GHSA-6pw2-5hjv-9pf7 VS DefinitelyTyped

Nice! Thanks for sharing that link. I've done a bit of digging into that project before and it's definitely a very promising idea.

It has a lot of the same pitfalls as Dyno, imo, in that it would require somebody to define a "security policy" for every module to whitelist permissions.

But, it's also something that could maybe be attacked in a similar way to how TypeScript types were "retroactively" added for existing NPM packages. Ie, packages that have never added their own type declarations (like `express`) can have their types added to DefinitelyTyped[0] and published as a separate NPM package (`@types/express`).

It works fairly well and something like `@endo-policies/express` wouldn't be crazy to add in later. Obviously it's going to be super painful, but fixing tech debt is always going to hurt.

vm2[1] is another Node project with some semi-similar goals that's worth mentioning. It's not designed to be "applied" in the same way as Endo, but it does give you a way to "sandbox" dependencies.

As a security person, I am weary to trust something like vm2 because it is much harder to "get right" than a "sandboxed-by-default" approach like Endo or Dyno. Look at this[2] CVE on vm2 from a few months ago for some evidence about _why_ this approach isn't ideal.

I'm optimistic for the future but we still have a long way to go before we get to it!

0: https://github.com/DefinitelyTyped/DefinitelyTyped

1: https://www.npmjs.com/package/vm2

2: https://github.com/advisories/GHSA-6pw2-5hjv-9pf7

Prior to React 18, it used to include an implicit children prop, making it suitable for components expected to have children. For a long time, though, the implicit children prop type has been removed according to React 18's type changes.

Additionally, because TypeScript has a well established and widely used install-base, there are already many different definition files in the wild for supporting non-TypeScript supporting projects. One of the more extensive collections of these typings lives at the DefinitelyTyped repository, which publishes the package's community typings under the package names @types/your-package-name (where your-package-name is the name of the project you're looking for typings of) that you can look for on your package manager.

View on GitHub

Firefox maintain a library for unified extension API https://github.com/mozilla/webextension-polyfill

Their type definition for HAR request isn't exported https://github.com/DefinitelyTyped/DefinitelyTyped/blob/mast...

type NumberOrString = number | string; type Status = "idle" | "loading" | "success" | "failure" // React useState, can receive a value or a function as parameter to serve as initial value. // https://github.com/DefinitelyTyped/DefinitelyTyped/blob/a03856975a17eba524739676affbf70ac4078176/types/react/v17/index.d.ts#L920 function useState(initialState: S | (() => S)): [S, Dispatch>];

The TypeScript pull request was merged, so Sebastian (who helps maintain the React type definitions) exercised new powers in this pull request to the DefinitelyTyped repository for the React type definitions. At the time of writing, this pull request is still open, but once merged and shipped the React community we will feel its benefits.

there is an open issue: https://github.com/DefinitelyTyped/DefinitelyTyped/issues/61616

Relatively infrequently. Normally, if an npm package is popular and doesn’t have its own types, there will be a community provided types declaration file available from https://github.com/DefinitelyTyped/DefinitelyTyped