-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Eliminate shims in v2 #95
Comments
The shims are pretty intrusive at the moment. I am considering an alternate design that would decouple the shims entirely, using separate modules for each of the operators like I’m familiar with SES. To use Collections as is, the shim modules would need to be instantiated before initSES, and would need to be added to the table of approved globals. |
Thanks for the quick response. Before adding the shims to the table of approved globals, I would want to audit collections's source code and make sure those shimmed methods are secure enough to be whitelisted. I'm looking forward to seeing the alternate design with decoupled shims, if/when it sees the light of day. Thanks again! |
Hello again, I've been working on a fork of collections that does not modify any global objects or prototypes. It's almost complete (cspotcode/collections#do-not-modify-builtins). I noticed collections v2.0.1 is released. Is that version ready for prime time, or is it more of a beta? If it's ready for production use, I'm going to try making a version of v2 that doesn't modify any globals. Thanks in advance. |
I intend to decouple v2 from modifying globals as much as possible. Some of this has landed in that branch. I expect that will just leave observable arrays monkey patching. The v2 branch is pre-beta and will not be published to the "latest" tag unless and until MontageJS elects to adopt it, which is unlikely and not soon. In the interim, adventurous users may |
Ok, thanks for the info. |
+1. The shims are off putting which made me reconsider using this library. |
+1 the |
@dantman, try collections@2. |
@kriskowal Nope, it appears that |
Ah, I see. There are unreleased changes in the v2 branch. Thanks. |
Try now. 2.0.2 does not have shims. Let me know how it goes; this is a pretty big change, and change observers are factored into another package. |
It looks like it works. |
So what is this |
Version 2 is an alternate reality for this library, where I got rid of shims and factored out and replaced the change observer mechanism. Version 3 forks directly off of Version 1 and is a much less invasive change, which was necessary to retain a semblance of compatibility with Montage in production. V2 come from my fork https://github.com/kriskowal/collections and I maintain it. |
Thank you @kriskowal for the info! |
@marchant please consider closing this issue (I am not a collaborator on this repository). v2 exists and does not have shims. I’ll continue to maintain backward compatible minor and patch releases of v2, but v3 and forward are designed for Montage and do not break compatibility with v1 as much. |
The "collections" package has issues with array shims causing other dependencies to break when least expected. This has been discussed in multiple issues: - montagejs/collections#162 - montagejs/collections#95 - balderdashy/sails#2524 Another solution to this could be to depend on "[email protected]" instead which is a version without shims.
I am sorry to trouble you, but I can not find the v2 at all. Is it removed? |
What's the latest status on this v2 branch being published officially? And what is the maintenance status of this project? |
v2 was published as v2 on npm, although it is not the “latest” version. I am not an active maintainer on this project. |
For latest V2 update see PR here #189 |
I'm evaluating whether or not to use this library for a project. My project may use Secure ECMAScript (SES) in the future, meaning I cannot modify any built-in prototypes. Secure ECMAScript enforces object-capability security by locking down all built-in objects (Object, Array, etc) so that they can't be modified.
Does your documentation explain how to use collections without modifying any built-in prototypes? I looked around on collectionsjs.com and only found references to how your code modifies prototypes sometimes, but I didn't find anything explaining how to explicitly avoid modifications.
Thanks in advance.
The text was updated successfully, but these errors were encountered: