mirror of https://github.com/boa-dev/boa.git
Tree:
d6fc7af2a1
add-vhs-ci
benchmarks
control-flow-graph
expect-lints
feature/node_span
feature/snapshot
features
gh-readonly-queue/main/pr-2877-b0ddf5eed00a53281d67fc7d846233fc0d99ce9c
gh-readonly-queue/main/pr-3144-8e48cec73fae708420b9af88813d4870243c491a
main
nan-boxing
optimization/static-shapes
real_conformance
reduce-environment-allocations
refactor/interner
refactor/register-vm
releases/0.17
releases/0.19
semver_checks
tco
utility-crate
wasm-debugger
nightly
v0.10
v0.11
v0.12
v0.13
v0.14
v0.15
v0.16
v0.17
v0.17.1
v0.17.2
v0.17.3
v0.18
v0.19
v0.19.1
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.8.0
v0.9.0
${ noResults }
1739 Commits (d6fc7af2a161d4fba21ed3cfcdd7da4f1398e3a5)
| Author | SHA1 | Message | Date |
|---|---|---|---|
jedel1043
|
e1c2e14b6b |
Preserve ints when executing int operations (#1964)
This Pull Request fixes/closes #1962. It changes the following: - When executing arithmetic operations on `JsValue`s, try to use integer operations and fallback to `f64` operations on error. - Adds tests for serde_json conversions from integer operations. |
3 years ago |
dependabot[bot]
|
3ad9d18d74 |
Bump node-forge from 1.2.1 to 1.3.0 (#1969)
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.2.1 to 1.3.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's changelog</a>.</em></p> <blockquote> <h2>1.3.0 - 2022-03-17</h2> <h3>Security</h3> <ul> <li>Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (<a href="mailto:moosa-yahyazadeh@uiowa.edu">moosa-yahyazadeh@uiowa.edu</a>).</li> <li><strong>HIGH</strong>: Leniency in checking <code>digestAlgorithm</code> structure can lead to signature forgery. <ul> <li>The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see <a href="https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/">"Bleichenbacher's RSA signature forgery based on implementation error"</a> by Hal Finney.</li> <li>CVE ID: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771">CVE-2022-24771</a></li> <li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765">GHSA-cfm4-qjh2-4765</a></li> </ul> </li> <li><strong>HIGH</strong>: Failing to check tailing garbage bytes can lead to signature forgery. <ul> <li>The code does not check for tailing garbage bytes after decoding a <code>DigestInfo</code> ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see <a href="https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/">"Bleichenbacher's RSA signature forgery based on implementation error"</a> by Hal Finney.</li> <li>CVE ID: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772">CVE-2022-24772</a></li> <li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g">GHSA-x4jg-mjrx-434g</a></li> </ul> </li> <li><strong>MEDIUM</strong>: Leniency in checking type octet. <ul> <li><code>DigestInfo</code> is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.</li> <li>CVE ID: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773">CVE-2022-24773</a></li> <li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr">GHSA-2r2c-g63r-vccr</a></li> </ul> </li> </ul> <h3>Fixed</h3> <ul> <li>[asn1] Add fallback to pretty print invalid UTF8 data.</li> <li>[asn1] <code>fromDer</code> is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option <code>parseAllBytes</code> can disable this behavior. <ul> <li><strong>NOTE</strong>: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.</li> </ul> </li> <li>[rsa] Add and use a validator to check for proper structure of parsed ASN.1 <code>RSASSA-PKCS-v1_5</code> <code>DigestInfo</code> data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 <code>PKCS1-v1-5DigestAlgorithms</code>. An invalid <code>DigestInfo</code> or algorithm identifier will now throw an error. <ul> <li><strong>NOTE</strong>: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
dependabot[bot]
|
6c9e210088 |
Bump peter-evans/create-or-update-comment from 1.4.5 to 2 (#1967)
