Freeze Promise global on boot #7309
Conversation
Interesting - I wonder if we still need to mutate the Promise global in tests. It looks like it was done to enable catching of uncaught exceptions, but V8 has gotten better at that since it was written 🤔
When I attempted to run this as a normal unit test, the error seemed to come from a test dependency (
Edit: ah, the point of Bluebird in the testing environment is to help with the uncaught exceptions?
Yes, exactly. It's set up in
We overwrite the global Promise with
app/scripts/lib/freezeGlobals.js (Outdated)

    }

    if (value !== undefined) {
      target[key] = deepFreeze()
I'm guessing this was meant to be
    - target[key] = deepFreeze()
    + target[key] = deepFreeze(target[key])
In which case it could just be taken out of the condition altogether, as both branches are identical.
Wait, no.... maybe it should be

    - target[key] = deepFreeze()
    + opts.value = deepFreeze(value)

As target[key] is getting overwritten 🤦‍♂️
Haha, yes, the latter. Now shortened to: opts.value = deepFreeze(value)
It's my facepalm, not yours!
Looks good!
Per a security advisory from an audit, freezes the Promise global and prevents its reassignment on boot, in both the background and UI.

Pins the version of deep-freeze-strict as we use it to freeze the Promise, and the point here is to prevent certain supply chain attacks.

Adds new tests (test:unit:global) that are run in CI. These tests must be separate as freezing the Promise global breaks our normal test environments (at least the unit tests).

Removes tape from devDependencies, as we were not actually using that for anything.

Marked as needs QA since if a dependency modifies the Promise global, an error will be thrown that they probably won't catch. I imagine they'll usually do something like that in their entry file, but you never know.