feat(compartment-mapper): expose experimental _redundantPreloadHook on captureFromMap#3132
Merged
Merged
Conversation
Member
Author
📚 Pull Request Stack
Managed by gh-stack |
🦋 Changeset detectedLatest commit: b4820dc The changes in this PR will be included in the next version bump. This PR includes changesets to release 7 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
boneskull
force-pushed
the
boneskull/redundant-preload-hook
branch
from
8cec61d to
29c437f
Compare
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Mar 21, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
Member
|
It looks correct, but I could use more elaboration on the topic of "what for exactly?" |
naugtur
approved these changes
Mar 27, 2026
Member
Author
|
@naugtur I've updated the description. |
…n captureFromMap
This adds a new hook option, `_redundantPreloadHook`, which is fired if and only if:
1. A canonical name w/ optional entry is present in the `_preload` array, _and_
2. The corresponding `Compartment` has already had its module sources loaded indirectly via loading the entry `Compartment`.
This better enables the caller to report the information to the end-user.
## Fixes
This change also fixes two bugs:
- The presence of `ModuleSource`s for a given `Compartment` does not imply _all_ preloaded modules have been loaded, as `_preload` may contain multiple entries for the same canonical name. It now checks individual entries.
- The type of `_preload` was incorrect; it demanded either an `Array<string>` _or_ an `Array<{name: string, entry: string}>`, when it should be possible to mix-and-match `string` and `{name: string, entry: string}` in the same array.
## Notes
- We could remove the `log()` call in `capture-lite.js`'s L187-L189 in lieu of the hook.
- Interested in any suggestions to avoid the assumption in `capture-lite.js`'s L181-L191; module resolution seems like a non-starter at this point, but maybe the mapping from `.` to a relative path exists in scope here already?
boneskull
force-pushed
the
boneskull/redundant-preload-hook
branch
from
29c437f to
b4820dc
Compare
Merged
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Apr 9, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Apr 11, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
turadg
added a commit
that referenced
this pull request
Apr 16, 2026
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to master, this PR will be updated. # Releases ## @endo/ocapn@1.0.0 ### Major Changes - [#3183](#3183) [`279c0c4`](279c0c4) Thanks [@kumavis](https://github.com/kumavis)! - Initial public release of `@endo/ocapn`. The package is no longer private and is now published to npm. Tested against the python test suite from 2026-01-06 <https://github.com/ocapn/ocapn-test-suite/commits/f0273f21c5ee05a28785b51c231535124f28bca9> ### Minor Changes - [#3172](#3172) [`6405b36`](6405b36) Thanks [@turadg](https://github.com/turadg)! - Parameterize CapTP slot types and improve TypeScript 6 conformance across the OCapN client surface. Compile-time type changes only; no runtime behavior changes. ### Patch Changes - Updated dependencies \[[`f65b000`](f65b000), [`d1d9625`](d1d9625), [`88bc2b9`](88bc2b9), [`e619205`](e619205), [`43165e5`](43165e5), [`6ada52b`](6ada52b)]: - @endo/eventual-send@1.5.0 - @endo/promise-kit@1.2.1 - @endo/pass-style@1.8.0 - @endo/marshal@1.9.1 - @endo/harden@1.1.0 - @endo/nat@5.2.0 ## ses@2.0.0 ### Major Changes - [#3153](#3153) [`e619205`](e619205) Thanks [@erights](https://github.com/erights)! - # Plug NaN Side-channel The JavaScript language can leak the bit encoding of a NaN via shared TypedArray views of an common ArrayBuffer. Although the JavaScript language has only one NaN value, the underlying IEEE 754 double-precision floating-point representation has many different bit patterns that represent