feat(harden): Introduce @endo/harden #3008

Merged
kriskowal merged 40 commits into master from kriskowal-endo-harden-adopt-shallow
Feb 25, 2026

@kriskowal
Member

Closes: #2978

Description

This change introduces an @endo/harden package that allows packages to be written for use in a JS or a HardenedJS environment without modification. The @endo/harden module provides a behavior that depends on the environment and packaging conditions.

Without any packaging conditions, in a HardenedJS environment, @endo/harden provides the environment’s “volume freezing” harden, meaning that it freezes the closure over both dimensions: transitive properties and prototypes.

Also without any packaging conditions, if the environment does not provide a harden, @endo/harden provides a “surface freezing” harden, meaning that it freezes the closure over only the one dimension: properties. This provides a modicum of immutability without interfering with shims or other mutations to shared, intrinsic prototypes.

With the hardened condition (node -C hardened, bundle-source -C hardened), @endo/harden will not retain an implementation of harden and will assert that harden existed as Object[Symbol.for('harden')] or globalThis.harden in the environment and vend out that harden. This is useful to minimize the size of bundles that can safely presume that they will run in a HardenedJS environment.

With the noop-harden condition (node -C noop-harden), @endo/harden will provide a version of harden that returns its argument unaltered.

With these new modes, we expect to deprecate the lockdown option for "unsafe" hardenTaming which goes further and replaces isExtensible, isFrozen, and isSealed with versions that misreport true for extensible, unfrozen, or unsealed objects respectively. We hope that the new default behavior of surface hardening will suffice, but we leave the noop-harden condition as an option since that should have performance parity with unsafe harden taming for environments that need it.

As a side-effect, every kind of harden will install itself on first use at Object[Symbol.for('harden')] as a non-configurable property such that the first @endo/harden implementation used wins the race to define the hardening behavior of the realm. SES will install the same property at time of lockdown, but if it loses the race, will throw an exception indicating that the realm cannot be locked down because of unsafe usage of harden before lockdown, and render up the stack of the first use for diagnostic purposes.

Security Considerations

@endo/harden provides a new mode of usage that is less safe than lockdown for environments in which lockdown is not practical. We do not expect safety to regress in lockdown environments as a consequence.

This change strengthens one safety guarantee: going forward, hardened modules using @endo/harden will not be vulnerable to hosts that endow a compartment with a weakened version of harden, because @endo/harden always favors the Object[Symbol.for('harden')] enshrined on a shared intrinsic hardened by lockdown.

Scaling Considerations

Adopting @endo/harden will increase the size of bundles, and since this change adopts @endo/harden throughout the Endo stack, this bundle size increase may become problematic for systems close to their bundle size limits. We provide the bundler condition hardened to mitigate this problem.

Documentation Considerations

  • This change comes with documentation in README and NEWS for all impacted packages, including advice to adopt the hardened bundle condition to mitigate the bundle size increase.

Testing Considerations

This change adds configurations to sesAvaConfigs where adopting @endo/harden allows those packages to be used in more configurations. The salient configuration is Endo with shims installed only, without calling Lockdown, in the cases where packages continue to rely on Assert or Eventual Send. We hope in time to test in the Base configuration, without any shims. Some packages are able to adopt the No-op mode of harden and are accordingly tested in that mode.

Compatibility Considerations

This change is additive apart from the expected increase in bundle size, for which we provide a mitigation.

Upgrade Considerations

None.
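
The surface/volume distinction and the first-use-wins slot at `Object[Symbol.for('harden')]` described in the PR description above, as an added example: a simplified model written for this page, not code from @endo/harden or SES. `makeHarden`, `registerHarden`, `resolveHarden`, `lockdownInstall` and the stand-in `host` objects are hypothetical; `traversePrototypes` borrows the option name from the commit list further down, and the sample objects use null prototypes so that the volume walk never reaches real intrinsics.

```javascript
// Added illustration: a simplified model, not the @endo/harden or SES source.
const HARDEN_KEY = Symbol.for('harden');

const isObject = value =>
  (typeof value === 'object' && value !== null) || typeof value === 'function';

// traversePrototypes=false: freeze the transitive closure over own properties
// only ("surface"). traversePrototypes=true: also follow prototype links
// ("volume").
function makeHarden({ traversePrototypes }) {
  return function harden(root) {
    const seen = new Set();
    const pending = [root];
    while (pending.length > 0) {
      const value = pending.pop();
      if (!isObject(value) || seen.has(value)) continue;
      seen.add(value);
      Object.freeze(value);
      for (const key of Reflect.ownKeys(value)) {
        const desc = Object.getOwnPropertyDescriptor(value, key);
        if ('value' in desc) pending.push(desc.value);
        else pending.push(desc.get, desc.set);
      }
      if (traversePrototypes) pending.push(Object.getPrototypeOf(value));
    }
    return root;
  };
}

// Record a harden in a slot that can be neither reassigned nor reconfigured.
function registerHarden(host, harden) {
  Object.defineProperty(host, HARDEN_KEY, {
    value: harden,
    writable: false,
    enumerable: false,
    configurable: false,
  });
  return harden;
}

// Module-side lookup: the slot always wins over a harden endowed by a host;
// if the slot is empty, this first use fills it.
function resolveHarden(host, endowed, fallback) {
  const slot = Object.getOwnPropertyDescriptor(host, HARDEN_KEY);
  if (slot) return slot.value;
  return registerHarden(host, endowed || fallback);
}

// Lockdown-side install: refuse to proceed if some harden already ran.
function lockdownInstall(host, volumeHarden) {
  if (Object.getOwnPropertyDescriptor(host, HARDEN_KEY)) {
    throw new TypeError('cannot lock down: harden was used before lockdown');
  }
  return registerHarden(host, volumeHarden);
}

// Constructed sample: null-prototype objects only.
function sample() {
  const proto = Object.create(null);
  proto.kind = 'base';
  const obj = Object.create(proto);
  obj.nested = Object.create(null);
  obj.nested.n = 1;
  return { obj, proto };
}

function compareModes() {
  const report = {};
  for (const [name, traversePrototypes] of [['surface', false], ['volume', true]]) {
    const { obj, proto } = sample();
    makeHarden({ traversePrototypes })(obj);
    report[name] = {
      root: Object.isFrozen(obj),
      nested: Object.isFrozen(obj.nested),
      proto: Object.isFrozen(proto),
    };
  }
  return report;
}

function raceDemo() {
  const surface = makeHarden({ traversePrototypes: false });
  const volume = makeHarden({ traversePrototypes: true });
  const weakened = x => x; // constructed: a no-op harden endowed by a host

  const host = {}; // stand-in for the shared intrinsic `Object`
  const first = resolveHarden(host, undefined, surface); // use before lockdown
  const second = resolveHarden(host, weakened, volume);
  let lockdownError = null;
  try {
    lockdownInstall(host, volume);
  } catch (err) {
    lockdownError = err.message;
  }
  const slot = Object.getOwnPropertyDescriptor(host, HARDEN_KEY);

  const clean = {}; // a second stand-in where lockdown runs first
  lockdownInstall(clean, volume);
  return {
    firstWins: first === surface && second === surface,
    slotLocked: !slot.configurable && !slot.writable,
    lockdownError,
    endowedIgnored: resolveHarden(clean, weakened, surface) === volume,
  };
}

console.log(compareModes(), raceDemo());
```

In the surface report the prototype stays unfrozen, which is the property that leaves room for shims to keep patching shared prototypes; in the volume report it is frozen as well.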

@kriskowal kriskowal force-pushed the kriskowal-endo-harden-adopt-shallow branch 4 times, most recently from 5f340d9 to 2f3a89e Compare January 9, 2026 04:48
@kriskowal kriskowal force-pushed the kriskowal-endo-harden-adopt-shallow branch 2 times, most recently from 8c9dceb to 1c8e2c0 Compare January 14, 2026 06:48
@kriskowal kriskowal mentioned this pull request Jan 18, 2026
@kriskowal kriskowal marked this pull request as ready for review January 20, 2026 03:12
@@ -0,0 +1,471 @@
// Adapted from SES/Caja - Copyright (C) 2011 Google Inc.
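Review bot: The attribution comment on line 1 of this new 471-line file names SES/Caja as the origin but not the file it was adapted from; name the source path next to it so that later fixes to the original can be compared against this copy.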
Contributor

Why does this PR only add this file here, rather than (re)moving it from ses/src? What are the salient differences from the one in ses/src?

Member Author

I’ve set up the commits for this PR to make these changes evident.

  • Straight copy from SES: 8ef4cb8
  • Relieve dependence on SES internal assert 8ef4cb8
  • Add traversePrototypes option b17cb9f
  • Copy entirety of commons inline into this module without modification 00e76cc
  • Mechanically remove exports for commons 0be9b41
  • Inline the Harden type to relieve a dependence on SES types 3ab5053
  • Collect unused Commons d1fea29

Contributor

THANKS! This was amazingly helpful.

@erights erights self-requested a review January 20, 2026 22:59
@@ -0,0 +1,539 @@
/** @import {RemoteKit, Settler} from '@endo/eventual-send' */
Contributor

@erights erights Jan 26, 2026

Why does this PR contain this file as a new file?


# Next release

- Removes dependence on global `harden`.
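Review bot: The entry under "# Next release" says only that dependence on the global `harden` is removed and does not say whether the module's exports are still hardened some other way; state which it is, since a consumer reading NEWS cannot tell from this line whether an immutability guarantee was dropped.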
Contributor

But why? This PR makes it possible to use harden with almost zero cost.

Member Author

This was not previously a rigorously hardened module. The constructor was not hardened, so this harden was a paltry nod. But, you are correct that we could make it a hardened module, now.

@erights erights self-requested a review January 27, 2026 00:35
erights added a commit that referenced this pull request Feb 3, 2026
Closes: #XXXX
Refs: #3008  , #1686 , #1582
Refs: https://github.com/dckc/inter-fun/blob/main/gapp/unmarshal.js
Refs:
https://www.google.com/search?q=what+version+of+ecmascript+does+apps+script+support&oq=what+version+of+ecmascript+does+apps+script+support&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDsyBggDEEUYOzIGCAQQLhhA0gEHODg4ajBqMagCALACAA&sourceid=chrome&ie=UTF-8


## Description

One of the reasons @dckc reimplemented marshal as
https://github.com/dckc/inter-fun/blob/main/gapp/unmarshal.js is to be
able to use it in Apps Script. After marshal adapts to #3008 , it should
be much easier to create a marshal with far fewer dependencies that
should be adequate for these purposes. However, at least one annoying
problem would prevent that.


https://www.google.com/search?q=what+version+of+ecmascript+does+apps+script+support&oq=what+version+of+ecmascript+does+apps+script+support&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDsyBggDEEUYOzIGCAQQLhhA0gEHODg4ajBqMagCALACAA&sourceid=chrome&ie=UTF-8
 
at one point said 

> Literal syntax limitation: The shortcut syntax for `BigInt` literals
(e.g., `10n`) is not supported by the script editor’s parser, and will
cause a syntax error. You must use the `BigInt()` constructor with a
string argument instead (e.g., `BigInt("10"))`.

Actually, when a number is accurate, we can use that instead of a
string.

Endo is not in general trying for compat with Apps Script. But packages
that will have minimal dependencies after adapting to
#3008 might, such as `@endo/marshal`
and `@endo/ocapn`. This PR readies such packages for that by avoiding
the bigint literals that would prevent that.

### Security Considerations
none
### Scaling Considerations

none
### Documentation Considerations

none
### Testing Considerations

none
### Compatibility Considerations

the point. After we adapt to #3008, this PR will help enable some
packages (marshal, ocapn) to run under Apps Script despite the
limitations quoted above. There may be other problems, but at least this
PR eliminates one known problem.

### Upgrade Considerations
none.
@kriskowal kriskowal force-pushed the kriskowal-endo-harden-adopt-shallow branch from 1c8e2c0 to 471494d Compare February 21, 2026 07:54
@changeset-bot

changeset-bot bot commented Feb 21, 2026

🦋 Changeset detected

Latest commit: 2d741ef

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 32 packages
| Name | Type |
| --- | --- |
| @endo/harden | Minor |
| ses | Minor |
| @endo/module-source | Minor |
| @endo/bundle-source | Minor |
| @endo/captp | Minor |
| @endo/check-bundle | Minor |
| @endo/common | Minor |
| @endo/eventual-send | Minor |
| @endo/exo | Minor |
| @endo/import-bundle | Minor |
| @endo/lp32 | Minor |
| @endo/marshal | Minor |
| @endo/memoize | Minor |
| @endo/nat | Minor |
| @endo/netstring | Minor |
| @endo/pass-style | Minor |
| @endo/patterns | Minor |
| @endo/promise-kit | Minor |
| @endo/stream-node | Minor |
| @endo/stream | Minor |
| @endo/zip | Minor |
| @endo/cli | Patch |
| @endo/daemon | Patch |
| @endo/errors | Patch |
| @endo/far | Patch |
| @endo/init | Patch |
| @endo/ocapn | Patch |
| @endo/ses-ava | Patch |
| @endo/compartment-mapper | Patch |
| @endo/lockdown | Patch |
| @endo/stream-types-test | Patch |
| @endo/test262-runner | Patch |

@kriskowal kriskowal force-pushed the kriskowal-endo-harden-adopt-shallow branch 5 times, most recently from 9957769 to e15a003 Compare February 22, 2026 05:01
@kriskowal
Member Author

I ran into trouble using @endo/harden in ModuleSource because we require @endo/module-source/shim.js to be imported before lockdown, and using harden before lockdown breaks lockdown.

The solution was to perform a transitive surface freeze of ModuleSource constructors, prototypes, and instances manually.

'ses': minor
---

- `lockdown` and `repairIntrinsics` now detect if a hardened module (using
Contributor

It is possible to misunderstand this as detecting whether a module imported @endo/harden as opposed to detecting whether it called the imported harden.

@kriskowal kriskowal force-pushed the kriskowal-endo-harden-adopt-shallow branch from 6117550 to 2d741ef Compare February 25, 2026 04:19
@kriskowal kriskowal merged commit 8297f41 into master Feb 25, 2026
41 of 42 checks passed
@kriskowal kriskowal deleted the kriskowal-endo-harden-adopt-shallow branch February 25, 2026 04:30
@github-actions github-actions bot mentioned this pull request Feb 23, 2026
boneskull added a commit that referenced this pull request Feb 26, 2026
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and publish to npm
yourself or [setup this action to publish
automatically](https://github.com/changesets/action#with-publishing). If
you're not ready to do a release yet, that's fine, whenever you add more
changesets to master, this PR will be updated.


# Releases
## @endo/compartment-mapper@2.0.0

### Major Changes

- [#3082](#3082) [`2e00276`](2e00276) Thanks [@boneskull](https://github.com/boneskull)!
    -   **Breaking:** `CompartmentMapDescriptor` no longer has a `path` property.
    -   **Breaking:** `CompartmentMapDescriptor`'s `label` property is now a _canonical name_ (a string of one or more npm package names separated by `>`).
    -   **Breaking:** The `CompartmentMapDescriptor` returned by `captureFromMap()` now uses canonical names as the keys in its `compartments` property.
    -   Breaking types: `CompartmentMapDescriptor`, `CompartmentDescriptor`, `ModuleConfiguration` (renamed from `ModuleDescriptor`) and `ModuleSource` have all been narrowed into discrete subtypes.
    -   `captureFromMap()`, `loadLocation()` and `importLocation()` now accept a `moduleSourceHook` option. This hook is called when processing each module source, receiving the module source data (location, language, bytes, or error information) and the canonical name of the containing package.
    -   `captureFromMap()` now accepts a `packageConnectionsHook` option. This hook is called for each retained compartment with its canonical name and the set of canonical names of compartments it links to (its connections). Useful for analyzing or visualizing the dependency graph.
    -   `mapNodeModules()`, `loadLocation()`, `importLocation()`, `makeScript()`, `makeFunctor()`, and `writeScript()` now accept the following hook options:
        -   `unknownCanonicalNameHook`: Called for each canonical name mentioned in policy but not found in the compartment map. Useful for detecting policy misconfigurations.
        -   `packageDependenciesHook`: Called for each package with its set of dependencies. Can return partial updates to modify the dependencies, enabling dependency filtering or injection based on policy.
        -   `packageDataHook`: Called once with data about all packages found while crawling `node_modules`, just prior to creation of a compartment map.
    -   When dynamic requires are enabled via configuration, execution now takes policy into consideration when no other relationship (for example, a dependent/dependee relationship) between two Compartments exists. When policy explicitly allows access from package _A_ to _B_ and _A_ dynamically requires _B_ (via absolute path or otherwise), the operation will succeed. This can occur _if and only if_ dynamic requires are enabled _and_ a policy is provided.
    -   Improved error messaging for policy enforcement failures.

### Patch Changes

- [#3055](#3055)
[`81b4c40`](81b4c40)
Thanks [@naugtur](https://github.com/naugtur)! - - Introduces additional
signal to consider an export from a package an ESM module when it's
selected via an `import` key in `exports` in package.json in case no
other indication of it being an ESM module is present.

- Updated dependencies
\[[`2e00276`](2e00276),
[`a29ecd4`](a29ecd4),
[`a7d3d26`](a7d3d26),
[`d83b1ab`](d83b1ab)]:
    -   ses@1.15.0
    -   @endo/module-source@1.4.0
    -   @endo/zip@1.1.0

## @endo/bundle-source@4.2.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- [#3083](#3083)
[`644ab15`](644ab15)
Thanks [@turadg](https://github.com/turadg)! - Fix bundle cache corner
cases, improve cache-root validation, and clarify CLI docs for
`endoScript` bundle format.

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`d83b1ab`](d83b1ab),
[`b8b52ce`](b8b52ce),
[`a2c32ec`](a2c32ec),
[`81b4c40`](81b4c40)]:
    -   @endo/compartment-mapper@2.0.0
    -   @endo/harden@1.1.0
    -   @endo/promise-kit@1.2.0
    -   @endo/init@1.1.13
    -   @endo/evasive-transform@2.1.0

## @endo/captp@4.5.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`d83b1ab`](d83b1ab),
[`98f77e9`](98f77e9)]:
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/eventual-send@1.4.0
    -   @endo/marshal@1.9.0
    -   @endo/nat@5.2.0
    -   @endo/pass-style@1.7.0
    -   @endo/promise-kit@1.2.0

## @endo/check-bundle@1.1.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`81b4c40`](81b4c40)]:
    -   @endo/errors@1.3.0
    -   @endo/compartment-mapper@2.0.0
    -   @endo/harden@1.1.0

## @endo/common@1.3.0

### Minor Changes

- [#3082](#3082)
[`2e00276`](2e00276)
Thanks [@boneskull](https://github.com/boneskull)! - Deprecates this
package's support for the checkFoo/assertCheck pattern (`Checker`,
`identChecker`) in favor of the confirm/reject pattern supported by
@endo/errors/rejector.js.

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`d83b1ab`](d83b1ab)]:
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/eventual-send@1.4.0
    -   @endo/promise-kit@1.2.0

## @endo/errors@1.3.0

### Minor Changes

- [#3082](#3082)
[`2e00276`](2e00276)
Thanks [@boneskull](https://github.com/boneskull)! - - Exports
`assert.details` under its own name (i.e., `details`).

- `hideAndHardenFunction` - If a function `foo` is first frozen with
`hideAndHardenFunction(foo)` rather than `freeze(foo)` or `harden(foo)`,
then `foo.name` is changed from `'foo'` to `'__HIDE_foo'`. When
`stackFiltering: 'concise'` or `stackFiltering: 'omit-frames'`, then
(currently only on v8), the stack frames for that function are omitted
from the stacks reported by our causal console.
    -   The new `Rejector` type supports the confirmFoo/reject pattern:

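        ```js
        import { Fail, hideAndHardenFunction } from '@endo/errors';
        // Type-only import; the `reject: Rejector` annotation below is
        // TypeScript-style notation.
        import type { Rejector } from '@endo/errors/rejector.js';

        // Returns true when the specimen passes. Otherwise returns false when
        // `reject` is false, or throws when `reject` is `Fail`.
        const confirmFoo = (specimen, reject: Rejector) =>
          test(specimen) || (reject && reject`explanation of what went wrong`);

        export const isFoo = specimen => confirmFoo(specimen, false);
        hideAndHardenFunction(isFoo);

        export const assertFoo = specimen => {
          confirmFoo(specimen, Fail);
        };
        hideAndHardenFunction(assertFoo);
        ```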

        Both `false` and `Fail` satisfy the `Rejector` type.
We also deprecate the old checkFoo/assertChecker pattern from
@endo/common.
The exported `isFoo` and `assertFoo` behave the same as they had when
they were using the checkFoo/assertChecker pattern, but are now
internally faster and clearer.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0

## @endo/evasive-transform@2.1.0

### Minor Changes

- [#3026](#3026)
[`a2c32ec`](a2c32ec)
Thanks [@naugtur](https://github.com/naugtur)! - - Add
meaning-preserving transformation of expressions and literals containing
content that would otherwise be rejected by SES for looking like dynamic
import or HTML-like comments. Previously only comments were transformed.
Use `onlyComments` option to opt-out of the new behavior.

## @endo/eventual-send@1.4.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`029dcc4`](029dcc4)]:
    -   @endo/harden@1.1.0

## @endo/exo@1.6.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`98f77e9`](98f77e9),
[`029dcc4`](029dcc4),
[`2e00276`](2e00276),
[`98f77e9`](98f77e9),
[`d83b1ab`](d83b1ab),
[`c488503`](c488503),
[`98f77e9`](98f77e9)]:
    -   @endo/errors@1.3.0
    -   @endo/patterns@1.8.0
    -   @endo/harden@1.1.0
    -   @endo/common@1.3.0
    -   @endo/eventual-send@1.4.0
    -   @endo/pass-style@1.7.0

## @endo/harden@1.1.0

### Minor Changes

- [#3008](#3008)
[`029dcc4`](029dcc4)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Introduces
`@endo/harden`, providing a `harden` implementation that works
    both inside and outside HardenedJS.
- Supports the `hardened` and `harden:unsafe` build conditions to select
        hardened-environment and no-op behaviors.
- Detects pre-lockdown use of `harden` so `lockdown()` fails with a
helpful
        error instead of leaving modules incorrectly hardened.

All notable changes to this project will be documented in this file.
See [Conventional Commits](https://conventionalcommits.org) for commit
guidelines.

## @endo/import-bundle@1.6.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`81b4c40`](81b4c40)]:
    -   ses@1.15.0
    -   @endo/errors@1.3.0
    -   @endo/compartment-mapper@2.0.0
    -   @endo/harden@1.1.0

## @endo/lp32@1.2.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`d83b1ab`](d83b1ab)]:
    -   ses@1.15.0
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/stream@1.3.0

## @endo/marshal@1.9.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`2e00276`](2e00276),
[`d83b1ab`](d83b1ab),
[`98f77e9`](98f77e9)]:
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/common@1.3.0
    -   @endo/eventual-send@1.4.0
    -   @endo/nat@5.2.0
    -   @endo/pass-style@1.7.0
    -   @endo/promise-kit@1.2.0

## @endo/memoize@1.2.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0

## @endo/module-source@1.4.0

### Minor Changes

- [#3008](#3008)
[`a7d3d26`](a7d3d26)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Transitively
freezes the properties of `ModuleSource` constructors and
    instances without requiring lockdown, for greater safety against
    supply-chain-attack.
`ModuleSource`, particularly through the `@endo/module-source/shim.js`,
necessarily runs before `lockdown` is called (if ever) and cannot rely
on
`harden`, so must preemptively transitively freeze its properties to be
    a hardened module, regardless of whether `lockdown` is ever called.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0

## @endo/nat@5.2.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

## @endo/netstring@1.1.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`d83b1ab`](d83b1ab),
[`b8b52ce`](b8b52ce)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0
    -   @endo/promise-kit@1.2.0
    -   @endo/stream@1.3.0
    -   @endo/init@1.1.13

## @endo/pass-style@1.7.0

### Minor Changes

- [#3008](#3008)
[`d83b1ab`](d83b1ab)
Thanks [@kriskowal](https://github.com/kriskowal)! - - Relaxes
dependence on a global, post-lockdown `harden` function by taking a
    dependency on the new `@endo/harden` package.
Consequently, bundles will now entrain a `harden` implementation that is
superfluous if the bundled program is guaranteed to run in a
post-lockdown
    HardenedJS environment.
To compensate, use `bundle-source` with `-C hardened` or the analogous
feature
    for packaging conditions with your preferred bundler tool.
This will hollow out `@endo/harden` and defer exclusively to the global
    `harden`.

- [#3082](#3082)
[`98f77e9`](98f77e9)
Thanks [@boneskull](https://github.com/boneskull)! - - Deprecates
`assertChecker`. Use `Fail` in the confirm/reject pattern instead, as
supported by `@endo/errors/rejector.js`.
- Enables `passStyleOf` to make errors passable as a side-effect when
SES locks down with `hardenTaming` set to `unsafe`, which impacts errors
on V8 starting with Node.js 21, and similar engines, that own a `stack`
getter and setter that would otherwise be repaired as a side-effect of
`harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`2e00276`](2e00276),
[`d83b1ab`](d83b1ab)]:
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/common@1.3.0
    -   @endo/eventual-send@1.4.0
    -   @endo/promise-kit@1.2.0

## @endo/patterns@1.8.0

### Minor Changes

- [#3082](#3082)
[`98f77e9`](98f77e9)
Thanks [@boneskull](https://github.com/boneskull)! - `@endo/patterns`
now exports a new `getNamedMethodGuards(interfaceGuard)` that returns
that interface guard's record of method guards. The motivation is to
support interface inheritance expressed by patterns like

    ```js
    const I2 = M.interface('I2', {
      ...getNamedMethodGuards(I1),
      doMore: M.call().returns(M.any()),
    });
    ```

See `@endo/exo`'s `exo-wobbly-point.test.js` to see it in action
together with an experiment in class inheritance.

- [#3008](#3008) [`d83b1ab`](d83b1ab) Thanks [@kriskowal](https://github.com/kriskowal)! -
  Relaxes dependence on a global, post-lockdown `harden` function by taking a
  dependency on the new `@endo/harden` package.
  Consequently, bundles will now entrain a `harden` implementation that is
  superfluous if the bundled program is guaranteed to run in a post-lockdown
  HardenedJS environment.
  To compensate, use `bundle-source` with `-C hardened` or the analogous feature
  for packaging conditions with your preferred bundler tool.
  This will hollow out `@endo/harden` and defer exclusively to the global
  `harden`.

### Patch Changes

- [#3082](#3082)
[`98f77e9`](98f77e9)
Thanks [@boneskull](https://github.com/boneskull)! - The `sloppy` option
for `@endo/patterns` interface guards is deprecated. Use `defaultGuards`
instead.

- [#3065](#3065) [`c488503`](c488503) Thanks [@gibson042](https://github.com/gibson042)! -
  `containerHasSplit` now hardens its output(s) when working with copyArrays,
  ensuring that each output is itself a copyArray instance.

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`2e00276`](2e00276),
[`d83b1ab`](d83b1ab),
[`98f77e9`](98f77e9)]:
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/common@1.3.0
    -   @endo/eventual-send@1.4.0
    -   @endo/marshal@1.9.0
    -   @endo/pass-style@1.7.0
    -   @endo/promise-kit@1.2.0

## @endo/promise-kit@1.2.0

### Minor Changes

- [#3008](#3008) [`d83b1ab`](d83b1ab) Thanks [@kriskowal](https://github.com/kriskowal)! -
  Relaxes dependence on a global, post-lockdown `harden` function by taking a
  dependency on the new `@endo/harden` package.
  Consequently, bundles will now entrain a `harden` implementation that is
  superfluous if the bundled program is guaranteed to run in a post-lockdown
  HardenedJS environment.
  To compensate, use `bundle-source` with `-C hardened` or the analogous feature
  for packaging conditions with your preferred bundler tool.
  This will hollow out `@endo/harden` and defer exclusively to the global
  `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0

## ses@1.15.0

### Minor Changes

- [#3082](#3082) [`2e00276`](2e00276) Thanks [@boneskull](https://github.com/boneskull)!
  - Adds `assert.makeError` and deprecates `assert.error` as an alias, matching
    the API already exported from `@endo/errors`.
  - Before this version, the `assert` left in global scope before `lockdown`
    would redact errors and would be replaced by `lockdown` with a version that
    did _not_ redact errors if the caller opted-in with `errorTaming` set to
    one of the `unsafe` variants.
    After this version, the reverse is true: the `assert` left in global scope
    before `lockdown` does not redact.
    Then, `lockdown` replaces `assert` with a redacting `assert` unless the
    caller opted-out with `errorTaming` set to one of the `unsafe` variants.

- [#3008](#3008) [`a29ecd4`](a29ecd4) Thanks [@kriskowal](https://github.com/kriskowal)!
  - `lockdown` and `repairIntrinsics` now detect when code has already called a
    `harden` imported from `@endo/harden` before lockdown, and fail with a
    clear error about hardened modules executing before lockdown.
  - Adds `Object[Symbol.for('harden')]` as a variant of `globalThis.harden`
    that cannot be overridden by an endowment named `harden` in compartments.

## @endo/ses-ava@1.4.0

### Minor Changes

- [#3082](#3082) [`2e00276`](2e00276) Thanks [@boneskull](https://github.com/boneskull)!
  - Introduces a `ses-ava` command for running tests with multiple AVA
    configurations.
  - Adds an `@endo/ses-ava/test.js` module for getting a `test` function
    appropriate for your configuration.
  - Adds an `@endo/ses-ava/prepare-endo-config.js` module suitable for use in
    the `require` clause of an AVA configuration, such that
    `@endo/ses-ava/test.js` exports a wrapped SES-AVA `test` function.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`b8b52ce`](b8b52ce)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0
    -   @endo/init@1.1.13

## @endo/stream@1.3.0

### Minor Changes

- [#3008](#3008) [`d83b1ab`](d83b1ab) Thanks [@kriskowal](https://github.com/kriskowal)! -
  Relaxes dependence on a global, post-lockdown `harden` function by taking a
  dependency on the new `@endo/harden` package.
  Consequently, bundles will now entrain a `harden` implementation that is
  superfluous if the bundled program is guaranteed to run in a post-lockdown
  HardenedJS environment.
  To compensate, use `bundle-source` with `-C hardened` or the analogous feature
  for packaging conditions with your preferred bundler tool.
  This will hollow out `@endo/harden` and defer exclusively to the global
  `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`d83b1ab`](d83b1ab)]:
    -   ses@1.15.0
    -   @endo/harden@1.1.0
    -   @endo/eventual-send@1.4.0
    -   @endo/promise-kit@1.2.0

## @endo/stream-node@1.2.0

### Minor Changes

- [#3008](#3008) [`d83b1ab`](d83b1ab) Thanks [@kriskowal](https://github.com/kriskowal)! -
  Relaxes dependence on a global, post-lockdown `harden` function by taking a
  dependency on the new `@endo/harden` package.
  Consequently, bundles will now entrain a `harden` implementation that is
  superfluous if the bundled program is guaranteed to run in a post-lockdown
  HardenedJS environment.
  To compensate, use `bundle-source` with `-C hardened` or the analogous feature
  for packaging conditions with your preferred bundler tool.
  This will hollow out `@endo/harden` and defer exclusively to the global
  `harden`.

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`d83b1ab`](d83b1ab),
[`b8b52ce`](b8b52ce)]:
    -   ses@1.15.0
    -   @endo/errors@1.3.0
    -   @endo/harden@1.1.0
    -   @endo/stream@1.3.0
    -   @endo/init@1.1.13

## @endo/zip@1.1.0

### Minor Changes

- [#3008](#3008) [`d83b1ab`](d83b1ab) Thanks [@kriskowal](https://github.com/kriskowal)! -
  Relaxes dependence on a global, post-lockdown `harden` function by taking a
  dependency on the new `@endo/harden` package.
  Consequently, bundles will now entrain a `harden` implementation that is
  superfluous if the bundled program is guaranteed to run in a post-lockdown
  HardenedJS environment.
  To compensate, use `bundle-source` with `-C hardened` or the analogous feature
  for packaging conditions with your preferred bundler tool.
  This will hollow out `@endo/harden` and defer exclusively to the global
  `harden`.

## @endo/init@1.1.13

### Patch Changes

- [#3085](#3085) [`b8b52ce`](b8b52ce) Thanks [@copilot-swe-agent](https://github.com/apps/copilot-swe-agent)! -
  Move async_hooks patch to dedicated entrypoint for Node.js 24 compatibility

The async_hooks patch was originally added in #1115 to address debugger
issues (#1105) for local debugging of Node.js processes in lockdown
mode. However, the patch is breaking in Node.js 24, and it's unclear
whether it's still necessary in Node.js 20+.

To maintain backward compatibility while fixing the Node.js 24 breakage,
the patch has been moved from the default import path to a new dedicated
entrypoint `@endo/init/debug-async-hooks.js`. This allows users who need
the async_hooks patch for debugging in older Node.js versions to opt-in
explicitly, while preventing breakage for users on Node.js 24+.

If you were relying on the async_hooks patch, import
`@endo/init/debug-async-hooks.js` instead of `@endo/init/debug.js`. Note
that this entrypoint may not work correctly in Node.js 24+.

- Updated dependencies
\[[`029dcc4`](029dcc4),
[`d83b1ab`](d83b1ab)]:
    -   @endo/harden@1.1.0
    -   @endo/eventual-send@1.4.0
    -   @endo/promise-kit@1.2.0

## @endo/cli@2.3.12

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`98f77e9`](98f77e9),
[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`644ab15`](644ab15),
[`98f77e9`](98f77e9),
[`d83b1ab`](d83b1ab),
[`b8b52ce`](b8b52ce),
[`c488503`](c488503),
[`98f77e9`](98f77e9),
[`81b4c40`](81b4c40)]:
    -   ses@1.15.0
    -   @endo/errors@1.3.0
    -   @endo/patterns@1.8.0
    -   @endo/compartment-mapper@2.0.0
    -   @endo/harden@1.1.0
    -   @endo/bundle-source@4.2.0
    -   @endo/eventual-send@1.4.0
    -   @endo/exo@1.6.0
    -   @endo/import-bundle@1.6.0
    -   @endo/pass-style@1.7.0
    -   @endo/promise-kit@1.2.0
    -   @endo/stream-node@1.2.0
    -   @endo/init@1.1.13
    -   @endo/daemon@2.5.2

## @endo/daemon@2.5.2

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`98f77e9`](98f77e9),
[`2e00276`](2e00276),
[`029dcc4`](029dcc4),
[`a29ecd4`](a29ecd4),
[`98f77e9`](98f77e9),
[`d83b1ab`](d83b1ab),
[`b8b52ce`](b8b52ce),
[`c488503`](c488503),
[`81b4c40`](81b4c40)]:
    -   ses@1.15.0
    -   @endo/errors@1.3.0
    -   @endo/patterns@1.8.0
    -   @endo/compartment-mapper@2.0.0
    -   @endo/harden@1.1.0
    -   @endo/captp@4.5.0
    -   @endo/eventual-send@1.4.0
    -   @endo/exo@1.6.0
    -   @endo/import-bundle@1.6.0
    -   @endo/marshal@1.9.0
    -   @endo/netstring@1.1.0
    -   @endo/promise-kit@1.2.0
    -   @endo/stream-node@1.2.0
    -   @endo/stream@1.3.0
    -   @endo/init@1.1.13

## @endo/test262-runner@0.1.49

### Patch Changes

- Updated dependencies
\[[`2e00276`](2e00276),
[`2e00276`](2e00276),
[`a29ecd4`](a29ecd4),
[`81b4c40`](81b4c40)]:
    -   ses@1.15.0
    -   @endo/compartment-mapper@2.0.0
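
The `harden` lookup that the `ses@1.15.0` and `@endo/harden` notes above describe, written out as an added example that is not code from the Endo project. `surfaceHarden`, `resolveHarden`, `demo` and the `mode` argument (a stand-in for the packaging condition) are hypothetical names, and checking the symbol-keyed `harden` before the global one is an assumption.

```javascript
// Added illustration, not the @endo/harden source; all function names are hypothetical.
const HARDEN_KEY = Symbol.for('harden');

// "Surface" freeze: follow own properties transitively, never prototypes.
function surfaceHarden(root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const value = stack.pop();
    const isObject = Object(value) === value; // true for objects and functions
    if (!isObject || seen.has(value)) continue;
    seen.add(value);
    Object.freeze(value);
    for (const key of Reflect.ownKeys(value)) {
      const desc = Object.getOwnPropertyDescriptor(value, key);
      // Data properties contribute their value; accessors their get/set functions.
      stack.push(desc.value, desc.get, desc.set);
    }
  }
  return root;
}

// `mode` stands in for the packaging condition: 'default', 'hardened' or 'noop-harden'.
// `objectCtor` and `globalObject` are injectable so a compartment can be simulated.
function resolveHarden(mode, objectCtor = Object, globalObject = globalThis) {
  if (mode === 'noop-harden') return value => value;
  // Assumed order: symbol-keyed variant first; an endowment can shadow only the global name.
  const ambient = objectCtor[HARDEN_KEY] || globalObject.harden;
  if (typeof ambient === 'function') return ambient;
  if (mode === 'hardened') {
    throw new Error('hardened condition: no harden found in the environment');
  }
  return surfaceHarden;
}

// Constructed scenario: `envHarden` plays the lockdown-installed harden; `harden` is a no-op endowment.
function demo() {
  const envHarden = value => Object.freeze(value);
  const sharedObject = { [HARDEN_KEY]: envHarden };
  const compartmentGlobal = { harden: value => value };
  const picked = resolveHarden('hardened', sharedObject, compartmentGlobal);
  class Point { constructor(x) { this.pos = { x }; } }
  const point = resolveHarden('default', {}, {})(new Point(1));
  return {
    pickedEnvHarden: picked === envHarden,
    nestedFrozen: Object.isFrozen(point.pos),
    prototypeFrozen: Object.isFrozen(Point.prototype),
  };
}
```

In `demo()`, the do-nothing `harden` endowment is ignored in favor of the symbol-keyed function, and the fallback freezes `point.pos` while leaving `Point.prototype` extensible.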