adding mikera/vectorz to thaw allowlist

[ptaoussanis]

Hi there! Has someone verified that all the targeted classes are safe? What's the level of confidence?

Thanks

[danielfleischer]

I've used the Vector and AVector classes, but I'm not aware of any official verifications.

See vectorz and the clojure bindings vectorz-clj for more detail.

[ptaoussanis]

Hi there!

Unfortunately I don't think this'd make sense to add to the default list for a couple reasons:

1. Someone would need to properly investigate to check that there's no security risk posed by any of the classes. This is a solvable problem but would take some work.
2. I'm not sure that this library is common enough to warrant inclusion in the defaults.

Why does 2. matter?

• Noise for library consumers. (If we add defaults for this long-tail library, we'd be setting a precedent for more such additions - making it more cumbersome for users to review+manage the whitelist).
  • Added default classes also impose an ongoing maintenance burden since we'll need to keep an eye out for possible security issues in new releases, etc.

Would recommend you just add the classes you need to your own configuration.

Hope this makes sense!

Cheers :-)

[danielfleischer]

Hi, thanks for the clarification, it makes perfect sense.