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment) from 1.4.5 to 2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/peter-evans/create-or-update-comment/releases">peter-evans/create-or-update-comment's releases</a>.</em></p> <blockquote> <h2>Create or Update Comment v2.0.0</h2> <h2>What's new</h2> <ul> <li>Updated runtime to Node.js 16 <ul> <li>The action now requires a minimum version of v2.285.0 for the <a href="https://github.com/actions/runner/releases/tag/v2.285.0">Actions Runner</a>.</li> <li>If using GitHub Enterprise Server, the action requires <a href="https://docs.github.com/en/enterprise-server@3.4/admin/release-notes">GHES 3.4</a> or later.</li> </ul> </li> </ul> <h2>What's Changed</h2> <ul> <li>Use double quotes to preserve adjacent spaces correctly by <a href="https://github.com/mfn"><code>@mfn</code></a> in <a href="https://github-redirect.dependabot.com/peter-evans/create-or-update-comment/pull/95">peter-evans/create-or-update-comment#95</a></li> <li>Remove workflow by <a href="https://github.com/peter-evans"><code>@peter-evans</code></a> in <a href="https://github-redirect.dependabot.com/peter-evans/create-or-update-comment/pull/101">peter-evans/create-or-update-comment#101</a></li> <li>Update runtime to node 16 by <a href="https://github.com/peter-evans"><code>@peter-evans</code></a> in <a href="https://github-redirect.dependabot.com/peter-evans/create-or-update-comment/pull/105">peter-evans/create-or-update-comment#105</a></li> <li>7 dependency updates by <a href="https://github.com/actions-bot"><code>@actions-bot</code></a> and <a href="https://github.com/dependabot"><code>@dependabot</code></a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mfn"><code>@mfn</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/peter-evans/create-or-update-comment/pull/95">peter-evans/create-or-update-comment#95</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/peter-evans/create-or-update-comment/compare/v1.4.5...v2.0.0">https://github.com/peter-evans/create-or-update-comment/compare/v1.4.5...v2.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
dependabot[bot]
|
8bf1e31dc7 |
Bump peter-evans/find-comment from 1.3.0 to 2 (#1965)
Bumps [peter-evans/find-comment](https://github.com/peter-evans/find-comment) from 1.3.0 to 2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/peter-evans/find-comment/releases">peter-evans/find-comment's releases</a>.</em></p> <blockquote> <h2>Find Comment v2.0.0</h2> <h2>What's new</h2> <ul> <li>Updated runtime to Node.js 16 <ul> <li>The action now requires a minimum version of v2.285.0 for the <a href="https://github.com/actions/runner/releases/tag/v2.285.0">Actions Runner</a>.</li> <li>If using GitHub Enterprise Server, the action requires <a href="https://docs.github.com/en/enterprise-server@3.4/admin/release-notes">GHES 3.4</a> or later.</li> </ul> </li> </ul> <h2>What's Changed</h2> <ul> <li>ci: remove workflow by <a href="https://github.com/peter-evans"><code>@peter-evans</code></a> in <a href="https://github-redirect.dependabot.com/peter-evans/find-comment/pull/59">peter-evans/find-comment#59</a></li> <li>Update runtime to node 16 by <a href="https://github.com/peter-evans"><code>@peter-evans</code></a> in <a href="https://github-redirect.dependabot.com/peter-evans/find-comment/pull/62">peter-evans/find-comment#62</a></li> <li>4 dependency updates by <a href="https://github.com/actions-bot"><code>@actions-bot</code></a> and <a href="https://github.com/dependabot"><code>@dependabot</code></a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/peter-evans/find-comment/compare/v1.3.0...v2.0.0">https://github.com/peter-evans/find-comment/compare/v1.3.0...v2.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
dependabot[bot]
|
2d01d122a3 |
Bump actions/cache from 2.1.7 to 3 (#1966)
Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v3.0.0</h2> <ul> <li> <p>This change adds a minimum runner version(node12 -> node16), which can break users using an out-of-date/fork of the runner. This would be most commonly affecting users on GHES 3.3 or before, as those runners do not support node16 actions and they can use actions from github.com via <a href="https://docs.github.com/en/enterprise-server@3.0/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect">github connect</a> or manually copying the repo to their GHES instance.</p> </li> <li> <p>Few dependencies and cache action usage examples have also been updated.</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
Magic Panda
|
5fa16685ec |
migrated to clap 3 (#1957)
This Pull Request fixes/closes #1955. It changes the following: - changes structopt to clap |
3 years ago |
Taras Boiko
|
e73c3fd65a |
Fix panic on AST dump in JSON format (#1959)
Some of the fields in AST structs were both 1. Arrays 2. Marked as 'flatten' This is illegal per serde docs (and doesn't really make sense). The fix is to remove the attribute. See: https://serde.rs/attr-flatten.html Fixes: #1920 Co-authored-by: Taras Boiko <me@tboiko.com> |
3 years ago |
|
