-
-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): Upgrade symbol-observable to version 2 #315
Conversation
symbol-observable instead of symbol-observer in the commit message. |
Done. |
Ah, I missed an important detail. |
Well, evidently only being passingly familiar with TypeScript has proven a hindrance in converting |
Hey @kriskowal, thanks for the PR. It looks all good to me, I don't understand what you meant with ponyfill instead of polyfill, it seems like symbol-observable is already a ponyfill. And I think I would call this a non-breaking change because xstream was released in 2016, two years after the browsers you mentioned here were updated. The only change I would make is fixing the commit message to not have an exclamation mark, it's not a convention in this repo. But I can do this as a "squash and merge". |
@staltz |
@kriskowal Alright, but can you help me understand why change xstream from |
@staltz That is correct. To be fully pedantic, |
This upgrade brings xstream into the set of npm packages that can be safely run without any mutation of primordial prototypes. Such packages can be used in applications that freeze the prototypes to mitigate prototype pollution supply chain attacks. For example, `xstream` is in the supply chain for the CosmJS financial instruments project and would benefit from such safety measures. This is considered a breaking change on account of the unlikely possibility that a platform exists that does not support both Symbol and Symbol.for. This hypothetical platform would no longer be supported. Closes staltz#312
This is ready for review again. What’s changed?
|
@staltz Thank you for your feedback. I’ve addressed that and upgraded the necessary dependencies. I’ve not made a change that freezes the the primordials before running tests, but can do that in a follow-up if that’s desirable. For now, the posted changes are sufficient for anyone using |
Thanks @kriskowal. One question about the |
Interesting. Otherwise, some JS environments, particularly the XS engine, only realizes the global object by the name SES does not require that you use the |
@kriskowal Okay, bummer that |
Released |
This upgrade brings xstream into the set of npm packages that can be safely run without any mutation of primordial prototypes. Such packages can be used in applications that freeze the prototypes to mitigate prototype pollution supply chain attacks. For example,
xstream
is in the supply chain for the CosmJS financial instruments project and would benefit from such safety measures.This is considered a breaking change on account of the unlikely possibility that a platform exists that does not support both Symbol and Symbol.for. This hypothetical platform would no longer be supported.
Closes #312