]

@marchant please consider closing this issue (I am not a collaborator on this repository). v2 exists and does not have shims. I’ll continue to maintain backward compatible minor and patch releases of v2, but v3 and forward are designed for Montage and do not break compatibility with v1 as much.

[AIRTucha]

I am sorry to trouble you, but I can not find the v2 at all. Is it removed?

[codebling]

See also issues #36 #70 #94 #95 #116 #139 #145 #162 #165 #169 #178 #182 #185 #197 #215 #220 and PRs #94 #95 #116 #173 #189 #212. Branch v2 fixes these issues by avoiding global object modification.

[sgronblo]

What's the latest status on this v2 branch being published officially? And what is the maintenance status of this project?

[kriskowal]

v2 was published as v2 on npm, although it is not the “latest” version. I am not an active maintainer on this project.

[hthetiot]

For latest V2 update see PR here https://github.com/montagejs/collections/pull/189