-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Freeze Promise global on boot #7309
Freeze Promise global on boot #7309
Conversation
Interesting - I wonder if we still need to mutate the Promise global in tests. It looks like it was done to enable catching of uncaught exceptions, but V8 has gotten better at that since it was written 🤔 |
When I attempted to run this as a normal unit test, the error seemed to come from a test dependency (
Edit: ah, the point of Bluebird in the testing environment is to help with the uncaught exceptions? |
Yes, exactly. It's setup in |
We overwrite the global Promise with |
app/scripts/lib/freezeGlobals.js
Outdated
} | ||
|
||
if (value !== undefined) { | ||
target[key] = deepFreeze() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm guessing this was meant to be
target[key] = deepFreeze() | |
target[key] = deepFreeze(target[key]) |
In which case it could just be taken out of the condition altogether, as both branches are identical.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, no.... maybe it should be
target[key] = deepFreeze() | |
opts.value = deepFreeze(value) |
As target[key]
is getting overwritten 🤦♂️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haha, yes, the latter. Now shortened to: opts.value = deepFreeze(value)
It's my facepalm, not yours!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
Per a security advisory from an audit, freezes the Promise global and prevents its reassignment on boot, in both the background and UI.
Pins the version of
deep-freeze-strict
as we use it to freeze the Promise, and the point here is to prevent certain supply chain attacks.Adds new tests (
test:unit:global
) that are run in CI. These tests must be separate as freezing the Promise global breaks our normal test environments (at least the unit tests).Removes
tape
fromdevDependencies
, as we were not actually using that for anything.Marked as needs QA since if a dependency modifies the Promise global, an error will be thrown that they probably won't catch. I imagine they'll usually do something like that in their entry file, but you never know.