Update SES lockdown

[EtDu]

Update to SES lockdown 0.12.4, which includes new option overrideTaming: 'severe'

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbot]

Builds ready [9202e49]

• builds: chrome, firefox, opera
• bundle viz: background, ui, inpage, contentscript, ui-libs, bg-libs, phishing-detect
• build viz: Build System
• code coverage: Report
• storybook: Storybook
• all artifacts

Page Load Metrics (604 ± 43 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	43	85	55	11	5
		domContentLoaded	358	810	602	90	43
		load	359	811	604	90	43
		domInteractive	357	810	602	90	43

[kumavis]

since we're bundling lockdown we can remove the ses dep

[kumavis]

this will help keep develop close to where we are in the lavamoat-for-ui branches

[metamaskbot]

Builds ready [d62d37f]

• builds: chrome, firefox, opera
• bundle viz: background, ui, inpage, contentscript, ui-libs, bg-libs, phishing-detect
• build viz: Build System
• code coverage: Report
• storybook: Storybook
• all artifacts

Page Load Metrics (677 ± 27 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	45	75	56	8	4
		domContentLoaded	591	796	676	57	28
		load	596	798	677	57	27
		domInteractive	590	796	675	57	28

[Gudahtt]

Why was the lockdown script vendored, rather than imported? Where specifically did this script come from, and which version is it?

[EtDu]

Why was the lockdown script vendored, rather than imported? Where specifically did this script come from, and which version is it?

This script came from building lockdown from SES-Shim's master branch. V0.12.3+1-dev, which hasn't been published yet. We want this pre-release build because it applies a more broad override mistake workaround. (For at least all properties on Object.prototype, according to this doc) via overrideTaming: severe as a lockdown option.

[kumavis]

@Gudahtt good question. asking agoric about next version release timeline
but im all for eager adoption and frequent updates since we're actively working on this stuff 👍

[kumavis]

ses release "maybe tomorrow" 👍

[Gudahtt]

Cool - makes sense 👍

Not against including vendored dependencies, but it would be nice if some context for what the file is was included in the codebase alongside it. A pattern I've seen used before is to create a directory under vendor (e.g. app/vendor/ses/) with a README.txt alongside it explaining what the file is, why it was vendored, and how to re-create it exactly (i.e. where to find it, or how to generate it if it was generated, and which modifications to apply if any). That helps ensure we can safely update it in the future without any surprises.

As an example of where this went wrong, I've briefly considered updating app/scripts/chromereload.js in the past, only to give up because I wasn't confident enough that I understood the specific version we used, so I couldn't find corresponding changelog entries for the update I wanted to make. We've periodically forgotten what that file was altogether, and had to rediscover it by googling portions of it, or by asking you.

It sounds like we'll be updating SES pretty soon so it's likely not to be an issue here, but you never know! We could get stuck on this version if the next update introduces problems. Better safe than sorry, and a couple of lines of text should be easy enough to add anyway.

[kumavis]

hold

[metamaskbot]

Builds ready [c1f144a]

• builds: chrome, firefox, opera
• bundle viz: background, ui, inpage, contentscript, ui-libs, bg-libs, phishing-detect
• build viz: Build System
• code coverage: Report
• storybook: Storybook
• all artifacts

Page Load Metrics (599 ± 45 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	45	70	56	7	3
		domContentLoaded	403	830	598	93	45
		load	405	836	599	94	45
		domInteractive	403	829	598	93	45

[kumavis]

need to verify the ses-bug for errors in console is not affected in browser

[kumavis]

heres the ses bug in question endojs/endo#636
validated that it does not affect the browser rendering of errors (only node, this ses version is only used in the browser)

[Gudahtt]

Huh. I don't quite follow what's going on here. Is this an array class that is extending Array and redefining concat?

Could we propose this upstream? They seem to be fairly responsive maintainers.

[kumavis]

your understanding is correct. its fine for them to do that (none of my business), but the override mistake doesnt allow them to do it via assignment. thus this.
yes, we usually PR these patches upstream. but we dont let that block us so we write patches as well.

[Gudahtt]

Got it. Using a patch seems fine for now, but having that work started by creating a PR would be great. Then we could hopefully delete the patch on the next update, rather than re-write it each time. Especially for packages like this that are updated relatively frequently.

[Gudahtt]

LGTM!

I didn't test this yet, but it'll be a while before our next feature release so we'll have plenty of time to find any new SES-related breakages.