jedel1043
|
f25ce46a1e |
Migrate to NPM and cleanup Playground (#1951)
This Pull Request closes #1912 by migrating to a NPM based build, hopefully making it easier to contribute to the Playground. Also, reduces the number of features of the editor, since most of them were support for other languages or features that don't make sense in a playground environment. This considerably reduces the number of fetched files per page load and the total size of the playground. |
3 years ago |
Ademílson F. Tonato
|
3b4708ce2f |
docs: update README by structuring the topics (#1958)
It changes the following: - Updates (structuring) the readme to make it easier for first-time users to read the repository. |
3 years ago |
Aaron Ross
|
6498216c3f |
convert inner datetime to local in `to_date_string` (#1953)
This Pull Request fixes/closes #1942. `Date.prototype.toDateString` should return a value representing the local date. The Rust `Date` inner value represents UTC time, so it should be adjusted to local time before formatting (see equivalent conversions performed by `to_string` and `to_time_string`). To verify this is working as intended, run the test suite with your OS timezone set to `GMT+0`, then again with `GMT+10`. The test `date_proto_to_date_string` should pass for each. For me (Ubuntu via WSL), this can be done with `sudo dpkg-reconfigure tzdata`. This PR also fixes a couple other test cases that used the wrong month value (as noted at the top of the file, JS months are 0-based while `chrono` months are 1-based). |
3 years ago |
|
Aaron Ross
|
520b81ea66 |
add README for crates.io publish (#1952)
This Pull Request closes #1948. It changes the following: - set `readme` in `boa_engine` so `README.md` will be published to crates.io - remove unnecessary `exclude` field from `Cargo.toml` in all apps I was unsure whether using a path outside of the workspace root was allowed for `readme` since it [doesn't get included in the release tarball](https://github.com/rust-lang/cargo/issues/5911), but this exact path is used by [juniper](https://github.com/graphql-rust/juniper/blob/master/juniper/Cargo.toml#L13) and [seems to work there](https://crates.io/crates/juniper). I believe `cargo publish` does a bit more than just uploading the tarball, including pulling the `readme` from any arbitrary path. The default behaviour of `cargo package`/`cargo publish` if neither `exclude` or `include` is specified is to include all files from the package root, excluding - dotfiles - .gitignore'd files - subpackages (any subdirectory with a `Cargo.toml` file) - the `/target` directory There's no need to explicitly exclude files from the parent directory since they're already excluded by default. This can be verified by running `cargo package --list` inside any workspace app: ```plain $ cd boa_wasm $ cargo package --list .gitignore Cargo.toml Cargo.toml.orig src/lib.rs ``` You can read more [here](https://doc.rust-lang.org/cargo/reference/manifest.html#the-exclude-and-include-fields). |
3 years ago |
|
dependabot[bot]
|
aaa07cf826 |
Bump prettier from 2.5.1 to 2.6.0 (#1945)
Bumps [prettier](https://github.com/prettier/prettier) from 2.5.1 to 2.6.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/prettier/prettier/releases">prettier's releases</a>.</em></p> <blockquote> <h2>2.6.0</h2> <p>🔗 <a href="https://prettier.io/blog/2022/03/16/2.6.0.html">Release note</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md">prettier's changelog</a>.</em></p> <blockquote> <h1>2.6.0</h1> <p><a href="https://github.com/prettier/prettier/compare/2.5.1...2.6.0">diff</a></p> <p>🔗 <a href="https://prettier.io/blog/2022/03/16/2.6.0.html">Release Notes</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
raskad
|
dbfd42d0a9 |
Fix link to the playground (#1947)
Fixes the link to the playground in the Readme |
3 years ago |
|
dependabot[bot]
|
ebf2bc64cb |
Bump dyn-clone from 1.0.4 to 1.0.5 (#1946)
Bumps [dyn-clone](https://github.com/dtolnay/dyn-clone) from 1.0.4 to 1.0.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
jedel1043
|
ebab0ecd67
|
Deploy playground to custom destination dir (#1943)
|
3 years ago |
jasonwilliams
|
8f5d9ce8b2 |
try gh-pages action
|
3 years ago |
|
jasonwilliams
|
bbd6529f65 |
remove push
|
3 years ago |
|
jasonwilliams
|
44aed97038 |
remove deps
|
3 years ago |
|
jasonwilliams
|
afe3c28202 |
comment out publish job
|
3 years ago |
|
jasonwilliams
|
199912b960 |
change order
|
3 years ago |
|
jasonwilliams
|
ea33772de6 |
