Version Packages#3104

Open
github-actions[bot] wants to merge 1 commit into master from changeset-release/master

@github-actions github-actions bot commented Feb 26, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to master, this PR will be updated.

Releases

ses@2.0.0

Major Changes

  • #3153 e619205 Thanks @erights! - # Plug NaN Side-channel

    The JavaScript language can leak the bit encoding of a NaN via shared TypedArray views of a common ArrayBuffer. Although the JavaScript language has only one NaN value, the underlying IEEE 754 double-precision floating-point representation has many different bit patterns that represent NaN. This can be exploited as a side-channel to leak information. This actually happens on some platforms such as v8.

    @ChALkeR explains, at "Normative: Allow NaN values to be *optionally* canonicalized" tc39/ecma262#758 (comment), the behavior of this side-channel on v8. At https://junk.rray.org/poc/nani.html he demonstrates it, and it is indeed even worse than I expected.

    To plug this side-channel, we make two coordinated changes.

    • We stop listing the Float*Array constructors as universal globals. This prevents them from being implicitly endowed to created compartments, because they are not harmless. However, we still keep them on the start compartment (the original global), consider them intrinsics, and still repair and harden them on lockdown(). Thus, they can be explicitly endowed to child compartments at the price of enabling code in that compartment to read the side-channel.
    • On lockdown(), we repair the DataView.prototype.setFloat* methods so that they only write canonical NaNs into the underlying ArrayBuffer.

    The @endo/marshal package's encodePassable encodings need to obtain the bit representation of floating point values. It had used Float64Array for that. However, sometimes the @endo/marshal package is evaluated in a created compartment that would now lack that constructor. (This reevaluation typically occurs when bundling bundles in that package.) So instead, encodePassable now uses the DataView methods, which are now safe.

Minor Changes

  • #3129 a675d8e Thanks @erights! - overrideTaming: 'moderate' includes overrideTaming: 'min'.

    Previously overrideTaming: 'min' correctly enabled Iterator.prototype.constructor to be overridden by assignment, but due to an oversight, overrideTaming: 'moderate' did not. Now it does.

    To make such mistakes less likely, this PR also adopts a style where all records within larger enablements triple-dot the corresponding record from a smaller enablement, if present.

@endo/bundle-source@4.3.0

Minor Changes

  • #3180 7f7ae8e Thanks @turadg! - BundleCache.load() is now generic on the format option:

    • Omitted (default) → Promise<BundleSourceResult<'endoZipBase64'>>
    • Literal format → Promise<BundleSourceResult<format>>
    • Runtime-typed ModuleFormat → Promise<BundleSourceResult<ModuleFormat>>

    Previously load() returned Promise<unknown>, requiring callers to assert the bundle shape.

Patch Changes

@endo/common@1.4.0

Minor Changes

  • #3172 98c89b7 Thanks @turadg! - Add objectExtendEach helper for merging a sequence of objects into an accumulator, with precise TypeScript inference of the resulting intersection type.

Patch Changes

  • Updated dependencies [f65b000, d1d9625]:
    • @endo/eventual-send@1.5.0
    • @endo/promise-kit@1.2.1
    • @endo/errors@1.3.1
    • @endo/harden@1.1.0

@endo/compartment-mapper@2.1.0

Minor Changes

  • #3132 b4820dc Thanks @boneskull! - Expose _redundantPreloadHook option in captureFromMap(), which will be called for each item in the _preload array that was already indirectly loaded via the entry Compartment.

    Fixes a bug in the type of _preload option, which now allows for mixed arrays.

    Fixes a bug in the preloader, which was not exhaustively checking if a non-entry module was already loaded via the entry Compartment.

Patch Changes

  • #3111 154102b Thanks @boneskull! - Fix type of PackageDataHook.packageData which now correctly allows $root$ as a key.

  • #3173 acbacba Thanks @boneskull! - Fixes potential issue wherein a canonical name may be computed incorrectly. Includes performance improvements.

  • #3157 cdb6eae Thanks @boneskull! - Dramatically improve performance of canonical name (shortest path) computation in mapNodeModules().

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • #3115 1cd1246 Thanks @boneskull! - Remove unused "error" ModuleSourceHookModuleSource type.

  • Updated dependencies [e619205, 6ada52b, a675d8e]:

    • ses@2.0.0
    • @endo/module-source@1.4.1

@endo/eventual-send@1.5.0

Minor Changes

  • #3172 f65b000 Thanks @turadg! - Improve E() type inference and publicly export method-projection helpers.

    • RemoteFunctions, PickCallable, and ECallableOrMethods now short-circuit on any, preventing E(anyValue) from collapsing to an unusable type.
    • EMethods, EGetters, and related helpers are now part of the public type surface, so downstream packages can name the projected shapes E() produces.

    Compile-time type changes only; no runtime behavior changes.

Patch Changes

  • Updated dependencies []:
    • @endo/harden@1.1.0

@endo/exo@1.7.0

Minor Changes

  • #3172 88bc2b9 Thanks @turadg! - Improve TypeScript inference for patterns, exo, and pass-style. These are compile-time type changes only; no runtime behavior changes.

    • pass-style: CopyArray<T> is now readonly T[] so readonly tuples (e.g. readonly ['ibc']) satisfy Passable. Backward-compatible because T[] still extends readonly T[].
    • patterns: M.remotable() defaults to any (matching M.promise()), so unparameterized remotables are assignable to concrete remotable typedefs. The parameterized form M.remotable<typeof SomeInterfaceGuard>() still yields precise inference.
    • patterns: TFRemotable returns any (not Payload) for non-InterfaceGuard arguments.
    • patterns: TFOr handles array-of-patterns and falls back through TFAnd; M.undefined() maps to void.
    • patterns: TFOptionalTuple emits truly optional elements; M.promise() maps to PromiseLike.
    • patterns: TFSplitRecord handles the empty-rest case correctly.
    • patterns: TFRestArgs unwraps array patterns.
    • patterns: TypeFromArgGuard discriminates by toStringTag, not structural shape.
    • patterns: MatcherOf payload is preserved through InterfaceGuard.
    • patterns: new CastedPattern<T> for unchecked type assertions in pattern position.
    • exo: defineExoClass, defineExoClassKit, and makeExo no longer intersect facet constraints with & Methods. The previous constraint collapsed specific facet keys into the string | number | symbol index signature, making FilteredKeys return never and erasing facet method inference (Pick<X, never> = {}).
    • exo: Guarded<M, G> is now structurally compatible across G, and the kit F constraint is widened.
    • exo: defineExoClassKit preserves facet inference when no guard is supplied.

    TypeScript consumers that were working around the previous inference gaps with casts may be able to remove those casts. Downstream code that depended on the narrower CopyArray<T> = T[] or the previous M.remotable() default may need minor adjustments.

  • #3133 9111b4e Thanks @turadg! - feat: infer TypeScript types from pattern guards

    • TypeFromPattern<P> — infer static types from any pattern matcher
    • TypeFromMethodGuard<G> — infer function signatures from M.call() / M.callWhen() guards
    • TypeFromInterfaceGuard<G> — infer method records from interface guard definitions
    • M.remotable<typeof Guard>() — facet-isolated return types in exo kits
    • M.infer<typeof pattern> — namespace shorthand analogous to z.infer
    • matches and mustMatch now narrow the specimen type via type predicates
    • makeExo, defineExoClass, and defineExoClassKit enforce method signatures against guards at compile time

    These are compile-time type changes only; there are no runtime behavioral changes.
    Existing TypeScript consumers may see new type errors where method signatures diverge from their guards.

Patch Changes

@endo/pass-style@1.8.0

Minor Changes

  • #3172 88bc2b9 Thanks @turadg! - Improve TypeScript inference for patterns, exo, and pass-style. These are compile-time type changes only; no runtime behavior changes.

    • pass-style: CopyArray<T> is now readonly T[] so readonly tuples (e.g. readonly ['ibc']) satisfy Passable. Backward-compatible because T[] still extends readonly T[].
    • patterns: M.remotable() defaults to any (matching M.promise()), so unparameterized remotables are assignable to concrete remotable typedefs. The parameterized form M.remotable<typeof SomeInterfaceGuard>() still yields precise inference.
    • patterns: TFRemotable returns any (not Payload) for non-InterfaceGuard arguments.
    • patterns: TFOr handles array-of-patterns and falls back through TFAnd; M.undefined() maps to void.
    • patterns: TFOptionalTuple emits truly optional elements; M.promise() maps to PromiseLike.
    • patterns: TFSplitRecord handles the empty-rest case correctly.
    • patterns: TFRestArgs unwraps array patterns.
    • patterns: TypeFromArgGuard discriminates by toStringTag, not structural shape.
    • patterns: MatcherOf payload is preserved through InterfaceGuard.
    • patterns: new CastedPattern<T> for unchecked type assertions in pattern position.
    • exo: defineExoClass, defineExoClassKit, and makeExo no longer intersect facet constraints with & Methods. The previous constraint collapsed specific facet keys into the string | number | symbol index signature, making FilteredKeys return never and erasing facet method inference (Pick<X, never> = {}).
    • exo: Guarded<M, G> is now structurally compatible across G, and the kit F constraint is widened.
    • exo: defineExoClassKit preserves facet inference when no guard is supplied.

    TypeScript consumers that were working around the previous inference gaps with casts may be able to remove those casts. Downstream code that depended on the narrower CopyArray<T> = T[] or the previous M.remotable() default may need minor adjustments.

Patch Changes

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • Updated dependencies [98c89b7, f65b000, d1d9625]:

    • @endo/common@1.4.0
    • @endo/eventual-send@1.5.0
    • @endo/promise-kit@1.2.1
    • @endo/errors@1.3.1
    • @endo/harden@1.1.0

@endo/patterns@1.9.0

Minor Changes

  • #3067 8195a5a Thanks @gibson042! - Updates containerHasSplit to consider copyArray elements in forward order,
    better aligning with intuition.

  • #3172 88bc2b9 Thanks @turadg! - Improve TypeScript inference for patterns, exo, and pass-style. These are compile-time type changes only; no runtime behavior changes.

    • pass-style: CopyArray<T> is now readonly T[] so readonly tuples (e.g. readonly ['ibc']) satisfy Passable. Backward-compatible because T[] still extends readonly T[].
    • patterns: M.remotable() defaults to any (matching M.promise()), so unparameterized remotables are assignable to concrete remotable typedefs. The parameterized form M.remotable<typeof SomeInterfaceGuard>() still yields precise inference.
    • patterns: TFRemotable returns any (not Payload) for non-InterfaceGuard arguments.
    • patterns: TFOr handles array-of-patterns and falls back through TFAnd; M.undefined() maps to void.
    • patterns: TFOptionalTuple emits truly optional elements; M.promise() maps to PromiseLike.
    • patterns: TFSplitRecord handles the empty-rest case correctly.
    • patterns: TFRestArgs unwraps array patterns.
    • patterns: TypeFromArgGuard discriminates by toStringTag, not structural shape.
    • patterns: MatcherOf payload is preserved through InterfaceGuard.
    • patterns: new CastedPattern<T> for unchecked type assertions in pattern position.
    • exo: defineExoClass, defineExoClassKit, and makeExo no longer intersect facet constraints with & Methods. The previous constraint collapsed specific facet keys into the string | number | symbol index signature, making FilteredKeys return never and erasing facet method inference (Pick<X, never> = {}).
    • exo: Guarded<M, G> is now structurally compatible across G, and the kit F constraint is widened.
    • exo: defineExoClassKit preserves facet inference when no guard is supplied.

    TypeScript consumers that were working around the previous inference gaps with casts may be able to remove those casts. Downstream code that depended on the narrower CopyArray<T> = T[] or the previous M.remotable() default may need minor adjustments.

  • #3133 9111b4e Thanks @turadg! - feat: infer TypeScript types from pattern guards

    • TypeFromPattern<P> — infer static types from any pattern matcher
    • TypeFromMethodGuard<G> — infer function signatures from M.call() / M.callWhen() guards
    • TypeFromInterfaceGuard<G> — infer method records from interface guard definitions
    • M.remotable<typeof Guard>() — facet-isolated return types in exo kits
    • M.infer<typeof pattern> — namespace shorthand analogous to z.infer
    • matches and mustMatch now narrow the specimen type via type predicates
    • makeExo, defineExoClass, and defineExoClassKit enforce method signatures against guards at compile time

    These are compile-time type changes only; there are no runtime behavioral changes.
    Existing TypeScript consumers may see new type errors where method signatures diverge from their guards.

  • #3133 df84eea Thanks @turadg! - Add optional label parameter to M.promise(), aligning its signature
    with M.remotable(label?). When a label is provided, runtime error
    messages include it for diagnostics (e.g., "Must be a promise Foo, not
    remotable").

Patch Changes

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • Updated dependencies [98c89b7, f65b000, 88bc2b9, e619205, 6ada52b]:

    • @endo/common@1.4.0
    • @endo/eventual-send@1.5.0
    • @endo/pass-style@1.8.0
    • @endo/marshal@1.9.1
    • @endo/errors@1.3.1
    • @endo/harden@1.1.0

@endo/errors@1.3.1

Patch Changes

  • Updated dependencies [e619205, a675d8e]:
    • ses@2.0.0
    • @endo/harden@1.1.0

@endo/import-bundle@1.6.1

Patch Changes

@endo/lockdown@1.0.19

Patch Changes

@endo/lp32@1.2.1

Patch Changes

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • Updated dependencies []:

    • @endo/errors@1.3.1
    • @endo/harden@1.1.0
    • @endo/stream@1.3.1

@endo/marshal@1.9.1

Patch Changes

  • #3153 e619205 Thanks @erights! - # Plug NaN Side-channel

    The JavaScript language can leak the bit encoding of a NaN via shared TypedArray views of a common ArrayBuffer. Although the JavaScript language has only one NaN value, the underlying IEEE 754 double-precision floating-point representation has many different bit patterns that represent NaN. This can be exploited as a side-channel to leak information. This actually happens on some platforms such as v8.

    @ChALkeR explains, at "Normative: Allow NaN values to be *optionally* canonicalized" tc39/ecma262#758 (comment), the behavior of this side-channel on v8. At https://junk.rray.org/poc/nani.html he demonstrates it, and it is indeed even worse than I expected.

    To plug this side-channel, we make two coordinated changes.

    • We stop listing the Float*Array constructors as universal globals. This prevents them from being implicitly endowed to created compartments, because they are not harmless. However, we still keep them on the start compartment (the original global), consider them intrinsics, and still repair and harden them on lockdown(). Thus, they can be explicitly endowed to child compartments at the price of enabling code in that compartment to read the side-channel.
    • On lockdown(), we repair the DataView.prototype.setFloat* methods so that they only write canonical NaNs into the underlying ArrayBuffer.

    The @endo/marshal package's encodePassable encodings need to obtain the bit representation of floating point values. It had used Float64Array for that. However, sometimes the @endo/marshal package is evaluated in a created compartment that would now lack that constructor. (This reevaluation typically occurs when bundling bundles in that package.) So instead, encodePassable now uses the DataView methods, which are now safe.

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • Updated dependencies [98c89b7, f65b000, 88bc2b9, 6ada52b]:

    • @endo/common@1.4.0
    • @endo/eventual-send@1.5.0
    • @endo/pass-style@1.8.0
    • @endo/errors@1.3.1
    • @endo/harden@1.1.0
    • @endo/nat@5.2.0

@endo/memoize@1.2.1

Patch Changes

  • #3107 05cdb5f Thanks @erights! - @endo/memoize no longer depends on ses, just @endo/harden

  • Updated dependencies []:

    • @endo/harden@1.1.0

@endo/module-source@1.4.1

Patch Changes

@endo/netstring@1.1.1

Patch Changes

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • Updated dependencies [d1d9625]:

    • @endo/promise-kit@1.2.1
    • @endo/harden@1.1.0
    • @endo/stream@1.3.1

@endo/promise-kit@1.2.1

Patch Changes

  • #3108 d1d9625 Thanks @erights! - @endo/promise-kit no longer depends on ses, just @endo/harden

  • Updated dependencies []:

    • @endo/harden@1.1.0

@endo/ses-ava@1.4.1

Patch Changes

  • Updated dependencies [e619205, a675d8e]:
    • ses@2.0.0
    • @endo/harden@1.1.0

@endo/stream@1.3.1

Patch Changes

@endo/stream-node@1.2.1

Patch Changes

  • #3127 6ada52b Thanks @turadg! - Remove stale runtime dependencies from package manifests.

  • Updated dependencies []:

    • @endo/errors@1.3.1
    • @endo/harden@1.1.0
    • @endo/stream@1.3.1

@endo/ocapn@0.3.0

Minor Changes

  • #3172 6405b36 Thanks @turadg! - Parameterize CapTP slot types and improve TypeScript 6 conformance across the OCapN client surface. Compile-time type changes only; no runtime behavior changes.

Patch Changes

  • Updated dependencies [f65b000, d1d9625, 88bc2b9, e619205, 6ada52b]:
    • @endo/eventual-send@1.5.0
    • @endo/promise-kit@1.2.1
    • @endo/pass-style@1.8.0
    • @endo/marshal@1.9.1
    • @endo/harden@1.1.0
    • @endo/nat@5.2.0

@endo/daemon@2.5.3

Patch Changes

@endo/stream-types-test@1.0.19

Patch Changes

  • Updated dependencies [e619205, a675d8e]:
    • ses@2.0.0
    • @endo/nat@5.2.0
    • @endo/stream@1.3.1

@endo/test262-runner@0.1.50

Patch Changes

@github-actions github-actions bot force-pushed the changeset-release/master branch 4 times, most recently from d1d413a to d552af5 Compare March 6, 2026 00:00
@github-actions github-actions bot force-pushed the changeset-release/master branch 4 times, most recently from 52c4c23 to 15c4fb7 Compare March 17, 2026 20:58
@kriskowal kriskowal force-pushed the changeset-release/master branch from 15c4fb7 to 2bf3ff7 Compare March 30, 2026 20:36
@kriskowal kriskowal force-pushed the changeset-release/master branch 6 times, most recently from df278cb to e96c043 Compare April 14, 2026 21:43
@kriskowal kriskowal force-pushed the changeset-release/master branch from e96c043 to 9aa3e01 Compare April 14, 2026 23:21
@kriskowal kriskowal force-pushed the changeset-release/master branch from 9aa3e01 to 65e835e Compare April 15, 2026 00:13
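
An added example, not part of this PR or of the ses code base, illustrating the second change in the "Plug NaN Side-channel" note: a float write that can only ever store one NaN bit pattern. The function names and the choice of 0x7ff8000000000000 as the canonical pattern are assumptions made here, and the wrapper leaves DataView.prototype untouched rather than repairing it the way lockdown() does.

```javascript
'use strict';

// Assumed canonical encoding for this example: quiet NaN, sign 0, zero payload.
const CANONICAL_NAN_BITS = 0x7ff8000000000000n;

// Write `value` as a float64, but never let a NaN payload reach the buffer.
function setFloat64Canonical(view, byteOffset, value, littleEndian = false) {
  if (value !== value) {
    // Only NaN is unequal to itself. Store the fixed pattern as an integer,
    // so the engine's internal NaN representation is never copied out.
    view.setBigUint64(byteOffset, CANONICAL_NAN_BITS, littleEndian);
  } else {
    // Infinity, -0 and every ordinary number are written unchanged.
    view.setFloat64(byteOffset, value, littleEndian);
  }
}

// Constructed sample input: a NaN whose low mantissa bits carry `payload`.
function nanWithPayload(payload) {
  const view = new DataView(new ArrayBuffer(8));
  view.setBigUint64(0, CANONICAL_NAN_BITS | (payload & 0x7ffffffffffffn));
  return view.getFloat64(0);
}

// Bits stored by the canonicalizing write.
function bitsWritten(value, littleEndian = false) {
  const view = new DataView(new ArrayBuffer(8));
  setFloat64Canonical(view, 0, value, littleEndian);
  return view.getBigUint64(0, littleEndian);
}

// Bits stored by the unrepaired built-in. For a NaN the language lets the
// engine pick the encoding, so this result is platform-dependent.
function rawBitsWritten(value) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, value);
  return view.getBigUint64(0);
}

// True when `bits` encodes some NaN: exponent all ones, mantissa non-zero.
function isNaNBits(bits) {
  const exponent = (bits >> 52n) & 0x7ffn;
  const mantissa = bits & 0xfffffffffffffn;
  return exponent === 0x7ffn && mantissa !== 0n;
}

// Side-by-side audit of one value: what each write path leaves in the buffer.
function audit(value) {
  const raw = rawBitsWritten(value);
  const fixed = bitsWritten(value);
  return {
    raw: raw.toString(16).padStart(16, '0'),
    fixed: fixed.toString(16).padStart(16, '0'),
    rawIsCanonical: !isNaNBits(raw) || raw === CANONICAL_NAN_BITS,
  };
}
```

Running `audit(nanWithPayload(0xdeadbeefn))` on a given engine shows whether its built-in write preserves the payload; the `fixed` field is the same on every engine.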