Upgrade symbol-observable to ^2 #312

Closed
webmaster128 opened this issue Sep 7, 2020 · 1 comment · Fixed by #315

symbol-observable version 2 was released, including a fix that allows us to use SES and LavaMoat as a defense against prototype pollution and supply chain attacks.

The CHANGELOG contains the following warning:

> BREAKING CHANGE: This moves to using Symbol.for to create the symbol instance. It's possible that some runtimes that support Symbol do not support Symbol.for. Therefore, I'm marking this as a breaking change. If you find that you hit this issue, please report it. You can work around it by polyfilling Symbol.for.

According to caniuse.com, Symbol and Symbol.for have practically the same support. The only difference I see is in Chrome 38-39 (released in 2014) and Opera 25-26 (released in 2014).
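
Added example, not part of the original issue and not code from symbol-observable or xstream: it contrasts registering a well-known symbol by writing a property onto `Symbol` with obtaining it from the global registry via `Symbol.for`, when `Symbol` has been frozen as a hardened runtime would do. The function names, the registry key and the frozen stand-in object are assumptions made for illustration.

```javascript
// Constructed registry key for this example (not the key any real package uses).
const KEY = 'example:observable';

// Registration by mutation: the symbol is shared by writing it onto `Symbol`.
// In strict mode this throws a TypeError once `Symbol` is frozen.
function registerByMutation(SymbolCtor) {
  'use strict';
  if (!SymbolCtor.observable) {
    SymbolCtor.observable = SymbolCtor('observable');
  }
  return SymbolCtor.observable;
}

// Registration through the global symbol registry: every caller that asks
// for the same key gets the same symbol, and no primordial is written to.
function registerByRegistry(SymbolCtor, key) {
  'use strict';
  return SymbolCtor.observable || SymbolCtor.for(key);
}

// Constructed stand-in for the frozen `Symbol` of a hardened realm, so the
// example does not freeze the real global of the process running it.
function frozenSymbolStandIn() {
  const ctor = (description) => Symbol(description);
  ctor.for = (key) => Symbol.for(key);
  return Object.freeze(ctor);
}

function demo() {
  const frozen = frozenSymbolStandIn();
  let mutationError = null;
  try {
    registerByMutation(frozen);
  } catch (err) {
    mutationError = err;
  }
  // Two independent "copies" of a library asking for the symbol.
  const first = registerByRegistry(frozen, KEY);
  const second = registerByRegistry(frozen, KEY);
  return {
    mutationFailed: mutationError instanceof TypeError,
    registryShared: first === second,
    frozenUntouched: !('observable' in frozen),
    plainSymbolsDiffer: Symbol('observable') !== Symbol('observable'),
  };
}
```
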

kriskowal added a commit to agoric-labs/xstream that referenced this issue Sep 21, 2020
This upgrade brings xstream into the set of npm packages that can be safely run without any mutation of primordial prototypes. Such packages can be used in applications that freeze the prototypes to mitigate prototype pollution supply chain attacks. For example, `xstream` is in the supply chain for the CosmJS financial instruments project and would benefit from such safety measures.

This is considered a breaking change on account of the unlikely possibility that a platform exists that does not support both Symbol and Symbol.for. This hypothetical platform would no longer be supported.

Closes staltz#312
kriskowal added a commit to agoric-labs/xstream that referenced this issue Oct 8, 2020
staltz pushed a commit that referenced this issue Oct 12, 2020

staltz commented Oct 12, 2020

Released xstream@11.14.0