move to args
|
3 years ago |
|
jasonwilliams
|
abce76c674 |
remove cd into boa_engine
|
3 years ago |
|
jasonwilliams
|
bdab5e2b98 |
add boa_engine as argument
|
3 years ago |
|
jasonwilliams
|
16f3a0bd29 |
give everything a version
|
3 years ago |
Jason Williams
|
be901735e5
|
generated changelog for 0.14 (#1882)
Co-authored-by: João Borges <rageknify@gmail.com> |
3 years ago |
Halid Odat
|
17a6c8661e |
Fix `BigInt` and `Number` comparison (#1887)
Fixes `BigInt` and `Number` comparison, and vice versa. Before we were removing the decimal point of the floating-point number which was causing cases like `0.000001 > 0n` (or `0n < 0.000001`) to fail. |
3 years ago |
|
dependabot[bot]
|
40e35f101b |
Bump test262 from `f7fb969` to `0bccacd` (#1928)
Bumps [test262](https://github.com/tc39/test262) from `f7fb969` to `0bccacd`. <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
dependabot[bot]
|
48f23b3c77 |
Bump monaco-editor from 0.32.1 to 0.33.0 (#1927)
Bumps [monaco-editor](https://github.com/microsoft/monaco-editor) from 0.32.1 to 0.33.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/microsoft/monaco-editor/blob/main/CHANGELOG.md">monaco-editor's changelog</a>.</em></p> <blockquote> <h2>[0.33.0]</h2> <h3>Breaking Changes</h3> <ul> <li><code>InlayHintKind.Other</code> is removed.</li> </ul> <h3>Thank you</h3> <p>Contributions to <code>monaco-editor</code>:</p> <ul> <li><a href="https://github.com/Dan1ve"><code>@Dan1ve (Daniel Veihelmann)</code></a>: Make Vite sample code Firefox compatible [PR <a href="https://github-redirect.dependabot.com/microsoft/monaco-editor/issues/2991">#2991</a>](<a href="https://github-redirect.dependabot.com/microsoft/monaco-editor/pull/2991">microsoft/monaco-editor#2991</a>)</li> <li><a href="https://github.com/philipturner"><code>@philipturner (Philip Turner)</code></a>: Add <code>@noDerivative</code> modifier to Swift [PR <a href="https://github-redirect.dependabot.com/microsoft/monaco-editor/issues/2957">#2957</a>](<a href="https://github-redirect.dependabot.com/microsoft/monaco-editor/pull/2957">microsoft/monaco-editor#2957</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/monaco-editor/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> |
3 years ago |
|
raskad
|
23711a638b |
Refresh vm docs and fix bytecode trace output (#1921)
It changes the following: - Refreshes the vm and debugging docs to represent the current state - Fix some bytecode trace output - Rename a field in the `CodeBlock` |
3 years ago |
Nikodem Rabuliński
|
9eb6a78abc |
Implement Array.from (#1831)
<!--- Thank you for contributing to Boa! Please fill out the template below, and remove or add any information as you feel neccesary. ---> This Pull Request fixes/closes #1784. There're still a few tests failing, notably: - `iter-set-elem-prop-non-writable` - we don't have generator functions implemented - `calling-from-valid-1-noStrict`, `iter-map-fn-this-non-strict` - `thisArg` in non-strict mode, when undefined, should be inherited (that's what I'm guessing, I haven't confirmed this, but strict counterparts do pass with `thisArg` being `undefined`) - `source-array-boundary`, `elements-deleted-after` - ~~Not sure yet, still investigating, but they also include thisArg, so perhaps function calling has an underlying issue?~~ Failing because `this` on the top level evaluates to an empty object instead of containing everything from the top scope Co-authored-by: HalidOdat <halidodat@gmail.com> |
3 years ago |
Iban Eguia
|
128f836680 |
Added funding information to the repository (#1871)
This will add the "Sponsor" button to the repository, which will redirect to the OpenCollective platform. |
3 years ago |
|
dependabot[bot]
|
09bfabb0b0 |
Bump git2 from 0.14.1 to 0.14.2 (#1919)
Bumps [git2](https://github.com/rust-lang/git2-rs) from 0.14.1 to 0.14.2. <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
raskad
|
0027f26d21 |
Use function name from identifiers in assignment expressions (#1908)
Use function name from identifiers in assignment expressions, when a function expressions does not contain a name. |
3 years ago |
|
jedel1043
|
51f75d8ccb |
Update `yarn.lock` and add `build:prod` command (#1910)
<!--- Thank you for contributing to Boa! Please fill out the template below, and remove or add any information as you feel neccesary. ---> This Pull Request makes it easier to build the Boa playground in production mode, with a new `build:prod` command. |
3 years ago |
|
raskad
|
a44be7073b |