NaN. This can be exploited as a side-channel to leak information. This actually happens on some platforms such as v8. @ChALkeR explains at <tc39/ecma262#758 (comment)> that the behavior of this side-channel on v8. At <https://junk.rray.org/poc/nani.html> he demonstrates it, and it indeed even worse than I expected. To plug this side-channel, we make two coordinated changes. - We stop listing the `Float*Array` constructors as universal globals. This prevents them from being implicitly endowed to created compartments, because they are not harmless. However, we still keep them on the start compartment (the original global), consider them intrinsics, and still repair and harden them on `lockdown()`. Thus, they can be explicitly endowed to child compartments at the price of enabling code in that compartment to read the side-channel. - On `lockdown()`, we repair the `DataView.prototype.setFloat*` methods so that they only write canonical NaNs into the underlying ArrayBuffer. The `@endo.marshal` package's `encodePassable` encodings need to obtain the bit representation of floating point values. It had used `Float64Array` for that. However, sometimes the `@endo/marshal` package is evaluated in a created compartment that would now lack that constructor. (This reevaluation typically occurs when bundling bundles in that package.) So instead, `encodePassable` now uses the `DataView` methods which are now safe. ### Minor Changes - [#3129](#3129) [`a675d8e`](a675d8e) Thanks [@erights](https://github.com/erights)! - `overrideTaming: 'moderate'` includes `overrideTaming: 'min'`. Previously `overrideTaming: 'min'` correctly enabled `Iterator.prototype.constructor` to be overridden by assignment, but due to an oversight, `overrideTaming: 'moderate'` did not. Now it does. To make such mistakes less likely, this PR also adopts a style where all records within larger enablements triple-dot the corresponding record from a smaller enablement, if present. ## @endo/bundle-source@4.3.0 ### Minor Changes - [#3180](#3180) [`7f7ae8e`](7f7ae8e) Thanks [@turadg](https://github.com/turadg)! - `BundleCache.load()` is now generic on the `format` option: - Omitted (default) → `Promise<BundleSourceResult<'endoZipBase64'>>` - Literal format → `Promise<BundleSourceResult<format>>` - Runtime-typed `ModuleFormat` → `Promise<BundleSourceResult<ModuleFormat>>` Previously `load()` returned `Promise<unknown>`, requiring callers to assert the bundle shape. ### Patch Changes - Updated dependencies \[[`154102b`](154102b), [`2b674ca`](2b674ca), [`d1d9625`](d1d9625), [`b4820dc`](b4820dc), [`acbacba`](acbacba), [`cdb6eae`](cdb6eae), [`6ada52b`](6ada52b), [`6ad084a`](6ad084a), [`1cd1246`](1cd1246)]: - @endo/compartment-mapper@2.1.0 - @endo/promise-kit@1.2.1 - @endo/harden@1.1.0 ## @endo/common@1.4.0 ### Minor Changes - [#3172](#3172) [`98c89b7`](98c89b7) Thanks [@turadg](https://github.com/turadg)! - Add `objectExtendEach` helper for merging a sequence of objects into an accumulator, with precise TypeScript inference of the resulting intersection type. ### Patch Changes - Updated dependencies \[[`f65b000`](f65b000), [`d1d9625`](d1d9625)]: - @endo/eventual-send@1.5.0 - @endo/promise-kit@1.2.1 - @endo/errors@1.3.1 - @endo/harden@1.1.0 ## @endo/compartment-mapper@2.1.0 ### Minor Changes - [#3132](#3132) [`b4820dc`](b4820dc) Thanks [@boneskull](https://github.com/boneskull)! - Expose `_redundantPreloadHook` option in `captureFromMap()`, which will be called for each item in the `_preload` array that was already indirectly loaded via the entry `Compartment`. Fixes a bug in the type of `_preload` option, which now allows for mixed arrays. Fixes a bug in the preloader, which was not exhaustively checking if a non-entry module was already loaded via the entry `Compartment`. - [#3048](#3048) [`6ad084a`](6ad084a) Thanks [@kriskowal](https://github.com/kriskowal)! - Add support for Node.js subpath pattern replacement in `package.json` `exports` and `imports` fields. Patterns like `"./features/*.js": "./src/features/*.js"` and `"#internal/*.js": "./lib/*.js"` are now resolved at link time using prefix/suffix string matching with specificity ordering. Null-target patterns exclude matching specifiers. Conditional pattern values are resolved through the standard condition-matching rules. Patterns are expanded to concrete module entries during archiving. ### Patch Changes - [#3111](#3111) [`154102b`](154102b) Thanks [@boneskull](https://github.com/boneskull)! - Fix type of `PackageDataHook.packageData` which now correctly allows `$root$` as a key. - [#3182](#3182) [`2b674ca`](2b674ca) Thanks [@kriskowal](https://github.com/kriskowal)! - Cull underscore-prefixed internal properties (like `__createdBy`) from serialized compartment maps in archives. The compartment map validator now also ignores underscore-prefixed properties when checking for extraneous fields. - [#3173](#3173) [`acbacba`](acbacba) Thanks [@boneskull](https://github.com/boneskull)! - Fixes potential issue wherein a canonical name may be computed incorrectly. Includes performance improvements. - [#3157](#3157) [`cdb6eae`](cdb6eae) Thanks [@boneskull](https://github.com/boneskull)! - Dramatically improve performance of canonical name (shortest path) computation in `mapNodeModules()`. - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - [#3115](#3115) [`1cd1246`](1cd1246) Thanks [@boneskull](https://github.com/boneskull)! - Remove unused "error" `ModuleSourceHookModuleSource` type. - Updated dependencies \[[`e619205`](e619205), [`6ada52b`](6ada52b), [`a675d8e`](a675d8e)]: - ses@2.0.0 - @endo/module-source@1.4.1 ## @endo/eventual-send@1.5.0 ### Minor Changes - [#3172](#3172) [`f65b000`](f65b000) Thanks [@turadg](https://github.com/turadg)! - Improve `E()` type inference and publicly export method-projection helpers. - `RemoteFunctions`, `PickCallable`, and `ECallableOrMethods` now short-circuit on `any`, preventing `E(anyValue)` from collapsing to an unusable type. - `EMethods`, `EGetters`, and related helpers are now part of the public type surface, so downstream packages can name the projected shapes `E()` produces. Compile-time type changes only; no runtime behavior changes. ### Patch Changes - Updated dependencies \[]: - @endo/harden@1.1.0 ## @endo/exo@1.7.0 ### Minor Changes - [#3172](#3172) [`88bc2b9`](88bc2b9) Thanks [@turadg](https://github.com/turadg)! - Improve TypeScript inference for patterns, exo, and pass-style. These are compile-time type changes only; no runtime behavior changes. - **pass-style**: `CopyArray<T>` is now `readonly T[]` so readonly tuples (e.g. `readonly ['ibc']`) satisfy `Passable`. Backward-compatible because `T[]` still extends `readonly T[]`. - **patterns**: `M.remotable()` defaults to `any` (matching `M.promise()`), so unparameterized remotables are assignable to concrete remotable typedefs. The parameterized form `M.remotable<typeof SomeInterfaceGuard>()` still yields precise inference. - **patterns**: `TFRemotable` returns `any` (not `Payload`) for non-`InterfaceGuard` arguments. - **patterns**: `TFOr` handles array-of-patterns and falls back through `TFAnd`; `M.undefined()` maps to `void`. - **patterns**: `TFOptionalTuple` emits truly optional elements; `M.promise()` maps to `PromiseLike`. - **patterns**: `TFSplitRecord` handles the empty-rest case correctly. - **patterns**: `TFRestArgs` unwraps array patterns. - **patterns**: `TypeFromArgGuard` discriminates by `toStringTag`, not structural shape. - **patterns**: `MatcherOf` payload is preserved through `InterfaceGuard`. - **patterns**: new `CastedPattern<T>` for unchecked type assertions in pattern position. - **exo**: `defineExoClass`, `defineExoClassKit`, and `makeExo` no longer intersect facet constraints with `& Methods`. The previous constraint collapsed specific facet keys into the `string | number | symbol` index signature, making `FilteredKeys` return `never` and erasing facet method inference (`Pick<X, never> = {}`). - **exo**: `Guarded<M, G>` is now structurally compatible across `G`, and the kit `F` constraint is widened. - **exo**: `defineExoClassKit` preserves facet inference when no guard is supplied. TypeScript consumers that were working around the previous inference gaps with casts may be able to remove those casts. Downstream code that depended on the narrower `CopyArray<T> = T[]` or the previous `M.remotable()` default may need minor adjustments. - [#3133](#3133) [`9111b4e`](9111b4e) Thanks [@turadg](https://github.com/turadg)! - feat: infer TypeScript types from pattern guards - `TypeFromPattern<P>` — infer static types from any pattern matcher - `TypeFromMethodGuard<G>` — infer function signatures from `M.call()` / `M.callWhen()` guards - `TypeFromInterfaceGuard<G>` — infer method records from interface guard definitions - `M.remotable<typeof Guard>()` — facet-isolated return types in exo kits - `M.infer<typeof pattern>` — namespace shorthand analogous to `z.infer` - `matches` and `mustMatch` now narrow the specimen type via type predicates - `makeExo`, `defineExoClass`, and `defineExoClassKit` enforce method signatures against guards at compile time These are compile-time type changes only; there are no runtime behavioral changes. Existing TypeScript consumers may see new type errors where method signatures diverge from their guards. ### Patch Changes - Updated dependencies \[[`8195a5a`](8195a5a), [`98c89b7`](98c89b7), [`f65b000`](f65b000), [`88bc2b9`](88bc2b9), [`9111b4e`](9111b4e), [`43165e5`](43165e5), [`df84eea`](df84eea), [`6ada52b`](6ada52b)]: - @endo/patterns@1.9.0 - @endo/common@1.4.0 - @endo/eventual-send@1.5.0 - @endo/pass-style@1.8.0 - @endo/errors@1.3.1 - @endo/far@1.1.14 - @endo/harden@1.1.0 ## @endo/pass-style@1.8.0 ### Minor Changes - [#3172](#3172) [`88bc2b9`](88bc2b9) Thanks [@turadg](https://github.com/turadg)! - Improve TypeScript inference for patterns, exo, and pass-style. These are compile-time type changes only; no runtime behavior changes. - **pass-style**: `CopyArray<T>` is now `readonly T[]` so readonly tuples (e.g. `readonly ['ibc']`) satisfy `Passable`. Backward-compatible because `T[]` still extends `readonly T[]`. - **patterns**: `M.remotable()` defaults to `any` (matching `M.promise()`), so unparameterized remotables are assignable to concrete remotable typedefs. The parameterized form `M.remotable<typeof SomeInterfaceGuard>()` still yields precise inference. - **patterns**: `TFRemotable` returns `any` (not `Payload`) for non-`InterfaceGuard` arguments. - **patterns**: `TFOr` handles array-of-patterns and falls back through `TFAnd`; `M.undefined()` maps to `void`. - **patterns**: `TFOptionalTuple` emits truly optional elements; `M.promise()` maps to `PromiseLike`. - **patterns**: `TFSplitRecord` handles the empty-rest case correctly. - **patterns**: `TFRestArgs` unwraps array patterns. - **patterns**: `TypeFromArgGuard` discriminates by `toStringTag`, not structural shape. - **patterns**: `MatcherOf` payload is preserved through `InterfaceGuard`. - **patterns**: new `CastedPattern<T>` for unchecked type assertions in pattern position. - **exo**: `defineExoClass`, `defineExoClassKit`, and `makeExo` no longer intersect facet constraints with `& Methods`. The previous constraint collapsed specific facet keys into the `string | number | symbol` index signature, making `FilteredKeys` return `never` and erasing facet method inference (`Pick<X, never> = {}`). - **exo**: `Guarded<M, G>` is now structurally compatible across `G`, and the kit `F` constraint is widened. - **exo**: `defineExoClassKit` preserves facet inference when no guard is supplied. TypeScript consumers that were working around the previous inference gaps with casts may be able to remove those casts. Downstream code that depended on the narrower `CopyArray<T> = T[]` or the previous `M.remotable()` default may need minor adjustments. - [#3184](#3184) [`43165e5`](43165e5) Thanks [@turadg](https://github.com/turadg)! - Unblock TypeScript declaration emit in downstream packages that structurally expose `PassStyled`/`Container` types. Compile-time type changes only; no runtime behavior changes. - `PASS_STYLE` is now typed as the string-literal `'Symbol(passStyle)'` rather than `unique symbol`. The runtime value is unchanged (still `Symbol.for('passStyle')`), and computed-key indexing like `obj[PASS_STYLE]` continues to work because JS computed keys accept any value. This removes TS4023 / TS9006 errors in consumers whose inferred types structurally contain `[PASS_STYLE]` (via `PassStyled`, `ExtractStyle`, object spread of a `PassStyled`, etc.). A `unique symbol` is only nameable via its original declaration module, which consumers have no reason to import; a string-literal type has no such nameability requirement. - `CopyArrayInterface`, `CopyRecordInterface`, and `CopyTaggedInterface` are now exported, so downstream `.d.ts` emit can name them when they appear through structural expansion of `Passable`/`Container`. - The `PassStyleOf` array overload is widened from `(p: any[]) => 'copyArray'` to `(p: readonly any[]) => 'copyArray'`, so `as const` tuples and `readonly T[]` values classify as `'copyArray'`. This aligns the classifier with `CopyArray<T>`, which is already `readonly T[]`. Backward-compatible because `T[]` still extends `readonly T[]`. Obviates the `@endo/pass-style` patch that agoric-sdk has been carrying in `.yarn/patches/`. TypeScript consumers that relied on `typeof PASS_STYLE` being `unique symbol` (e.g. annotating a value as `symbol` from `PASS_STYLE`) will need minor adjustments — widen the annotation to `symbol | string`, or cast via `unknown`. ### Patch Changes - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[[`98c89b7`](98c89b7), [`f65b000`](f65b000), [`d1d9625`](d1d9625)]: - @endo/common@1.4.0 - @endo/eventual-send@1.5.0 - @endo/promise-kit@1.2.1 - @endo/errors@1.3.1 - @endo/harden@1.1.0 ## @endo/patterns@1.9.0 ### Minor Changes - [#3067](#3067) [`8195a5a`](8195a5a) Thanks [@gibson042](https://github.com/gibson042)! - - Updates `containerHasSplit` to consider copyArray elements in forward order, better aligning with intuition. - [#3172](#3172) [`88bc2b9`](88bc2b9) Thanks [@turadg](https://github.com/turadg)! - Improve TypeScript inference for patterns, exo, and pass-style. These are compile-time type changes only; no runtime behavior changes. - **pass-style**: `CopyArray<T>` is now `readonly T[]` so readonly tuples (e.g. `readonly ['ibc']`) satisfy `Passable`. Backward-compatible because `T[]` still extends `readonly T[]`. - **patterns**: `M.remotable()` defaults to `any` (matching `M.promise()`), so unparameterized remotables are assignable to concrete remotable typedefs. The parameterized form `M.remotable<typeof SomeInterfaceGuard>()` still yields precise inference. - **patterns**: `TFRemotable` returns `any` (not `Payload`) for non-`InterfaceGuard` arguments. - **patterns**: `TFOr` handles array-of-patterns and falls back through `TFAnd`; `M.undefined()` maps to `void`. - **patterns**: `TFOptionalTuple` emits truly optional elements; `M.promise()` maps to `PromiseLike`. - **patterns**: `TFSplitRecord` handles the empty-rest case correctly. - **patterns**: `TFRestArgs` unwraps array patterns. - **patterns**: `TypeFromArgGuard` discriminates by `toStringTag`, not structural shape. - **patterns**: `MatcherOf` payload