SES-shim VS esbuild

I used E in the 90s: http://erights.org/

I haven't kept up with newer systems but I've heard of https://github.com/endojs/endo and just came across http://reports-archive.adm.cs.cmu.edu/anon/home/anon/isr2017... (which says "in the style of the E programming language" -- that's as far as I've read) while looking that up.

WebAssembly was designed to follow the same capability security principles. CHERI too as someone else just brought up.

There are other potential solutions I haven’t explored close enough (like Endo and SES), or completely omitted as they’re based on an imperfect blacklist-based approach to security (like sandboxed WebWorkers). However, the mentioned 4 solutions are the top contenders, at least in my mind.

I don't know why you are being silently downvoted, as I think it is worth talking about the potential of using static analysis to improve things.

One promising approach is Endo[0] which "uses LavaMoat to automatically generate reviewable policies that determine what capabilities will be distributed to third party dependencies."

[0] https://github.com/endojs/endo

Agoric moved forward and Realms gave way to SES

https://github.com/endojs/endo/tree/master/packages/ses

And Endo is a set of tools (being) built around it to make it more practical for particular usecases

Yea you could restrict the app by whitelisting only the network services and folders that it will use and that's pretty valuable though at least on Linux could already easily be achieved otherwise. It's good that Deno makes it easy but let's be honest, most people will just pass -A.

I'd love to see a permissions system on a library basis. It would ask the first time a dependency is added and when a new permission is requested after an update. Javascript doesn't make that easy though by being so dynamic. SES could maybe help: https://github.com/endojs/endo/blob/master/packages/ses/READ...

I was poking around on the internet a bit earlier and I found this project. It looks pretty cool, and I figured perhaps a few of y'all might find it cool too!

I have no idea if it actually sandboxes networking by default. This other project, endo[0], seems to add some of that functionality.

Regardless of the maturity though, it makes me excited to see this type of work getting done now!

(What made me want to research it was this[1] thread from the other day.)

0: https://github.com/endojs/endo

1: https://news.ycombinator.com/item?id=30215212

Fortunately the problem could become more tractable if something like SES / Endo takes off:

"Endo protects program integrity both in-process and in distributed systems. SES protects local integrity, defending an application against supply chain attacks: hacks that enter through upgrades to third-party dependencies. Endo does this by encouraging the Principle of Least Authority. ... Endo uses LavaMoat to automatically generate reviewable policies that determine what capabilities will be distributed to third party dependencies."

https://github.com/endojs/endo

Yeah. JavaScript is probably the closest to being there (with things like SES[0], LavaMoat[1], etc.) but we're not quite there yet. It's just shocking that this sort of thing is as seemingly obscure as it is; it's like the whole industry has collectively thrown up their hands and said code execution is unavoidably radioactively dangerous. (While simultaneously using package managers that... well.) But it doesn't have to be!

[0] https://github.com/Agoric/ses-shim

[1] https://github.com/LavaMoat/LavaMoat

During my search for deploying Lambdas via GitHub actions, I came across a tutorial that utilized ncc for converting TypeScript and bundling. While ncc is effective, I discovered esbuild, which proved to be significantly faster and perfectly suited to my requirements.

The advent of esbuild, the native support for ES Modules in browsers, the widespread adoption of import map, the emergence of tools like Native Federation, and the Nx ecosystem all combine to forge a flexible and well-maintained Micro Frontend Architecture.

EsBuild is a relatively new, blazing-fast JavaScript bundler and minifier. It stands out for its high performance, significantly speeding up the build process in development pipelines.

Unlike Webpack, the Vite DevServer only compiles files when they are requested. It leverages ES module imports, which allow JS files to import other files without needing to bundle them together during development. When one file changes, only that file needs to be re-compiled, and the rest can remain unchanged. Project files are compiled with Rollup.js. Third-party dependencies in node_modules are pre-compiled using the ultra-fast esbuild bundler for maximum speed, and they are cached until the dependency version changes. Vite also provides a client script for hot module reloading.

Use esbuild to build the React code into a form executable on both the server and client sides.

The functions will bundle using esbuild. For that, it is required to install esbuild globally:

TSX is the newest and most improved version of our ts-node, using ESBuild to transpile TS files to JS very quickly. The most interesting part is that TSX was developed to be a complete replacement for Node, so you can actually use TSX as a TypeScript REPL, if you install it globally with npm i -g tsx, just run tsx in your terminal and you can write TSX natively. But what's even cooler is that you can load TSX for all TypeScript files using --loader tsx when you run your file. For example, let's say we have this file called index.ts:

esbuild plus Vite is out of developer preview and enabled by default, yielding 67%, 87%, 80% speed improvements for build time, hybrid build time and hybrid serve time respectively.

Bundling with esbuild

Besides Webpack, there are many other popular web bundlers available, such as Parcel, Esbuild, Rollup, and more. They all have their own unique features and strengths, and you should make your decision based on the needs and requirements of your specific project. Please refer to their official websites for details.