Awesome Endeavour - unsafe-eval no more!

[dignifiedquire]

To make sure js-ipfs runs in all environments safely we want to get rid of all unsafe eval instances. The first round will be moving from protocol-buffers to protobufjs protons.

• libp2p-crypto - fix: switch protobufjs libp2p/js-libp2p-crypto#107 feat: switch protocol-buffers to protons libp2p/js-libp2p-crypto#110
• libp2p-identify - feat: replace protocol-buffers with protons libp2p/js-libp2p-identify#42
• libp2p-secio - feat: replace protocol-buffers with protons libp2p/js-libp2p-secio#93
• libp2p-record - feat: replace protocol-buffers with protons libp2p/js-libp2p-record#5
• libp2p-swarm - fix: remove unused protocol-buffers dep libp2p/js-libp2p-switch#230
• ipld-dag-pb - fix: switch to protobufjs ipld/js-ipld-dag-pb#39 feat: replace protocol-buffers with protons ipld/js-ipld-dag-pb#42
• ipfs-unixfs - fix: switch to protobuf.js js-ipfs-unixfs#18 Feat/protons js-ipfs-unixfs#19
• ipfs-bitswap - feat: replace protocol-buffers with protons js-ipfs-bitswap#149
• libp2p-floodsub - feat: replace protocol-buffers with protons libp2p/js-libp2p-floodsub#48
• libp2p-kad-dht - feat: replace protocol-buffers with protons libp2p/js-libp2p-kad-dht#16
• peer-id deps update - feat(deps): update aegir and libp2p-crypto libp2p/js-peer-id#67

[daviddias]

Code coverage is dropping dramatically with this change because it is trying to check if we test the newly generated code:

• Coverage (either Coveralls or Codecov) is not running in this repo. ipld/js-ipld-dag-pb#40
• fix: switch to protobuf.js js-ipfs-unixfs#18 (comment)

[dignifiedquire]

Just published a release of aegir which allows to ignore files from coverage: aegir coverage --ignore src/somefile.js

[daviddias]

Needs this to get done - ipld/js-ipld-dag-pb#41

[dignifiedquire]

Good news, we don't need to migrate, just use this version of protocol-buffers I made which switches to regular functions instead of generating them and evaling:

https://github.com/dignifiedquire/protocol-buffers/tree/fixes

perf is a bit worse, but not that bad

npm (encode) x 482,202 ops/sec ±3.14% (85 runs sampled)
npm (decode) x 1,863,500 ops/sec ±1.23% (91 runs sampled)
npm(encode + decode) x 349,692 ops/sec ±1.66% (82 runs sampled)
local (encode) x 423,864 ops/sec ±1.51% (88 runs sampled)
local (decode) x 1,042,350 ops/sec ±1.19% (94 runs sampled)
local(encode + decode) x 294,290 ops/sec ±1.39% (89 runs sampled)

[daviddias]

Awesome @dignifiedquire !

Might make it a real module and not a fork (i.e maintained, CI, published to npm, etc)?

[dignifiedquire]

Probably yes

[dignifiedquire]

Renamed to protons: https://github.com/dignifiedquire/protons publish coming soon

[dignifiedquire]

Just published https://www.npmjs.com/package/protons

[daviddias]

Awesome. Make sure to have a reference in the README to the original module and the reason that lead to the fork, other people will find useful.

[dignifiedquire]

there already is?

[dignifiedquire]

@diasdavid PRs are ready for you to review

[daviddias]

Ok, everything merged, released and all the deps in the middle were also updated to make sure that npm always installs the latest patch version.

Test away :)

[daviddias]

Tracking results:

• Results in ipfs-companion Remove use of unsafe-eval ipfs-companion#269 (comment)
• Results in brave integration IPFS Integration ipfs-inactive/browser-laptop#1 (comment)

[dignifiedquire]

Missed two modules

npm ls protocol-buffers
ipfs@0.25.4 /Users/dignifiedquire/opensource/ipfs/js-ipfs
├─┬ libp2p-floodsub@0.11.0
│ └─┬ libp2p-crypto@0.9.4
│   └── protocol-buffers@3.2.1  deduped
└─┬ libp2p-kad-dht@0.5.0
  └── protocol-buffers@3.2.1

[daviddias]

> npm ls protocol-buffers
ipfs@0.25.4 /Users/imp/code/js-ipfs
└── (empty)

[dignifiedquire]

Closing?

[daviddias]