@endo/lockdown 1.0.14 → 1.0.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/SECURITY.md +2 -2
- package/commit-debug.js +10 -6
- package/package.json +3 -4
- package/pre.js +12 -11
package/SECURITY.md
CHANGED
|
@@ -8,9 +8,9 @@ be made for the most recent branch only.
|
|
|
8
8
|
|
|
9
9
|
## Coordinated Vulnerability Disclosure of Security Bugs
|
|
10
10
|
|
|
11
|
-
SES stands for fearless cooperation, and strong security requires strong collaboration with security researchers. If you believe that you have found a security sensitive bug that should not be disclosed until a fix has been made available, we encourage you to report it. To report a bug in HardenedJS, you have several options that include:
|
|
11
|
+
SES stands for fearless cooperation, and strong security requires strong collaboration with security researchers. If you believe that you have found a security sensitive bug that should not be disclosed until a fix has been made available, we encourage you to report it. To report a bug in HardenedJS, you have several options that include:
|
|
12
12
|
|
|
13
|
-
* Reporting the issue to the [Agoric HackerOne vulnerability rewards program](https://hackerone.com/agoric).
|
|
13
|
+
* Reporting the issue to the [Agoric HackerOne vulnerability rewards program](https://hackerone.com/agoric).
|
|
14
14
|
|
|
15
15
|
* Sending an email to security at (@) agoric.com., encrypted or unencrypted. To encrypt, please use @Warner’s personal GPG key [A476E2E6 11880C98 5B3C3A39 0386E81B 11CAA07A](http://www.lothar.com/warner-gpg.html) .
|
|
16
16
|
|
package/commit-debug.js
CHANGED
|
@@ -21,13 +21,13 @@ lockdown({
|
|
|
21
21
|
// NOTE TO REVIEWERS: If you see the following line commented out,
|
|
22
22
|
// this may be a development accident that should be fixed before merging.
|
|
23
23
|
//
|
|
24
|
-
errorTaming: 'unsafe
|
|
24
|
+
errorTaming: 'unsafe',
|
|
25
25
|
|
|
26
26
|
// The default `{stackFiltering: 'concise'}` setting usually makes for a
|
|
27
27
|
// better debugging experience, by severely reducing the noisy distractions
|
|
28
28
|
// of the normal verbose stack traces. Which is why we comment
|
|
29
|
-
// out the
|
|
30
|
-
// tools look for the full filename that it expects in order
|
|
29
|
+
// out the other settings below. However, some
|
|
30
|
+
// tools look for the full filename path that it expects in order
|
|
31
31
|
// to fetch the source text for diagnostics,
|
|
32
32
|
//
|
|
33
33
|
// Another reason for not commenting it out: The cause
|
|
@@ -36,10 +36,14 @@ lockdown({
|
|
|
36
36
|
// uncomment out the following line. But please do not commit it in that
|
|
37
37
|
// state.
|
|
38
38
|
//
|
|
39
|
-
// NOTE TO REVIEWERS: If you see the
|
|
40
|
-
// this may be a development accident that MUST be
|
|
39
|
+
// NOTE TO REVIEWERS: If you see the `stackFiltering` settings *not*
|
|
40
|
+
// commented out below, this may be a development accident that MUST be
|
|
41
|
+
// fixed before merging.
|
|
41
42
|
//
|
|
42
|
-
// stackFiltering: '
|
|
43
|
+
// stackFiltering: 'concise', // Omit frames and shorten paths
|
|
44
|
+
// stackFiltering: 'omit-frames', // Only omit frames. Do not shorten paths
|
|
45
|
+
// stackFiltering: 'shorten-paths', // Only shorten paths. Do not omit frames
|
|
46
|
+
// stackFiltering: 'verbose', // Do not omit frames or shorten paths
|
|
43
47
|
|
|
44
48
|
// The default `{overrideTaming: 'moderate'}` setting does not hurt the
|
|
45
49
|
// debugging experience much. But it will introduce noise into, for example,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@endo/lockdown",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.16",
|
|
4
4
|
"description": "Wrappers for hardening JavaScript for Endo",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "pre.js",
|
|
@@ -16,13 +16,12 @@
|
|
|
16
16
|
"build": "exit 0",
|
|
17
17
|
"test": "exit 0",
|
|
18
18
|
"test:xs": "exit 0",
|
|
19
|
-
"lint-check": "yarn lint",
|
|
20
19
|
"lint-fix": "eslint --fix '**/*.js'",
|
|
21
20
|
"lint": "eslint '**/*.js'",
|
|
22
21
|
"postpack": "git clean -f '*.d.ts*' '*.tsbuildinfo'"
|
|
23
22
|
},
|
|
24
23
|
"dependencies": {
|
|
25
|
-
"ses": "^1.
