
chore: Bump ses from 1.15.0 to 2.0.0 #3985

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/ses-2.0.0

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps ses from 1.15.0 to 2.0.0.

Release notes

Sourced from ses's releases.

ses@2.0.0

Major Changes

  • #3153 e619205 Thanks @erights! - Plug NaN Side-channel

    The JavaScript language can leak the bit encoding of a NaN via shared TypedArray views of a common ArrayBuffer. Although the JavaScript language has only one NaN value, the underlying IEEE 754 double-precision floating-point representation has many different bit patterns that represent NaN. This can be exploited as a side-channel to leak information. This actually happens on some platforms such as v8.

    @ChALkeR explains at tc39/ecma262#758 the behavior of this side-channel on v8. At https://junk.rray.org/poc/nani.html he demonstrates it, and it is indeed even worse than I expected.

    To plug this side-channel, we make two coordinated changes.

    • We stop listing the Float*Array constructors as universal globals. This prevents them from being implicitly endowed to created compartments, because they are not harmless. However, we still keep them on the start compartment (the original global), consider them intrinsics, and still repair and harden them on lockdown(). Thus, they can be explicitly endowed to child compartments at the price of enabling code in that compartment to read the side-channel.
    • On lockdown(), we repair the DataView.prototype.setFloat* methods so that they only write canonical NaNs into the underlying ArrayBuffer.

    The @endo/marshal package's encodePassable encodings need to obtain the bit representation of floating point values. It had used Float64Array for that. However, sometimes the @endo/marshal package is evaluated in a created compartment that would now lack that constructor. (This reevaluation typically occurs when bundling bundles in that package.) So instead, encodePassable now uses the DataView methods which are now safe.

Minor Changes

  • #3129 a675d8e Thanks @erights! - overrideTaming: 'moderate' includes overrideTaming: 'min'.

    Previously overrideTaming: 'min' correctly enabled Iterator.prototype.constructor to be overridden by assignment, but due to an oversight, overrideTaming: 'moderate' did not. Now it does.

    To make such mistakes less likely, this PR also adopts a style where all records within larger enablements triple-dot the corresponding record from a smaller enablement, if present.


Commits
  • 17f2ad1 Version Packages
  • 725111c feat(types): ModuleSource global
  • 6dee064 test: conformance for TS 6
  • 325530d chore(deps): bump TypeScript to 6.0
  • cda3e21 test: correct actual/expected positions
  • 4916522 refactor(types): resolve exactOptionalPropertyTypes errors
  • e619205 fix(ses): plug implicit NaN side-channel (#3153)
  • a675d8e fix(ses): enablements grow monotonically (#3129)
  • fdf7d49 style: format typedoc.json
  • 81f74ed build: stop deleting workspace links in postpack
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses) from 1.15.0 to 2.0.0.
- [Release notes](https://github.com/endojs/endo/releases)
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/ses@2.0.0/packages/ses)

---
updated-dependencies:
- dependency-name: ses
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
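The second coordinated change in the release notes, the lockdown() repair of DataView.prototype.setFloat*, as an added illustration that is not ses's code and not part of this PR: a canonicalising wrapper for setFloat64/setFloat32 plus a checker that reads back the raw bits that actually reached the buffer. The function names (repairDataViewNaN, inspectFloat64Write, payloadNaN) are assumptions of this example, and ses's own implementation may differ.

```javascript
// Added example, not ses's code: canonicalising repair of DataView.prototype
// setFloat64/setFloat32, in the spirit of the lockdown() repair described above.

// IEEE 754 quiet NaN with sign 0 and an all-zero payload: the only NaN
// pattern a repaired setter is allowed to write into the ArrayBuffer.
const CANONICAL_NAN64 = 0x7ff8000000000000n;
const CANONICAL_NAN32 = 0x7fc00000;

function repairDataViewNaN(proto = DataView.prototype) {
  const { setFloat64, setFloat32, setBigUint64, setUint32 } = proto;
  const define = (name, fn) =>
    Object.defineProperty(proto, name, { value: fn, writable: true, configurable: true });
  define('setFloat64', function setFloat64Repaired(byteOffset, value, littleEndian) {
    // Any NaN, whatever payload bits it carries, is written as the canonical pattern.
    if (Number.isNaN(value)) {
      return setBigUint64.call(this, byteOffset, CANONICAL_NAN64, littleEndian);
    }
    return setFloat64.call(this, byteOffset, value, littleEndian);
  });
  define('setFloat32', function setFloat32Repaired(byteOffset, value, littleEndian) {
    if (Number.isNaN(value)) {
      return setUint32.call(this, byteOffset, CANONICAL_NAN32, littleEndian);
    }
    return setFloat32.call(this, byteOffset, value, littleEndian);
  });
  return proto;
}

// Write `value` through a DataView and report the raw 64-bit pattern that
// landed in the buffer, so a reviewer can check that no payload bits survived.
function inspectFloat64Write(value, littleEndian = false) {
  const dv = new DataView(new ArrayBuffer(8));
  dv.setFloat64(0, value, littleEndian);
  const bits = dv.getBigUint64(0, littleEndian);
  return { bits, canonicalNaN: bits === CANONICAL_NAN64, readsBack: dv.getFloat64(0, littleEndian) };
}

// Constructed input: a NaN built from a hand-written bit pattern with a
// non-zero payload. Whether the payload survives the round trip through a JS
// value is engine-dependent, which is exactly why the setter must not trust it.
function payloadNaN() {
  const dv = new DataView(new ArrayBuffer(8));
  dv.setBigUint64(0, 0x7ff80000deadbeefn);
  return dv.getFloat64(0);
}
```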
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 4, 2026 10:39
@dependabot dependabot Bot temporarily deployed to default-branch May 4, 2026 10:39 Inactive
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package     Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   ses@2.0.0   92                      100             100       92            100


@dependabot dependabot Bot deployed to default-branch May 4, 2026 10:47 Active