is preserved through `InterfaceGuard`. - **patterns**: new `CastedPattern<T>` for unchecked type assertions in pattern position. - **exo**: `defineExoClass`, `defineExoClassKit`, and `makeExo` no longer intersect facet constraints with `& Methods`. The previous constraint collapsed specific facet keys into the `string | number | symbol` index signature, making `FilteredKeys` return `never` and erasing facet method inference (`Pick<X, never> = {}`). - **exo**: `Guarded<M, G>` is now structurally compatible across `G`, and the kit `F` constraint is widened. - **exo**: `defineExoClassKit` preserves facet inference when no guard is supplied. TypeScript consumers that were working around the previous inference gaps with casts may be able to remove those casts. Downstream code that depended on the narrower `CopyArray<T> = T[]` or the previous `M.remotable()` default may need minor adjustments. - [#3133](#3133) [`9111b4e`](9111b4e) Thanks [@turadg](https://github.com/turadg)! - feat: infer TypeScript types from pattern guards - `TypeFromPattern<P>` — infer static types from any pattern matcher - `TypeFromMethodGuard<G>` — infer function signatures from `M.call()` / `M.callWhen()` guards - `TypeFromInterfaceGuard<G>` — infer method records from interface guard definitions - `M.remotable<typeof Guard>()` — facet-isolated return types in exo kits - `M.infer<typeof pattern>` — namespace shorthand analogous to `z.infer` - `matches` and `mustMatch` now narrow the specimen type via type predicates - `makeExo`, `defineExoClass`, and `defineExoClassKit` enforce method signatures against guards at compile time These are compile-time type changes only; there are no runtime behavioral changes. Existing TypeScript consumers may see new type errors where method signatures diverge from their guards. - [#3133](#3133) [`df84eea`](df84eea) Thanks [@turadg](https://github.com/turadg)! - Add optional `label` parameter to `M.promise()`, aligning its signature with `M.remotable(label?)`. When a label is provided, runtime error messages include it for diagnostics (e.g., "Must be a promise Foo, not remotable"). ### Patch Changes - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[[`98c89b7`](98c89b7), [`f65b000`](f65b000), [`88bc2b9`](88bc2b9), [`e619205`](e619205), [`43165e5`](43165e5), [`6ada52b`](6ada52b)]: - @endo/common@1.4.0 - @endo/eventual-send@1.5.0 - @endo/pass-style@1.8.0 - @endo/marshal@1.9.1 - @endo/errors@1.3.1 - @endo/harden@1.1.0 ## @endo/check-bundle@1.1.1 ### Patch Changes - [#3182](#3182) [`2b674ca`](2b674ca) Thanks [@kriskowal](https://github.com/kriskowal)! - Cull underscore-prefixed internal properties (like `__createdBy`) from serialized compartment maps in archives. The compartment map validator now also ignores underscore-prefixed properties when checking for extraneous fields. - Updated dependencies \[[`154102b`](154102b), [`2b674ca`](2b674ca), [`b4820dc`](b4820dc), [`acbacba`](acbacba), [`cdb6eae`](cdb6eae), [`6ada52b`](6ada52b), [`6ad084a`](6ad084a), [`1cd1246`](1cd1246)]: - @endo/compartment-mapper@2.1.0 - @endo/errors@1.3.1 - @endo/harden@1.1.0 ## @endo/errors@1.3.1 ### Patch Changes - Updated dependencies \[[`e619205`](e619205), [`a675d8e`](a675d8e)]: - ses@2.0.0 - @endo/harden@1.1.0 ## @endo/import-bundle@1.6.1 ### Patch Changes - Updated dependencies \[[`154102b`](154102b), [`2b674ca`](2b674ca), [`b4820dc`](b4820dc), [`acbacba`](acbacba), [`e619205`](e619205), [`cdb6eae`](cdb6eae), [`6ada52b`](6ada52b), [`6ad084a`](6ad084a), [`1cd1246`](1cd1246), [`a675d8e`](a675d8e)]: - @endo/compartment-mapper@2.1.0 - ses@2.0.0 - @endo/errors@1.3.1 - @endo/harden@1.1.0 ## @endo/lockdown@1.0.19 ### Patch Changes - Updated dependencies \[[`e619205`](e619205), [`a675d8e`](a675d8e)]: - ses@2.0.0 ## @endo/lp32@1.2.1 ### Patch Changes - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[]: - @endo/errors@1.3.1 - @endo/harden@1.1.0 - @endo/stream@1.3.1 ## @endo/marshal@1.9.1 ### Patch Changes - [#3153](#3153) [`e619205`](e619205) Thanks [@erights](https://github.com/erights)! - # Plug NaN Side-channel The JavaScript language can leak the bit encoding of a NaN via shared TypedArray views of an common ArrayBuffer. Although the JavaScript language has only one NaN value, the underlying IEEE 754 double-precision floating-point representation has many different bit patterns that represent NaN. This can be exploited as a side-channel to leak information. This actually happens on some platforms such as v8. @ChALkeR explains at <tc39/ecma262#758 (comment)> that the behavior of this side-channel on v8. At <https://junk.rray.org/poc/nani.html> he demonstrates it, and it indeed even worse than I expected. To plug this side-channel, we make two coordinated changes. - We stop listing the `Float*Array` constructors as universal globals. This prevents them from being implicitly endowed to created compartments, because they are not harmless. However, we still keep them on the start compartment (the original global), consider them intrinsics, and still repair and harden them on `lockdown()`. Thus, they can be explicitly endowed to child compartments at the price of enabling code in that compartment to read the side-channel. - On `lockdown()`, we repair the `DataView.prototype.setFloat*` methods so that they only write canonical NaNs into the underlying ArrayBuffer. The `@endo.marshal` package's `encodePassable` encodings need to obtain the bit representation of floating point values. It had used `Float64Array` for that. However, sometimes the `@endo/marshal` package is evaluated in a created compartment that would now lack that constructor. (This reevaluation typically occurs when bundling bundles in that package.) So instead, `encodePassable` now uses the `DataView` methods which are now safe. - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[[`98c89b7`](98c89b7), [`f65b000`](f65b000), [`88bc2b9`](88bc2b9), [`43165e5`](43165e5), [`6ada52b`](6ada52b)]: - @endo/common@1.4.0 - @endo/eventual-send@1.5.0 - @endo/pass-style@1.8.0 - @endo/errors@1.3.1 - @endo/harden@1.1.0 - @endo/nat@5.2.0 ## @endo/memoize@1.2.1 ### Patch Changes - [#3107](#3107) [`05cdb5f`](05cdb5f) Thanks [@erights](https://github.com/erights)! - `@endo/memoize` no longer depends on `ses`, just `@endo/harden` - Updated dependencies \[]: - @endo/harden@1.1.0 ## @endo/module-source@1.4.1 ### Patch Changes - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[[`e619205`](e619205), [`a675d8e`](a675d8e)]: - ses@2.0.0 ## @endo/netstring@1.1.1 ### Patch Changes - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[[`d1d9625`](d1d9625)]: - @endo/promise-kit@1.2.1 - @endo/harden@1.1.0 - @endo/stream@1.3.1 ## @endo/promise-kit@1.2.1 ### Patch Changes - [#3108](#3108) [`d1d9625`](d1d9625) Thanks [@erights](https://github.com/erights)! - `@endo/promise-kit` no longer depends on `ses`, just `@endo/harden` - Updated dependencies \[]: - @endo/harden@1.1.0 ## @endo/ses-ava@1.4.1 ### Patch Changes - Updated dependencies \[[`e619205`](e619205), [`a675d8e`](a675d8e)]: - ses@2.0.0 - @endo/harden@1.1.0 ## @endo/stream@1.3.1 ### Patch Changes - Updated dependencies \[[`f65b000`](f65b000), [`d1d9625`](d1d9625), [`e619205`](e619205), [`a675d8e`](a675d8e)]: - @endo/eventual-send@1.5.0 - @endo/promise-kit@1.2.1 - ses@2.0.0 - @endo/harden@1.1.0 ## @endo/stream-node@1.2.1 ### Patch Changes - [#3127](#3127) [`6ada52b`](6ada52b) Thanks [@turadg](https://github.com/turadg)! - Remove stale runtime dependencies from package manifests. - Updated dependencies \[]: - @endo/errors@1.3.1 - @endo/harden@1.1.0 - @endo/stream@1.3.1 ## @endo/daemon@2.5.3 ### Patch Changes - Updated dependencies \[[`8195a5a`](8195a5a), [`154102b`](154102b), [`2b674ca`](2b674ca), [`f65b000`](f65b000), [`d1d9625`](d1d9625), [`b4820dc`](b4820dc), [`88bc2b9`](88bc2b9), [`9111b4e`](9111b4e), [`acbacba`](acbacba), [`e619205`](e619205), [`df84eea`](df84eea), [`cdb6eae`](cdb6eae), [`6ada52b`](6ada52b), [`6ad084a`](6ad084a), [`1cd1246`](1cd1246), [`a675d8e`](a675d8e)]: - @endo/patterns@1.9.0 - @endo/compartment-mapper@2.1.0 - @endo/eventual-send@1.5.0 - @endo/promise-kit@1.2.1 - @endo/exo@1.7.0 - ses@2.0.0 - @endo/marshal@1.9.1 - @endo/netstring@1.1.1 - @endo/stream-node@1.2.1 - @endo/captp@4.5.0 - @endo/errors@1.3.1 - @endo/far@1.1.14 - @endo/harden@1.1.0 - @endo/import-bundle@1.6.1 - @endo/stream@1.3.1 ## @endo/stream-types-test@1.0.19 ### Patch Changes - Updated dependencies \[[`e619205`](e619205), [`a675d8e`](a675d8e)]: - ses@2.0.0 - @endo/nat@5.2.0 - @endo/stream@1.3.1 ## @endo/test262-runner@0.1.50 ### Patch Changes - Updated dependencies \[[`154102b`](154102b), [`2b674ca`](2b674ca), [`b4820dc`](b4820dc), [`acbacba`](acbacba), [`e619205`](e619205), [`cdb6eae`](cdb6eae), [`6ada52b`](6ada52b), [`6ad084a`](6ad084a), [`1cd1246`](1cd1246), [`a675d8e`](a675d8e)]: - @endo/compartment-mapper@2.1.0 - ses@2.0.0
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
May 14, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
May 14, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
May 26, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Jun 3, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Jun 12, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Jun 13, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Jun 16, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
boneskull
added a commit
to LavaMoat/LavaMoat
that referenced
this pull request
Jun 22, 2026
When linked w/ endojs/endo#3132, reports redundant entries in a `LavaMoatPolicy.include` array--those which have already been loaded indirectly via loading of the entry compartment. - Added comprehensive unit tests for reporting functions - Fix wrong error class used when trust-root mismatch occurs in policy gen - Add missing `@internal` tags to some internal types - Add custom `WriteStream` capability to `createModuleInspectionProgressReporter()` for testing - Fix cutoff comment in `to-keypath` code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds a new hook option,
_redundantPreloadHook, which is fired if and only if:_preloadarray, andCompartmenthas already had its module sources loaded indirectly via loading the entryCompartment.This better enables the caller to report the information to the end-user.
Motivation
The purpose of this is a better user experience for those consuming
@endo/compartment-mapper. If canonical names and/or relative paths are provided in the_preloadoption, and the modules as resolved would already be loaded via loading the entry module, then the presence of those item(s) in_preloadserves no purpose. The only reason to put anything in_preloadis if capturing the entry module does not load desired modules. This is typical of dynamically-required modules which crossCompartmentboundaries, since dynamically-required modules cannot be determined prior to execution.Fixes
This change also fixes two bugs:
ModuleSources for a givenCompartmentdoes not imply all preloaded modules have been loaded, as_preloadmay contain multiple entries for the same canonical name. It now checks individual entries._preloadwas incorrect; it demanded either anArray<string>or anArray<{name: string, entry: string}>, when it should be possible to mix-and-matchstringand{name: string, entry: string}in the same array.Notes
log()call incapture-lite.js's L187-L189 in lieu of the hook.capture-lite.js's L181-L191; module resolution seems like a non-starter at this point, but maybe the mapping from.to a relative path exists in scope here already?