Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Eliminate shims in v2 #95

Open
cspotcode opened this issue Sep 1, 2014 · 21 comments
Open

Eliminate shims in v2 #95

cspotcode opened this issue Sep 1, 2014 · 21 comments
Milestone

Comments

@cspotcode
Copy link

I'm evaluating whether or not to use this library for a project. My project may use Secure ECMAScript (SES) in the future, meaning I cannot modify any built-in prototypes. Secure ECMAScript enforces object-capability security by locking down all built-in objects (Object, Array, etc) so that they can't be modified.

Does your documentation explain how to use collections without modifying any built-in prototypes? I looked around on collectionsjs.com and only found references to how your code modifies prototypes sometimes, but I didn't find anything explaining how to explicitly avoid modifications.

Thanks in advance.

@kriskowal
Copy link
Member

The shims are pretty intrusive at the moment. I am considering an alternate design that would decouple the shims entirely, using separate modules for each of the operators like equals and compare.

I’m familiar with SES. To use Collections as is, the shim modules would need to be instantiated before initSES, and would need to be added to the table of approved globals.

@cspotcode
Copy link
Author

Thanks for the quick response.

Before adding the shims to the table of approved globals, I would want to audit collections's source code and make sure those shimmed methods are secure enough to be whitelisted.

I'm looking forward to seeing the alternate design with decoupled shims, if/when it sees the light of day.

Thanks again!

@cspotcode
Copy link
Author

Hello again, I've been working on a fork of collections that does not modify any global objects or prototypes. It's almost complete (cspotcode/collections#do-not-modify-builtins).

I noticed collections v2.0.1 is released. Is that version ready for prime time, or is it more of a beta? If it's ready for production use, I'm going to try making a version of v2 that doesn't modify any globals.

Thanks in advance.

@kriskowal
Copy link
Member

I intend to decouple v2 from modifying globals as much as possible. Some of this has landed in that branch. I expect that will just leave observable arrays monkey patching. The v2 branch is pre-beta and will not be published to the "latest" tag unless and until MontageJS elects to adopt it, which is unlikely and not soon. In the interim, adventurous users may npm install collections@future or collections@2.

@cspotcode
Copy link
Author

Ok, thanks for the info.

@kriskowal kriskowal changed the title Using collections without any shimming or modification of built-in prototypes? Eliminate shims in v2 Feb 17, 2015
@dashed
Copy link

dashed commented Mar 2, 2015

+1. The shims are off putting which made me reconsider using this library.

@dantman
Copy link

dantman commented Jul 1, 2015

+1 the clone shim breaks Sequelize and I'm going to have to find a way to work around it.

@kriskowal
Copy link
Member

@dantman, try collections@2.

@dantman
Copy link

dantman commented Jul 1, 2015

@kriskowal Nope, it appears that array.clone still exists in 2.0.1 and Sequelize still dies in the same way.

@kriskowal
Copy link
Member

Ah, I see. There are unreleased changes in the v2 branch. Thanks.

@kriskowal
Copy link
Member

Try now. 2.0.2 does not have shims. Let me know how it goes; this is a pretty big change, and change observers are factored into another package.

@dantman
Copy link

dantman commented Jul 1, 2015

It looks like it works.

@Bazze
Copy link

Bazze commented Oct 17, 2016

So what is this 2.0.2 version actually? It's available through npm but I can't find any tag or similar for it here. How old is that version? What's missing compared to latest version? Is 2.0.2 actually the only way to get the collections package without the shims at the moment? Using the latest version, 5.0.5, breaks stuff in sails as mentioned in #162 and balderdashy/sails#2524 so I need to decide how to move forward.

@kriskowal
Copy link
Member

Version 2 is an alternate reality for this library, where I got rid of shims and factored out and replaced the change observer mechanism. Version 3 forks directly off of Version 1 and is a much less invasive change, which was necessary to retain a semblance of compatibility with Montage in production. V2 come from my fork https://github.com/kriskowal/collections and I maintain it.

@Bazze
Copy link

Bazze commented Oct 17, 2016

Thank you @kriskowal for the info!

@kriskowal
Copy link
Member

@marchant please consider closing this issue (I am not a collaborator on this repository). v2 exists and does not have shims. I’ll continue to maintain backward compatible minor and patch releases of v2, but v3 and forward are designed for Montage and do not break compatibility with v1 as much.

Bazze pushed a commit to Bazze/memcache-plus that referenced this issue Oct 17, 2016
The "collections" package has issues with array shims causing other
dependencies to break when least expected. This has been discussed
in multiple issues:

 - montagejs/collections#162
 - montagejs/collections#95
 - balderdashy/sails#2524

Another solution to this could be to depend on "collections@2.0.2"
instead which is a version without shims.
@hthetiot hthetiot self-assigned this Jun 17, 2017
@hthetiot hthetiot added this to the 6.x milestone Dec 7, 2017
@AIRTucha
Copy link
Contributor

AIRTucha commented Nov 8, 2018

I am sorry to trouble you, but I can not find the v2 at all. Is it removed?

@codebling
Copy link

See also issues #36 #70 #94 #95 #116 #139 #145 #162 #165 #169 #178 #182 #185 #197 #215 #220 and PRs #94 #95 #116 #173 #189 #212. Branch v2 fixes these issues by avoiding global object modification.

@sgronblo
Copy link

What's the latest status on this v2 branch being published officially? And what is the maintenance status of this project?

@kriskowal
Copy link
Member

v2 was published as v2 on npm, although it is not the “latest” version. I am not an active maintainer on this project.

@hthetiot hthetiot removed their assignment Sep 24, 2020
@hthetiot
Copy link
Contributor

For latest V2 update see PR here #189

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants