2025-06-02 Releases
@endo/pass-style v1.6.0
BROKEN BUT PATCHED in 1.6.1, this version introduced a dependence on the
underlying platform supporting ArrayBuffer.prototype.transferToImmutable.
The patch restores the ability to use pass-style on older platforms without
the immutable ArrayBuffer shim (as entrained by ses).
- Introduces support for
byteArray.
ses v1.13.0
-
Two new
stackFiltering:options are added'omit-frames'-- Only omit likely uninteresting frames. Keep original paths.'shorten-paths'-- Only shorten paths to text likely clickable in an IDE
This fills out the matrix of what should have been orthogonal options. The existing
'concise'setting both omits likely uninteresting frames and shortens their paths. The existing'verbose'setting does neither. -
Uses the
@endo/immutable-arraybuffershim to addArrayBuffer.p.immutable,ArrayBuffer.p.transferToImmutable, andArrayBuffer.p.sliceToImmutableto ses, in order to emulate the Immutable ArrayBuffer proposal. These make an ArrayBuffer-like object whose contents cannot be mutated. However, due to limitations of the shim- Unlike
ArrayBufferandSharedArrayBufferthis shim's ArrayBuffer-like object cannot be transfered or cloned between JS threads. - Unlike
ArrayBufferandSharedArrayBuffer, this shim's ArrayBuffer-like object cannot be used as the backing store of TypeArrays or DataViews. - The shim depends on the platform providing either
structuredCloneorArray.prototype.transfer. Node <= 16 and provides neither, causing the shim to fail to initialize, and therefore SES to fail to initialize on such platforms. - Current Hermes has even stronger constraints, lacking
structuredClone,transfer, private fields, and evenclasssyntax. This requires other coping strategies. See #2785 - Even after the upcoming
transferToImmutableproposal is implemented by the platform, the current code will still replace it with the shim implementation, in accord with shim best practices. See #2311 (comment) . It will require a later manual step to delete the shim or have it avoid overriting a platform implementation, after manual analysis of the compat implications.
- Unlike
-
The evalTaming option
'safe-eval'now can only throw errorSES_DIRECT_EVAL. This allows SES to initialize with'unsafe-eval'or'no-eval'on hosts with no direct eval available such as Hermes for a successful lockdown that tolerates it's language features.The module name
ses/hermescan now be required to calllockdownandrepairIntrinsicsonly,Compartmentis not yet available.It is currently compatible with Hermes v0.12.0, we plan to support v0.13.0 then subsequent Hermes tags or side-by-side versions built for React Native depending on ecosystem usage and official support, then Static Hermes when released.
Also
ses/hermescan now be hooked into bundlers such as Metro to run Hardened JS.
@endo/compartment-mapper v1.6.1
- The
devflag formapNodeModules()is no longer deprecated. The concept of a "condition" (conditional exports) is disinct from the flag's original meaning (instructsmapNodeModules()to considerdevDependencieswhen graphing packages). Users who have switched to using adevelopmentcondition fordev's purpose are encouraged to switch back to using thedevflag instead. In a future release, the presence of adevelopmentcondition will no longer mimic an enableddevflag and will only be considered when evaluating conditional exports.
@endo/evasive-transform v2.0.0
- The
sourceTypeoption is now restricted toscriptandmoduleonly. Function signature types have changed to be more precise.
@endo/bundle-source v4.1.0
- The
'endoZipBase64'moduleFormat now utilizes theimportHookoption to exit dependencies whose specifiers return a truthy value.
@endo/import-bundle v1.5.0
- The
'endoZipBase64'moduleFormat now utilizes theimportHookoption.
@endo/marshal v1.7.0
@endo/marshalnow also exports aqpfunction meaning "quote passable"
that renders its passable argument as a quasi-quoted Justin expression.
This can be used withX,Failetc the same way you currently useq.
Since Justin is a subset of HardenedJS, there's no need for the quasi-quoted
form to explain what language it is in.