
chore(deps): Bump ses from 1.1.0 to 1.13.0 #151

Closed
wants to merge 1 commit into from

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jun 4, 2025

Bumps ses from 1.1.0 to 1.13.0.

Release notes

Sourced from ses's releases.

2025-06-02 Releases

ses v1.13.0

  • Two new stackFiltering: options are added

    • 'omit-frames' -- Only omit likely uninteresting frames. Keep original paths.
    • 'shorten-paths' -- Only shorten paths to text likely clickable in an IDE

    This fills out the matrix of what should have been orthogonal options. The existing 'concise' setting both omits likely uninteresting frames and shortens their paths. The existing 'verbose' setting does neither.

  • Uses the @endo/immutable-arraybuffer shim to add ArrayBuffer.p.immutable, ArrayBuffer.p.transferToImmutable, and ArrayBuffer.p.sliceToImmutable to ses, in order to emulate the Immutable ArrayBuffer proposal. These make an ArrayBuffer-like object whose contents cannot be mutated. However, due to limitations of the shim:

    • Unlike ArrayBuffer and SharedArrayBuffer, this shim's ArrayBuffer-like object cannot be transferred or cloned between JS threads.
    • Unlike ArrayBuffer and SharedArrayBuffer, this shim's ArrayBuffer-like object cannot be used as the backing store of TypedArrays or DataViews.
    • The shim depends on the platform providing either structuredClone or Array.prototype.transfer. Node <= 16 and provides neither, causing the shim to fail to initialize, and therefore SES to fail to initialize on such platforms.
    • Current Hermes has even stronger constraints, lacking structuredClone, transfer, private fields, and even class syntax. This requires other coping strategies. See endojs/endo#2785
    • Even after the upcoming transferToImmutable proposal is implemented by the platform, the current code will still replace it with the shim implementation, in accord with shim best practices. See endojs/endo#2311. It will require a later manual step to delete the shim or have it avoid overwriting a platform implementation, after manual analysis of the compat implications.
  • The evalTaming option 'safe-eval' now can only throw error SES_DIRECT_EVAL. This allows SES to initialize with 'unsafe-eval' or 'no-eval' on hosts with no direct eval available such as Hermes for a successful lockdown that tolerates its language features.

    The module name ses/hermes can now be required to call lockdown and repairIntrinsics only, Compartment is not yet available.

    It is currently compatible with Hermes v0.12.0, we plan to support v0.13.0 then subsequent Hermes tags or side-by-side versions built for React Native depending on ecosystem usage and official support, then Static Hermes when released.

    Also ses/hermes can now be hooked into bundlers such as Metro to run Hardened JS.

@endo/compartment-mapper v1.6.1

  • The dev flag for mapNodeModules() is no longer deprecated. The concept of a "condition" (conditional exports) is distinct from the flag's original meaning (instructs mapNodeModules() to consider devDependencies when graphing packages). Users who have switched to using a development condition for dev's purpose are encouraged to switch back to using the dev flag instead. In a future release, the presence of a development condition will no longer mimic an enabled dev flag and will only be considered when evaluating conditional exports.

@endo/evasive-transform v2.0.0

  • The sourceType option is now restricted to script and module only. Function signature types have changed to be more precise.

@endo/bundle-source v4.1.0

  • The 'endoZipBase64' moduleFormat now utilizes the importHook option to exit dependencies whose specifiers return a truthy value.

@endo/import-bundle v1.5.0

  • The 'endoZipBase64' moduleFormat now utilizes the importHook option.

2025-03-24

ses v1.12.0

  • The evalTaming: option values are renamed:

    • from 'safeEval', 'unsafeEval', and 'noEval'
    • to 'safe-eval', 'unsafe-eval', and 'no-eval'

    in order to follow the convention that lockdown option values use kebab-case rather than camelCase. To avoid breaking old programs during the transition, the old names are deprecated, but continue to work for now.

... (truncated)

Changelog

Sourced from ses's changelog.

1.13.0 (2025-06-02)

Features

  • ses: ArrayBuffer.prototype.sliceToImmutable on Hermes (e432b14)
  • ses: ArrayBuffer.prototype.transferToImmutable (#2400) (d714d1d)
  • ses: Include ses-ava in stack frame filtering (bdbdb01)
  • ses: init SES with evalTaming unsafe-eval or no-eval (0dfaa8d)

Bug Fixes

  • ses,lockdown: make filenames in stacktraces clickable (#2747) (178e253), closes #2359 #2359
  • ses: avoid depth-first loading sequence in loadNow to prevent getting stuck in cycles (#2804) (37bfad6)

1.12.0 (2025-03-24)

Features

  • ses: add AsyncGeneratorFunctionInstance to commons (07516f5)
  • ses: bundle and export shim compatible with Hermes compiler (cafc398)
  • ses: create async arrow function transform with Babel for Hermes bundle (654791e)
  • ses: include async generators in anonymous intrinsics if supported (56ae460)
  • ses: support async generators in Hermes transform for CSP (24bbd5c)
  • ses: support CSP in commons AsyncGeneratorFunctionInstance (188c5d4)
  • ses: tame async generator function constructors if supported (eda8a61)

Bug Fixes

1.11.0 (2025-01-24)

Features

  • ses: Add XS variant of shim (f6c8456)
  • ses: Permit legacy properties of ModuleSource shim (75f2461)
  • ses: restrict dynamic permit on Hermes (14731fe)
  • ses: Support dynamic import (e56cc04)

... (truncated)

Commits
  • 571b780 chore(release): publish
  • 11c0eac docs: Update release notes
  • 13c173b chore(types): conform to TS 5.8.3
  • 6a5a410 chore(deps): bump typescript to 5.8.3
  • ae1fae2 test: fix ses-ava Ava usage
  • 7eb22cf lint: skipLibCheck in ses
  • b9c0a35 chore(types): conform
  • 589c0e5 lint: include eslint-ed files in tsconfig
  • 7108ca2 chore(types): conform "ses"
  • 108ddfe lint(types): include "test"
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses) from 1.1.0 to 1.13.0.
- [Release notes](https://github.com/endojs/endo/releases)
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/[email protected]/packages/ses)

---
updated-dependencies:
- dependency-name: ses
  dependency-version: 1.13.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 4, 2025
@alainncls
Collaborator

@dependabot rebase

Contributor Author

dependabot bot commented on behalf of github Jun 4, 2025

Looks like ses is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Jun 4, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/ses-1.13.0 branch June 4, 2025 13:32