Fix postfix increment and decrement return values (#1913)
This fixes a bug with the postfix increment and decrement. Before those operators would return the left-hand-side value, but the spec specifies they should return ToNumeric(left-had-side value). |
3 years ago |
|
dependabot[bot]
|
51ae856c83 |
Bump css-loader from 6.7.0 to 6.7.1 (#1914)
Bumps [css-loader](https://github.com/webpack-contrib/css-loader) from 6.7.0 to 6.7.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpack-contrib/css-loader/releases">css-loader's releases</a>.</em></p> <blockquote> <h2>v6.7.1</h2> <h3><a href="https://github.com/webpack-contrib/css-loader/compare/v6.7.0...v6.7.1">6.7.1</a> (2022-03-08)</h3> <h3>Bug Fixes</h3> <ul> <li>defaultGetLocalIdent export (<a href="https://github-redirect.dependabot.com/webpack-contrib/css-loader/issues/1427">#1427</a>) (<a href=" |
3 years ago |
|
dependabot[bot]
|
f7920cdca8 |
Bump regex from 1.5.4 to 1.5.5 (#1915)
Bumps [regex](https://github.com/rust-lang/regex) from 1.5.4 to 1.5.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/regex/blob/master/CHANGELOG.md">regex's changelog</a>.</em></p> <blockquote> <h1>1.5.5 (2022-03-08)</h1> <p>This releases fixes a security bug in the regex compiler. This bug permits a vector for a denial-of-service attack in cases where the regex being compiled is untrusted. There are no known problems where the regex is itself trusted, including in cases of untrusted haystacks.</p> <ul> <li><a href="https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8">SECURITY #GHSA-m5pq-gvj9-9vr8</a>: Fixes a bug in the regex compiler where empty sub-expressions subverted the existing mitigations in place to enforce a size limit on compiled regexes. The Rust Security Response WG published an advisory about this: <a href="https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw">https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
Addison Crump
|
92dbba6c5d |
Prevent breaks without loop or switch from causing panics (#1860)
This PR changes the following: - Replaces a panic with a syntax error when a break is used outside of a loop or switch - Adds a test for that |
3 years ago |
|
raskad
|
7f90829f88 |
Compile StatementList after parse passes on negative tests (#1906)
This fixes an issue with 262 negative tests, that should produce a syntax errors. Currently we only parse the test code is such cases. If the parsing does not return an error, we do not compile the code further. This caused some panics. Most of them are fixed by now, the last ones will be fixed with #1860. |
3 years ago |
Jason Williams
|
44b5617d8d |
Added boa examples (#1161)
Added boa examples as per issue #446 Overtaken https://github.com/boa-dev/boa/pull/634 Somehow screwed that branch up by rebasing it and losing access pings @elasmojs This Pull Request fixes/closes #446 . Co-authored-by: Jason Williams <jase.williams@gmail.com> Co-authored-by: Iban Eguia (Razican) <razican@protonmail.ch> Co-authored-by: jasonwilliams <jase.williams@gmail.com> Co-authored-by: jedel1043 <jedel0124@gmail.com> |
3 years ago |
|
raskad
|
6ff36fb2a3 |
Implement destructing assignments for assignment expressions (#1895)
It changes the following: - Implement destructing assignments for assignment expressions |
3 years ago |
|
jedel1043
|
9f9e36c910 |
Fix try/catch/finally related bugs and add tests (#1901)
<!--- Thank you for contributing to Boa! Please fill out the template below, and remove or add any information as you feel neccesary. ---> This Pull Request fixes some bugs related to try blocks: - Fixes a panic when a finally block contained variable declarations. (Thanks to @VTCAKAVSMoACE for the report!) - Fixes a bug where try blocks in the last position of a statement list didn't return its inner last value as the result of the evaluation. - Add tests for both cases and two other common cases. - Extract and cleanup some code. |
3 years ago |
|
jedel1043
|
2a6ea9dad6 |
Deny const declarations without initializer inside for loops (#1903)
<!--- Thank you for contributing to Boa! Please fill out the template below, and remove or add any information as you feel neccesary. ---> This Pull Request fixes/closes #1897. It changes the following: - Rejects uninitialized const declarations inside the init value of a for loop statement. - Adds test for the case. |
3 years ago |
|
dependabot[bot]
|
a49b57beb7 |
Bump css-loader from 6.6.0 to 6.7.0 (#1904)
Bumps [css-loader](https://github.com/webpack-contrib/css-loader) from 6.6.0 to 6.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpack-contrib/css-loader/releases">css-loader's releases</a>.</em></p> <blockquote> <h2>v6.7.0</h2> <h2><a href="https://github.com/webpack-contrib/css-loader/compare/v6.6.0...v6.7.0">6.7.0</a> (2022-03-04)</h2> <h3>Features</h3> <ul> <li>re-export defaultGetLocalIdent (<a href="https://github-redirect.dependabot.com/webpack-contrib/css-loader/issues/1423">#1423</a>) (<a href=" |
3 years ago |
|
dependabot[bot]
|
6378204052 |
Bump test262 from `18ce639` to `f7fb969` (#1905)
Bumps [test262](https://github.com/tc39/test262) from `18ce639` to `f7fb969`. <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |
|
Addison Crump
|
cc755db485 |
Continue panic fixes (#1896)
This PR changes the following: - Fixes the panics induced by incorrect continues. - Adds tests which demonstrate the various panics induced. - Actually rustfmts correctly? |
3 years ago |
|
Addison Crump
|
7fa37b50bc |
Fix unreachable panics in compile_access (#1861)
This PR changes the following: - More elegantly handles illegal access statements in compile_access - Adds a slew of previously unhandled illegal access test cases ### Caveats It is very, very likely that you will want to simply restrict unary and assignment operations in the AST. However, this prevents crashes in the meantime with a error that is just slightly less detailed than if it were implemented in AST. |
3 years ago |
|
jedel1043
|
3b53fec412 |
Extract `Intrinsics` struct from `Context` and cleanup names (#1890)
Building up to #186, this PR extracts an `Intrinsics` struct from `Context`, facilitating a lot the extraction of a `Realm` struct. Also, it adapts the `BuiltIn` trait to be useful for builtins that don't expose a global property on initialization (`Generator`, `TypedArray`, etc.) It changes the following: - Creates an `Intrinsics` struct and refactors `Context` to transfer its intrinsic related fields to `Intrinsics`. - Renames some methods and parameters to better describe their functionality. - Makes `BuiltIn::init` return `Option<JsValue>` to skip global property initialization if the builtin initialization returns `None` |
3 years ago |
|
Halid Odat
|
9c2b1114c4 |
Implement `Number.parseInt` and `Number.parseFloat` (#1894)
This PR add `Number.parseInt` and `Number.parseFloat` which according to spec are clones of the global objects `parseInt` and `parseFloat`.
It also fixes the last failing test of the `NativeError` feature with this we get 100% spec complaint `NativeError`s 🎉
It changes the following:
- Add `Number.parseInt()`
- Add `Number.parseFloat()`
- Fix length of `AggregateError`
- Fix length of `Reflect.setPrototypeOf`
|
3 years ago |
|
dependabot[bot]
|
3ec6f633db |
Bump webpack from 5.69.1 to 5.70.0 (#1892)
Bumps [webpack](https://github.com/webpack/webpack) from 5.69.1 to 5.70.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpack/webpack/releases">webpack's releases</a>.</em></p> <blockquote> <h2>v5.70.0</h2> <h1>Features</h1> <ul> <li>update node.js version constraints for ESM support</li> <li>add <code>baseUri</code> to <code>entry</code> options to configure a static base uri (the base of <code>new URL()</code>)</li> <li>alphabetically sort exports in namespace objects when possible</li> <li>add <code>__webpack_exports_info__.name.canMangle</code></li> <li>add proxy support to <code>experiments.buildHttp</code></li> <li><code>import.meta.webpackContext</code> as ESM alternative to <code>require.context</code></li> <li>handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module</li> </ul> <h1>Bugfixes</h1> <ul> <li>fix problem when assigning <code>global</code> to a variable</li> <li>fix crash when using <code>experiments.outputModule</code> and <code>loaderContext.importModule</code> with multiple chunks</li> <li>avoid generating progress output before the compilation has started (ProgressPlugin)</li> <li>fix handling of non-static-ESM dependencies with using TLA and HMR in the same module</li> <li>include the asset module filename in hashing</li> <li><code>output.clean</code> will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser</li> </ul> <h1>Performance</h1> <ul> <li>fix asset caching when using the BannerPlugin</li> </ul> <h1>Developer Experience</h1> <ul> <li>improve typings</li> </ul> <h1>Contributing</h1> <ul> <li>capture caching errors when running the test suite</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
3 years ago |