pierrec / node-eval

Evaluate node require() module content directly
MIT License
93 stars 16 forks source link

fix: include all non-enumerable globals in global scope #27

Closed Josh-Cena closed 2 years ago

Josh-Cena commented 2 years ago

Fix #24. See also https://github.com/facebook/docusaurus/issues/6915

I'm not sure if there are significant risks in doing so, but it certainly looks more scalable than monkey-patching each useful global to the global scope. I'm also fine with putting this behind an opt-in flag, but after all, simply merging all enumerable properties on global doesn't seem very useful.

Josh-Cena commented 2 years ago

/ping @pierrec Really appreciate it if you can take a look and give feedback on how we can properly address this

slorber commented 2 years ago

Reporting 2 issues we have on Docusaurus with the new version:

I don't know if this PR is safe by default but I suggest providing the ability to at least exclude some globals. (tried scope with undefined values and didn't work)

Here's the list of globals before:

[
  "global",
  "clearInterval",
  "clearTimeout",
  "setInterval",
  "setTimeout",
  "queueMicrotask",
  "performance",
  "clearImmediate",
  "setImmediate",
  "__extends",
  "__assign",
  "__rest",
  "__decorate",
  "__param",
  "__metadata",
  "__awaiter",
  "__generator",
  "__exportStar",
  "__createBinding",
  "__values",
  "__read",
  "__spread",
  "__spreadArrays",
  "__spreadArray",
  "__await",
  "__asyncGenerator",
  "__asyncDelegator",
  "__asyncValues",
  "__makeTemplateObject",
  "__importStar",
  "__importDefault",
  "__classPrivateFieldGet",
  "__classPrivateFieldSet",
  "consola",
  "console",
  "process",
  "URL"
]

And here's the list after:

[
  "Object",
  "Function",
  "Array",
  "Number",
  "parseFloat",
  "parseInt",
  "Infinity",
  "NaN",
  "undefined",
  "Boolean",
  "String",
  "Symbol",
  "Date",
  "Promise",
  "RegExp",
  "Error",
  "AggregateError",
  "EvalError",
  "RangeError",
  "ReferenceError",
  "SyntaxError",
  "TypeError",
  "URIError",
  "globalThis",
  "JSON",
  "Math",
  "console",
  "Intl",
  "ArrayBuffer",
  "Uint8Array",
  "Int8Array",
  "Uint16Array",
  "Int16Array",
  "Uint32Array",
  "Int32Array",
  "Float32Array",
  "Float64Array",
  "Uint8ClampedArray",
  "BigUint64Array",
  "BigInt64Array",
  "DataView",
  "Map",
  "BigInt",
  "Set",
  "WeakMap",
  "WeakSet",
  "Proxy",
  "Reflect",
  "FinalizationRegistry",
  "WeakRef",
  "decodeURI",
  "decodeURIComponent",
  "encodeURI",
  "encodeURIComponent",
  "escape",
  "unescape",
  "eval",
  "isFinite",
  "isNaN",
  "global",
  "process",
  "Buffer",
  "atob",
  "btoa",
  "URL",
  "URLSearchParams",
  "TextEncoder",
  "TextDecoder",
  "AbortController",
  "AbortSignal",
  "EventTarget",
  "Event",
  "MessageChannel",
  "MessagePort",
  "MessageEvent",
  "clearInterval",
  "clearTimeout",
  "setInterval",
  "setTimeout",
  "queueMicrotask",
  "performance",
  "clearImmediate",
  "setImmediate",
  "SharedArrayBuffer",
  "Atomics",
  "WebAssembly",
  "__extends",
  "__assign",
  "__rest",
  "__decorate",
  "__param",
  "__metadata",
  "__awaiter",
  "__generator",
  "__exportStar",
  "__createBinding",
  "__values",
  "__read",
  "__spread",
  "__spreadArrays",
  "__spreadArray",
  "__await",
  "__asyncGenerator",
  "__asyncDelegator",
  "__asyncValues",
  "__makeTemplateObject",
  "__importStar",
  "__importDefault",
  "__classPrivateFieldGet",
  "__classPrivateFieldSet",
  "consola"
]
Josh-Cena commented 2 years ago

@slorber The second one is unrelated, it's because of custom JS transpilers and ESM interop problems. But I can indeed reproduce this first problem now, I shouldn't have forwarded anything in the ES standard (and hence already in the sandbox scope)...