|
|
24
|
+
"ses": "^1.13.0"
|
|
26
25
|
},
|
|
27
26
|
"files": [
|
|
28
27
|
"./*.d.ts",
|
|
@@ -62,5 +61,5 @@
|
|
|
62
61
|
"publishConfig": {
|
|
63
62
|
"access": "public"
|
|
64
63
|
},
|
|
65
|
-
"gitHead": "
|
|
64
|
+
"gitHead": "571b7803cf10df7cb4fa9d70e4d53a0b53767fa8"
|
|
66
65
|
}
|
package/pre.js
CHANGED
|
@@ -102,13 +102,12 @@ export const lockdown = defaultOptions => {
|
|
|
102
102
|
// this may be a development accident that MUST be fixed before merging.
|
|
103
103
|
//
|
|
104
104
|
// errorTaming: 'unsafe',
|
|
105
|
-
|
|
106
|
-
//
|
|
105
|
+
|
|
107
106
|
// The default `{stackFiltering: 'concise'}` setting usually makes for a
|
|
108
107
|
// better debugging experience, by severely reducing the noisy distractions
|
|
109
108
|
// of the normal verbose stack traces. Which is why we comment
|
|
110
|
-
// out the
|
|
111
|
-
// tools look for the full filename that it expects in order
|
|
109
|
+
// out the other settings below. However, some
|
|
110
|
+
// tools look for the full filename path that it expects in order
|
|
112
111
|
// to fetch the source text for diagnostics,
|
|
113
112
|
//
|
|
114
113
|
// Another reason for not commenting it out: The cause
|
|
@@ -117,12 +116,15 @@ export const lockdown = defaultOptions => {
|
|
|
117
116
|
// uncomment out the following line. But please do not commit it in that
|
|
118
117
|
// state.
|
|
119
118
|
//
|
|
120
|
-
// NOTE TO REVIEWERS: If you see the
|
|
121
|
-
// this may be a development accident that MUST be
|
|
122
|
-
//
|
|
123
|
-
// stackFiltering: 'verbose',
|
|
124
|
-
//
|
|
119
|
+
// NOTE TO REVIEWERS: If you see the `stackFiltering` settings *not*
|
|
120
|
+
// commented out below, this may be a development accident that MUST be
|
|
121
|
+
// fixed before merging.
|
|
125
122
|
//
|
|
123
|
+
// stackFiltering: 'concise', // Omit frames and shorten paths
|
|
124
|
+
// stackFiltering: 'omit-frames', // Only omit frames. Do not shorten paths
|
|
125
|
+
// stackFiltering: 'shorten-paths', // Only shorten paths. Do not omit frames
|
|
126
|
+
// stackFiltering: 'verbose', // Do not omit frames or shorten paths
|
|
127
|
+
|
|
126
128
|
// The default `{overrideTaming: 'moderate'}` setting does not hurt the
|
|
127
129
|
// debugging experience much. But it will introduce noise into, for example,
|
|
128
130
|
// the vscode debugger's object inspector. During debug and test, if you can
|
|
@@ -134,8 +136,7 @@ export const lockdown = defaultOptions => {
|
|
|
134
136
|
// this may be a development accident that MUST be fixed before merging.
|
|
135
137
|
//
|
|
136
138
|
// overrideTaming: 'min',
|
|
137
|
-
|
|
138
|
-
//
|
|
139
|
+
|
|
139
140
|
// The default `{consoleTaming: 'safe'}` setting usually makes for a
|
|
140
141
|
// better debugging experience, by wrapping the original `console` with
|
|
141
142
|
// the SES replacement `console` that provides more information about
|