Upgrade symbol-observable to ^2 #312
kriskowal added a commit to agoric-labs/xstream that referenced this issue on Sep 21, 2020
This upgrade brings xstream into the set of npm packages that can be safely run without any mutation of primordial prototypes. Such packages can be used in applications that freeze the prototypes to mitigate prototype pollution supply chain attacks. For example, `xstream` is in the supply chain for the CosmJS financial instruments project and would benefit from such safety measures. This is considered a breaking change on account of the unlikely possibility that a platform exists that does not support both Symbol and Symbol.for. This hypothetical platform would no longer be supported. Closes staltz#312
kriskowal added a commit to agoric-labs/xstream that referenced this issue on Oct 8, 2020
staltz pushed a commit that referenced this issue on Oct 12, 2020
This upgrade brings xstream into the set of npm packages that can be safely run without any mutation of primordial prototypes. Such packages can be used in applications that freeze the prototypes to mitigate prototype pollution supply chain attacks. For example, `xstream` is in the supply chain for the CosmJS financial instruments project and would benefit from such safety measures. This is considered a breaking change on account of the unlikely possibility that a platform exists that does not support both Symbol and Symbol.for. This hypothetical platform would no longer be supported. Closes #312
symbol-observable version 2 was released, including a fix that allows us to use SES and LavaMoat as a defense against prototype pollution and supply chain attacks.
The CHANGELOG contains the following warning
According to caniuse.com, Symbol and Symbol.for have practically the same support. The only difference I see is in Chrome 38-39 (released in 2014) and Opera 25-26 (released in 2014).
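The failure mode the commit message refers to, as an added example that is not code from xstream, symbol-observable, SES or LavaMoat: a module that publishes a symbol by writing onto `Symbol` throws once that intrinsic is frozen, while a `Symbol.for` registry lookup needs no write. The function names and the registry key are assumptions made for illustration, and `Object.freeze` on `Symbol` stands in for the prototype freezing the commit message describes.

```javascript
// Added example. Function names and the registry key are hypothetical.

// Style 1: publish a shared symbol by writing it onto the Symbol constructor.
function installByMutation(root) {
  'use strict'; // strict mode turns a rejected write into a TypeError
  const S = root.Symbol;
  if (!S.observable) {
    S.observable = S('observable'); // mutates a primordial
  }
  return S.observable;
}

// Style 2: obtain a shared symbol from the global registry; nothing is written.
function lookupInRegistry(root) {
  'use strict';
  return root.Symbol.for('example:observable'); // constructed key
}

// Stand-in for a lockdown step, limited to the one intrinsic used here.
function freezeSymbolIntrinsic(root) {
  Object.freeze(root.Symbol);
  Object.freeze(root.Symbol.prototype);
}

function runUnderFrozenIntrinsics() {
  const root = globalThis;
  freezeSymbolIntrinsic(root);
  const report = { mutation: 'ok', registry: 'ok', polluted: false };
  try {
    installByMutation(root);
  } catch (err) {
    report.mutation = err.name; // write to a frozen object was refused
  }
  // Two independent lookups must agree for separate packages to interoperate.
  if (lookupInRegistry(root) !== lookupInRegistry(root)) {
    report.registry = 'mismatch';
  }
  report.polluted = Object.prototype.hasOwnProperty.call(root.Symbol, 'observable');
  return report;
}

console.log(runUnderFrozenIntrinsics());
```

Running a dependency's entry point under frozen intrinsics in CI surfaces this class of incompatibility before the freeze is enabled in production.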