[Deps] remove function-bind dependency #16
Conversation
Close to 90% of the bundle size is due to `function-bind` dependency. By removing this dependency, the package is lighter and we save bits for the planet.
This causes the package to be broken when someone does `delete Function.prototype.call` later.
If someone will
There’s no defense from first-run code. That node breaks in this case doesn’t change that browsers don’t, and this package (like most) is designed to also run in the browser.
There’s also no way to defend against `.call` deletion in an engine without a native bind - so the current state of the package is the best possible balance of robustness and correctness.
@ljharb In a sense my proposal reduces the attack surface. In the current implementation, if In contrast the proposed change reduces the attack surface at the redefinition or deletion of
It is always assumed that the module is evaluated in a clean realm (because nothing else is remotely defensible) - meaning, `Function.prototype.bind` either exists (native, or polyfilled) or does not. In the former case, function-bind just provides the native method. In the latter case, you’re right that https://unpkg.com/browse/function-bind@1.1.1/implementation.js has a number of attack surfaces at runtime - but the solution is to harden that package, not weaken this one.
@ljharb
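The point argued in the thread, that a module evaluated in a clean realm can capture the native `bind`/`call` pair once at load time and is then unaffected by later deletion of `Function.prototype.call`, can be demonstrated directly. The following is an added example, not code from this PR or from the function-bind project: `fragileInvoke`, `robustInvoke`, `callBoundBind`, `greet` and `simulateCallDeletion` are names chosen here for illustration, and the "later script" that deletes `Function.prototype.call` is simulated inside the example and then restored.

```javascript
'use strict';

// Added example, not code from the function-bind project or from this PR.
// It contrasts a helper that resolves Function.prototype.call on every
// invocation with one that captured the native bind/call pair at load time,
// then simulates first-run code deleting Function.prototype.call.

// Captured once at module load, while the realm is still assumed clean.
const $call = Function.prototype.call;
const $bind = Function.prototype.bind;

// callBoundBind(fn, thisArg, ...args) behaves like fn.bind(thisArg, ...args),
// but never reads Function.prototype again after this line: it is a bound
// function whose target ($call) and receiver ($bind) are the captured natives.
const callBoundBind = $call.bind($bind);

// Fragile: `fn.call` is looked up through the prototype chain on each use,
// so deleting Function.prototype.call later breaks it.
function fragileInvoke(fn, thisArg, ...args) {
  return fn.call(thisArg, ...args);
}

// Robust: the bound function created here only references captured natives.
function robustInvoke(fn, thisArg, ...args) {
  return callBoundBind(fn, thisArg)(...args);
}

// Constructed sample method used by both helpers.
function greet(greeting) {
  return greeting + ', ' + this.name;
}

// Simulate a later script deleting Function.prototype.call, run both helpers
// inside that window, and restore the original property descriptor so the
// rest of the program is unaffected. Returns what each helper did.
function simulateCallDeletion() {
  const descriptor = Object.getOwnPropertyDescriptor(Function.prototype, 'call');
  delete Function.prototype.call;
  try {
    let fragileError = null;
    try {
      fragileInvoke(greet, { name: 'Alice' }, 'Hello');
    } catch (e) {
      fragileError = e;
    }
    const robustResult = robustInvoke(greet, { name: 'Alice' }, 'Hello');
    return {
      fragileThrew: fragileError instanceof TypeError,
      robustResult,
    };
  } finally {
    Object.defineProperty(Function.prototype, 'call', descriptor);
  }
}

console.log(simulateCallDeletion());
// { fragileThrew: true, robustResult: 'Hello, Alice' }
```

The example only shows the case where a native `bind` exists; as the thread notes, when there is no native `bind` at all there is nothing to capture, and the polyfill's runtime lookups remain exposed.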