Mike Samuel mikesamuel Temper Princeton, NJ https://twitter.com/mvsamuel Programming languages and security. Previously, Google technical infrastructure.

BorisMoore/jsviews 826

Interactive data-driven views, MVVM and MVP, built on top of JsRender templates

lirantal/awesome-nodejs-security 667

Awesome Node.js Security resources

mikesamuel/attack-review-testbed 18

Make it easy to probe the strengths and weaknesses of a hardened Node.js stack

gafter/google-rfc-2445 10

A java implementation of RFC 2445 (ical) recurrence rules

mikesamuel/es5-lexer 10

An EcmaScript lexical scanner that is as correct as one can be and produces a token stream that any valid EcmaScript parser will unambiguously interpret.

mikesamuel/arity-of 4

Library that exposes max arity and other metadata for JS functions

mikesamuel/closure-maven-plugin 3

Makes it easy to build web applications by integrating closure-{compiler,stylesheets,templates} and protocol buffers using a maven plugin

mikesamuel/es6-lru-cache 3

An LRU cache implementation based on ES6 Maps

mikesamuel/code-interlingua 1

A parse-tree for a subset of Java that is useful as an intermediate language for multi-backend code generators

mikesamuel/agendas 0

TC39 meeting agendas

push event temper-lang/docs

Mike Samuel

commit sha 841ee926263c07e34a7dd729188efe48cb3f4cce

minor copyedits

push time in a few seconds

push event temper-lang/docs

Mike Samuel

commit sha 588766e95facabc44830a385f79ed1ea7cf0883c

fix ascii art

push time in 2 hours

issue comment openjs-foundation/cross-project-council

Transfer openjs-foundation npm org admin rights

openjsfoundation is now an owner of openjs-foundation so should be able to demote me now.

mikesamuel

comment created time in a day

issue comment openjs-foundation/cross-project-council

Transfer openjs-foundation npm org admin rights

Oh, did I create the wrong kind of org?

mikesamuel

comment created time in a day

issue opened openjs-foundation/cross-project-council

Transfer openjs-foundation npm org admin rights

https://www.npmjs.com/org/openjs-foundation exists.

I hold them currently. @brianwarner has set up an alias. Once that alias can have admin rights I will transfer.

created time in a day

pull request comment openjs-foundation/cross-project-council

doc: adding admin policy docs

FYI, I did some link and formatting cleanup to try and fix the CI problems in https://github.com/joesepi/cross-project-council/pull/1

joesepi

comment created time in a day

push event mikesamuel/cross-project-council

Mike Samuel

commit sha ed9aee966af735c66fdde2193a44a90ee236d17d

Cleanup links in GOVERNANCE.md

This seeks to fix the Travis CI warning, and increases consistency among the links to various parts of the CPC charter and project README.

push time in a day

push event mikesamuel/cross-project-council

Mike Samuel

commit sha 4e83a39268a0125235b7cbc057044c730ccd365a

Update transfer-repo-into-org.md

push time in a day

PR opened joesepi/cross-project-council

Cleanup named links

There were a number of named links at the bottom that pointed to Node.js equivalents.

Replaced inline URLs with named links, cleaned up the named links to separate them from the document text, and got rid of redundant named links.

+14 -13

0 comment

1 changed file

pr created time in a day

push event mikesamuel/cross-project-council

Mike Samuel

commit sha a5efe595bd1dcde4cc6bbbc16bf3a815d9db7449

Cleanup named links

There were a number of named links at the bottom that pointed to Node.js equivalents. Replaced inline URLs with named links, cleaned up the named links to separate them from the document text, and got rid of redundant named links.

push time in a day

Pull request review comment openjs-foundation/cross-project-council

doc: adding admin policy docs

+# OpenJS Core Working Groups++OpenJS Core Working Groups (WG) are autonomous projects created by the+[Cross Project Council (CPC)][].++Working Groups can be formed at any time but must be ratified by the CPC.+Once formed the work defined in the Working Group charter is the+responsibility of the WG rather than the CPC.++It is important that Working Groups are not formed pre-maturely. Working+Groups are not formed to *begin* a set of tasks but instead are formed+once that work is already underway and the contributors+think it would benefit from being done as an autonomous project.++If the work defined in a Working Group's charter is complete, the charter+should be revoked.++A Working Group's charter can be revoked either by consent of the Working+Group's members or by a CPC vote. Once revoked, any future work that arises+becomes the responsibility of the CPC.++## Joining a WG++To find out how to join a working group, consult the GOVERNANCE.md in+the working group's repository.++## Starting A Core Working Group++A Working Group is established by first defining a charter that can be+ratified by the CPC. A charter is a *statement of purpose*, a+*list of responsibilities* and a *list of initial membership*.++A working group needs 3 initial members. These should be individuals+already undertaking the work described in the charter.
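Review bot: `[Cross Project Council (CPC)][]` in the opening paragraph is a reference-style link, but no matching `[Cross Project Council (CPC)]: <url>` definition appears anywhere in this hunk, so it will render as literal bracketed text unless the definition is added at the bottom of the document. While touching that paragraph, `pre-maturely` should be `prematurely`.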

Does the CPC need a designated point of contact?

Does /cross-project-council contain a list of working groups with points of contact?

Is that the (currently empty) section at the bottom?

joesepi

comment created time in 2 days

Pull request review comment openjs-foundation/cross-project-council

doc: adding admin policy docs

+# OpenJS Core Working Groups++OpenJS Core Working Groups (WG) are autonomous projects created by the+[Cross Project Council (CPC)][].++Working Groups can be formed at any time but must be ratified by the CPC.+Once formed the work defined in the Working Group charter is the+responsibility of the WG rather than the CPC.++It is important that Working Groups are not formed pre-maturely. Working+Groups are not formed to *begin* a set of tasks but instead are formed+once that work is already underway and the contributors+think it would benefit from being done as an autonomous project.++If the work defined in a Working Group's charter is complete, the charter+should be revoked.++A Working Group's charter can be revoked either by consent of the Working+Group's members or by a CPC vote. Once revoked, any future work that arises+becomes the responsibility of the CPC.++## Joining a WG++To find out how to join a working group, consult the GOVERNANCE.md in+the working group's repository.++## Starting A Core Working Group++A Working Group is established by first defining a charter that can be+ratified by the CPC. A charter is a *statement of purpose*, a+*list of responsibilities* and a *list of initial membership*.++A working group needs 3 initial members. These should be individuals+already undertaking the work described in the charter.++The list of responsibilities should be specific. Once established, these+responsibilities are no longer governed by the CPC and therefore should+not be broad or subjective. The only recourse the CPC has over the working+group is to revoke the entire charter and take on the work previously+done by the working group themselves.++If the responsibilities described in the charter are currently+undertaken by another WG then the charter will additionally have to be+ratified by that WG.++You can submit the WG charter for ratification by sending+a Pull Request to this document, which adds it to the+list of current Working Groups. 
Once ratified the list of+members should be maintained in the Working Group's+README.++## Bootstrap Governance++Once the CPC ratifies a charter the WG inherits the following+documentation for governance, contribution, conduct and an MIT+LICENSE. The WG is free to change these documents through their own+governance process, hence the term "bootstrap."++```markdown+### *[insert WG name]* Working Group++The OpenJS *[insert WG name]* is jointly governed by a Working Group (WG)+that is responsible for high-level guidance of the project.++The WG has final authority over this project including:++* Technical direction+* Project governance and process (including this policy)+* Contribution policy+* GitHub repository hosting+* Conduct guidelines+* Maintaining the list of additional Collaborators++For the current list of WG members, see the project+[README.md](./README.md#current-project-team-members).++### Collaborators++The *[insert WG name]* GitHub repository is+maintained by the WG and additional Collaborators who are added by the+WG on an ongoing basis.++Individuals making significant and valuable contributions are made+Collaborators and given commit-access to the project. These+individuals are identified by the WG and their addition as+Collaborators is discussed during the weekly WG meeting.++_Note:_ If you make a significant contribution and are not considered+for commit-access log an issue or contact a WG member directly and it+will be brought up in the next WG meeting.++Modifications of the contents of the *[insert WG repo]* repository are made on+a collaborative basis. Anybody with a GitHub account may propose a+modification via pull request and it will be considered by the project+Collaborators. All pull requests must be reviewed and accepted by a+Collaborator with sufficient expertise who is able to take full+responsibility for the change. In the case of pull requests proposed+by an existing Collaborator, an additional Collaborator is required+for sign-off. 
Consensus should be sought if additional Collaborators+participate and there is disagreement around a particular+modification. See _Consensus Seeking Process_ below for further detail+on the consensus model used for governance.++Collaborators may opt to elevate significant or controversial+modifications, or modifications that have not found consensus to the+WG for discussion by assigning the ***WG-agenda*** tag to a pull+request or issue. The WG should serve as the final arbiter where+required.++For the current list of Collaborators, see the project+[README.md](./README.md#current-project-team-members).++### WG Membership++WG seats are not time-limited.  There is no fixed size of the WG.+However, the expected target is between 6 and 12, to ensure adequate+coverage of important areas of expertise, balanced with the ability to+make decisions efficiently.++There is no specific set of requirements or qualifications for WG+membership beyond these rules.++The WG may add additional members to the WG by unanimous consensus.++A WG member may be removed from the WG by voluntary resignation, or by+unanimous consensus of all other WG members.++Changes to WG membership should be posted in the agenda, and may be+suggested as any other agenda item (see "WG Meetings" below).++If an addition or removal is proposed during a meeting, and the full+WG is not in attendance to participate, then the addition or removal+is added to the agenda for the subsequent meeting.  This is to ensure+that all members are given the opportunity to participate in all+membership decisions.  If a WG member is unable to attend a meeting+where a planned membership decision is being made, then their consent+is assumed.++No more than 1/3 of the WG members may be affiliated with the same+employer.  
If removal or resignation of a WG member, or a change of+employment by a WG member, creates a situation where more than 1/3 of+the WG membership shares an employer, then the situation must be+immediately remedied by the resignation or removal of one or more WG+members affiliated with the over-represented employer(s).++### WG Meetings++The WG meets weekly on a Zoom Webinar. A designated moderator+approved by the WG runs the meeting. Each meeting should be+published to YouTube.++Items are added to the WG agenda that are considered contentious or+are modifications of governance, contribution policy, WG membership,+or release process.++The intention of the agenda is not to approve or review all patches;+that should happen continuously on GitHub and be handled by the larger+group of Collaborators.++Any community member or contributor can ask that something be added to+the next meeting's agenda by logging a GitHub Issue. Any Collaborator,+WG member or the moderator can add the item to the agenda by adding+the ***WG-agenda*** tag to the issue.++Prior to each WG meeting the moderator will share the Agenda with+members of the WG. WG members can add any items they like to the+agenda at the beginning of each meeting. The moderator and the WG+cannot veto or remove items.++The WG may invite persons or representatives from certain projects to+participate in a non-voting capacity.++The moderator is responsible for summarizing the discussion of each+agenda item and sends it as a pull request after the meeting.++### Consensus Seeking Process++The WG follows a [Consensus Seeking][] decision-making model.++When an agenda item has appeared to reach a consensus the moderator+will ask "Does anyone object?" as a final call for dissent from the+consensus.++If an agenda item cannot reach a consensus a WG member can call for+either a closing vote or a vote to table the issue to the next+meeting. 
The call for a vote must be seconded by a majority of the WG+or else the discussion will continue. Simple majority wins.++Note that changes to WG membership require unanimous consensus.  See+"WG Membership" above.++<a id="developers-certificate-of-origin"></a>+## Developer's Certificate of Origin 1.1++*Note*: The DCO is mandatory for all OpenJS Foundation projects.++By making a contribution to this project, I certify that:++* (a) The contribution was created in whole or in part by me and I+  have the right to submit it under the open source license+  indicated in the file; or++* (b) The contribution is based upon previous work that, to the best+  of my knowledge, is covered under an appropriate open source+  license and I have the right under that license to submit that+  work with modifications, whether created in whole or in part+  by me, under the same open source license (unless I am+  permitted to submit under a different license), as indicated+  in the file; or++* (c) The contribution was provided directly to me by some other+  person who certified (a), (b) or (c) and I have not modified+  it.++* (d) I understand and agree that this project and the contribution+  are public and that a record of the contribution (including all+  personal information I submit with it, including my sign-off) is+  maintained indefinitely and may be redistributed consistent with+  this project or the open source license(s) involved.++### Moderation Policy++The [OpenJS Moderation Policy] applies to this WG.++### Code of Conduct++The [OpenJS Code of Conduct][] applies to this WG.++[OpenJS Code of Conduct]: https://github.com/openjs-foundation/cross-project-council/blob/master/CODE_OF_CONDUCT.md+[OpenJS Moderation Policy]: https://github.com/openjs-foundation/cross-project-council/blob/master/Moderation-Policy.md+```+++## Current Working Groups
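Review bot: inside the fenced bootstrap governance template, the Consensus Seeking Process section links to `[Consensus Seeking][]`, but the template defines only `[OpenJS Code of Conduct]` and `[OpenJS Moderation Policy]` at its end; a WG that copies the template verbatim therefore ships a broken link. Add the `[Consensus Seeking]: <url>` definition beside the other two, or drop the reference syntax there.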

s/Current/Active/?

joesepi

comment created time in 2 days

Pull request review comment openjs-foundation/cross-project-council

doc: adding admin policy docs

+# OpenJS Core Working Groups++OpenJS Core Working Groups (WG) are autonomous projects created by the+[Cross Project Council (CPC)][].++Working Groups can be formed at any time but must be ratified by the CPC.+Once formed the work defined in the Working Group charter is the+responsibility of the WG rather than the CPC.++It is important that Working Groups are not formed pre-maturely. Working+Groups are not formed to *begin* a set of tasks but instead are formed+once that work is already underway and the contributors+think it would benefit from being done as an autonomous project.++If the work defined in a Working Group's charter is complete, the charter+should be revoked.++A Working Group's charter can be revoked either by consent of the Working+Group's members or by a CPC vote. Once revoked, any future work that arises+becomes the responsibility of the CPC.

On revocation, should GitHub projects related to the WG's work be archived unless WG members request otherwise and the CPC agrees?

It seems that doing so by default might help keep the organization project list manageable.

joesepi

comment created time in 2 days

Pull request review comment openjs-foundation/cross-project-council

doc: adding admin policy docs

+# OpenJS GitHub Organization Management Policy++The OpenJS Foundation GitHub Organization (https://github.com/openjs-foundation) is+provided as a development resource by the OpenJS Foundation under the direction+of the OpenJS Cross Project Council (CPC).++## OpenJS Admin Repository++The [OpenJS admin repository][openjs-foundation/admin] serves as the+central location for managing OpenJS GitHub Organization administrative+activities. Only OpenJS GitHub Organization owners, CPC members have write+permissions to the OpenJS admin repository.++## Organization Roles++### Owners++Whether to grant Owner permissions is determined by optimizing+for the following conflicting requirements:++* Limiting access to reduce risk+* Enabling individuals to move community work forward without undue delay++When possible, automation and tools should be used to reduce the breadth of+access that needs to be provided in order to enable individuals to move+community work forward. As these tools are created, the groups to which+Owner permissions are granted will be reduced.++The following groups are granted Ownership permissions:++* CPC members++### Members++GitHub users are added as members to the OpenJS GitHub Organization when they+are added to any Working Group or team. Organization Owners should add new+members to the organization when requested by a Working Group or team.++## Repositories++Any repository created under the OpenJS GitHub Organization is considered to be+a project under the ownership of the OpenJS Foundation, and thereby subject+to the Intellectual Property and Governance policies of the Foundation.++Any organization member may request the management of repositories within the+OpenJS Foundation GitHub Organization by opening an issue in the+[OpenJS admin repository][openjs-foundation/admin]. 
The actions requested could be:++- Creating a new repository+- Deleting an existing repository+- Archiving an existing repository+- Transferring a repository into or out of the organization++Provided there are no objections from any CPC members raised in+the issue, such requests are approved automatically after 72 hours. If any+objection is made, the request may be moved to a vote by the CPC. If the CPC+rejects the request, then the request is denied.++In certain cases, OpenJS Foundation Board of Directors approval may also be+required.++### Teams++When making a request to create a new repository, specify the team(s) that will+have write or admin access. If there is not an appropriate team to maintain a+new repository, request a new team. Approval is automatic if there are no+objections from CPC after 72 hours.++## Removing or Blocking Individuals++Only OpenJS GitHub Organization owners may remove an individual from the+OpenJS Foundation membership or block individuals. This is due largely to+limitations in the way GitHub permissions are structured.++To remove any current member from the GitHub organization, an issue must be+opened in the OpenJS admin repository. If, after 72 hours, there are no+objections from any CPC members, removal becomes+automatic. If there are objections, then a simple majority vote of the+Cross Project Council in favor of removal are required.
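Review bot: in the OpenJS Admin Repository section, "Only OpenJS GitHub Organization owners, CPC members have write permissions to the OpenJS admin repository" reads as two groups with a missing conjunction; write "owners and CPC members", or "owners (currently the CPC members)" if they are the same set, as the Owners section implies. The `[openjs-foundation/admin]` reference link used twice in this file also needs a definition, which does not appear in this hunk.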

s/are/is/

joesepi

comment created time in 2 days

issue comment openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2020-02-25

https://zoom.us/j/599005386 is the proper meeting link

mhdawson

comment created time in 2 days

push event mikesamuel/package-maintenance

Mike Samuel

commit sha 9197e79b66c04d889b820a7e0d3ddd3b99328c0a

Add advice on keeping vulns off public issue tracker

push time in 20 days

push event OWASP/java-html-sanitizer

Mike Samuel

commit sha 9d3261e58e67a6251005e0910a0c1c7813585d80

Make it easy to copy-paste HTML code block.

push time in 20 days

fork mikesamuel/package-maintenance

Repository for work for discussion of helping with maintenance of key packages in the ecosystem.

fork in 20 days

push event temper-lang/docs

Mike Samuel

commit sha 3ec0fb581e8fc7cc30ea06899cec968a66a86fd5

rewrite to introduce simple value requirements gently

push time in 23 days

push event temper-lang/docs

Mike Samuel

commit sha 27245f9a88084479d0c38c22a7ab0be1fec35e72

update patterning to use latest JS code from Kotlin QueryBuilder

push time in 23 days

issue comment OWASP/java-html-sanitizer

HTML encoding of normalized URLs

How is encoding of '&' affecting actual HTML?

Since the URL is normalized, what's the motivation to add additional encoding? Is it still security relevant?

It's security and correctness relevant.

The URL ?a&amp; needs to be HTML encoded or the browser will misinterpret it.

The URL /"onclick=alert`1` needs to be HTML encoded or the double quote would be interpreted as part of an attribute boundary.

xfh

comment created time in a month
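An added example, not code from the java-html-sanitizer project, that walks through the two URLs in the comment above: a deliberately minimal, constructed model of how a browser ends a double-quoted attribute value and decodes character references, applied to each URL with and without attribute encoding. The encoder, the mini-parser and the two embedding helpers are all constructed for this illustration; the browser model only handles double-quoted or unquoted values and the named references `&amp;`, `&quot;`, `&lt;` and `&gt;`.

```javascript
// Constructed model of the browser side of the problem: a double-quoted attribute
// value ends at the first '"', an unquoted value ends at whitespace or '>', and the
// four named references below are decoded inside the value.  Nothing here is taken
// from the java-html-sanitizer code base.

const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
const NAMED_REFS = { amp: '&', quot: '"', lt: '<', gt: '>' };

// Encode a string for use inside a double-quoted HTML attribute value.
function htmlAttrEncode(s) {
  return s.replace(/[&"<>]/g, (c) => ATTR_ESCAPES[c]);
}

// Decode the named character references the model browser understands.
function decodeRefs(s) {
  return s.replace(/&(amp|quot|lt|gt);/g, (_, name) => NAMED_REFS[name]);
}

// Return the attributes (name -> decoded value) the model browser sees in one start tag.
function parseStartTagAttrs(tag) {
  const body = tag.replace(/^<[a-zA-Z]+\s*/, '').replace(/\s*\/?>$/, '');
  // name, then optionally '=' followed by a double-quoted or an unquoted value
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|([^\s>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    const raw = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : '');
    attrs[m[1].toLowerCase()] = decodeRefs(raw);
  }
  return attrs;
}

// Attributes of the first start tag of an HTML fragment.
function attrsSeenByBrowser(html) {
  return parseStartTagAttrs(html.slice(0, html.indexOf('>') + 1));
}

// A sanitizer that copies the normalized URL straight into the attribute ...
function embedUnencoded(url) {
  return `<a href="${url}">link</a>`;
}

// ... and one that attribute-encodes it first, which is what the comment argues for.
function embedEncoded(url) {
  return `<a href="${htmlAttrEncode(url)}">link</a>`;
}

// The two URLs from the comment above.
const AMP_URL = '?a&amp;';
const QUOTE_URL = '/"onclick=alert`1`';

// Correctness case: unencoded, the browser decodes &amp; and follows '?a&', a different
// URL; encoded, href round-trips to exactly '?a&amp;'.
// Security case: unencoded, the '"' closes href at '/' and onclick becomes a separate
// attribute; encoded, the whole string stays inside href and no onclick attribute exists.
function summarize(url) {
  return {
    unencoded: attrsSeenByBrowser(embedUnencoded(url)),
    encoded: attrsSeenByBrowser(embedEncoded(url)),
  };
}
```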

issue comment OWASP/java-html-sanitizer

Error adding dependency in sbt from Maven Central (insecure dependencies via http)

Glad you figured it out. Thanks for closing.

phwiget

comment created time in a month

issue comment openjs-foundation/standards

Chartering the standards team

As discussed in meeting, we can capture ideas in this shared doc.

Link allows edit, but if it's abused, I can tighten down perms.

MylesBorins

comment created time in a month

issue comment isaacs/github

GH pages does not serve /.well-known directory (per RFC 5785)

@EdOverflow, thanks. That's more elegant than turning off jekyll entirely.

And thanks for your work on security.txt.

mikesamuel

comment created time in 2 months

issue closed OWASP/json-sanitizer

pound symbol is eliminating the closing brackets

I have a response object with a description field. When there is a pound symbol in the description, it's eliminating an equal number of characters from the end of the response. Due to this, closing curly braces are being removed, thus causing a distorted JSON structure. This is happening when we are using the json-sanitizer 1.1 jar.

Any suggestions to avoid this?

closed time in 2 months

baswashekarbattula

push event OWASP/json-sanitizer

Jeremy Landis

commit sha 305b0f235a831391b736c03eaefbd42b104c10ec

Update all plugins, correct javadocs, cleanup Travis Build Setup, and support openjdk13 builds (#17)

* [ci] Cleanup travis setup
  - Removed sudo 'false' as it is obsolete and no longer considered
  - Removed distro 'trusty' as it is legacy setup and unnecessary
  - Removed commented out openjdk6 as it is not supported anyway
  - Removed openjdk7 as it is no longer supported
  - Replaced 'oracle' with 'open' on all jdks as licensing restrictions means it's no longer supported on newer builds.
  - Removed oraclejdk9 as it is no longer supported
  - Added openjdk13
* [pom] Update all the plugins
* [ci] Remove javadoc skip as unnecessary
* [ci] Remove gpg skip as those only run under release plugin per profile
* [pom] Remove 'source' attribute from javadoc as not necessary
  The code base doesn't target 8 itself so setting this is not a good choice at the moment.
* [pom] Add profile to bump compiler for jdk higher than 11
* [ci] Remove all special overrides on travis as unnecessary now
* [javadoc] Correct header usage h2 is after h1 not h3
  If further adjustment is needed, add font usage as necessary. This is a hard break on jdk 13 as
  ```[ERROR] Exit code: 1 - /home/travis/build/hazendaz/json-sanitizer/src/main/java/com/google/json/JsonSanitizer.java:31: error: heading used out of sequence: <H3>, compared to implicit preceding heading: <H1>```

push time in 2 months

issue comment openjs-foundation/standards

Audit membership list

Chiming 🎐

MylesBorins

comment created time in 2 months

delete branch openjs-foundation/standards

delete branch : onboarding-copyedits

delete time in 2 months

push event openjs-foundation/standards

Mike Samuel

commit sha 79fb4cc2354010862507034d0c547e8deae7b07b

Copyedit of verbiage re conflicts of interest

Mike Samuel

commit sha 7982ca751ad6050b46d3d56a995b02f7e29392c0

Update onboarding.md

Co-Authored-By: Jordan Harband <ljharb@gmail.com>

Mike Samuel

commit sha 28bb259dc853680f0884a365325ee905d66d5711

Update onboarding.md

Co-Authored-By: Jordan Harband <ljharb@gmail.com>

Mike Samuel

commit sha ce3f378f33b9ca86294a8f9f5b9b0ba30cc03934

Merge pull request #51 from openjs-foundation/onboarding-copyedits

Copyedit of verbiage re conflicts of interest

push time in 2 months

pull request comment google/node-sec-roadmap

Fix link to hydra worm disclosure document

Sorry, for some reason I didn't notice this when it went past. But it floated up when you closed it. Will try to find a better way to link that.

MarcinHoppe

comment created time in 2 months

push event openjs-foundation/standards

Mike Samuel

commit sha 28bb259dc853680f0884a365325ee905d66d5711

Update onboarding.md

Co-Authored-By: Jordan Harband <ljharb@gmail.com>

push time in 2 months

push event openjs-foundation/standards

Mike Samuel

commit sha 7982ca751ad6050b46d3d56a995b02f7e29392c0

Update onboarding.md

Co-Authored-By: Jordan Harband <ljharb@gmail.com>

push time in 2 months

Pull request review comment openjs-foundation/standards

[Initial draft] Defining and documenting the on-boarding process

+# Onboarding++All participants in the OpenJS Foundation projects and groups must follow the [Code of Conduct](https://github.com/openjs-foundation/cross-project-council/blob/master/CODE_OF_CONDUCT.md).+There are further expectations for members who represent the Standards Working Group (hereby called representatives).++It is understood that representatives will be a part of individual or their company specific projects. But while representing+the Standards Working Group, they should take decisions/discuss/promote in the interest of Standards Group. 
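Review bot: in the second paragraph, "hereby called representatives" should read "hereafter referred to as representatives", and "in the interest of Standards Group" drops both the article and "Working" that the rest of the document uses; make it "in the interest of the Standards Working Group" so the term is consistent wherever it appears.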

interest of the Standards Group

Does the standards group have interests separate from those of foundation-supported projects?

sendilkumarn

comment created time in 2 months

Pull request review comment openjs-foundation/standards

[Initial draft] Defining and documenting the on-boarding process

+# Onboarding++All participants in the OpenJS Foundation projects and groups must follow the [Code of Conduct](https://github.com/openjs-foundation/cross-project-council/blob/master/CODE_OF_CONDUCT.md).+There are further expectations for members who represent the Standards Working Group (hereby called representatives).++It is understood that representatives will be a part of individual or their company specific projects. But while representing+the Standards Working Group, they should take decisions/discuss/promote in the interest of Standards Group. ++If there is a conflict (due to personal or company specific projects), then the representative should be explicit +about the hat they are wearing while deciding/discussing/promoting the project.++Since many members are often a part of one or more projects in the foundation, feel free to discuss it with the members +if there is a potential conflict while representing. The representative can either raise an issue and discuss them during +the Standards Team meeting.++If a representative has an objection or dissent they should express it as early as possible to ensure +there is ample time to discuss and reach consensus before representing Standards Working Group.++Representatives must also conduct themselves in a professional and respectful manner. Some general guidelines include:++* When in doubt always wear the least possible hat.+* Aim to remediate first and then discuss. If other members of the team express concerns about actions, acknowledge their concerns by stopping the actions in question and then discuss within the team to come to a common agreement.+* Treat all community members with respect, consideration, and highest standards of ethical conduct.+* Build trust by keeping your promises.+* Be the model of accountability and leadership. Provide the example of ownership and stewardship that everyone can follow to success.+* Commit to ongoing development and learning best practices for governing.
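Review bot: "The representative can either raise an issue and discuss them during the Standards Team meeting" has an "either" with no matching "or" and a plural "them" with a singular antecedent; suggest "The representative can raise an issue and discuss it during the Standards Team meeting." In the same paragraph, "feel free to discuss it with the members" switches to the imperative while the surrounding sentences describe the representative in the third person; keep one voice.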

Is there a primer for these best practices that you've found useful?

sendilkumarn

comment created time in 2 months

Pull request review comment openjs-foundation/standards

[Initial draft] Defining and documenting the on-boarding process

+# Onboarding++All participants in the OpenJS Foundation projects and groups must follow the [Code of Conduct](https://github.com/openjs-foundation/cross-project-council/blob/master/CODE_OF_CONDUCT.md).+There are further expectations for members who represent the Standards Working Group (hereby called representatives).++It is understood that representatives will be a part of individual or their company specific projects. But while representing+the Standards Working Group, they should take decisions/discuss/promote in the interest of Standards Group. ++If there is a conflict (due to personal or company specific projects), then the representative should be explicit +about the hat they are wearing while deciding/discussing/promoting the project.++Since many members are often a part of one or more projects in the foundation, feel free to discuss it with the members +if there is a potential conflict while representing. The representative can either raise an issue and discuss them during +the Standards Team meeting.++If a representative has an objection or dissent they should express it as early as possible to ensure +there is ample time to discuss and reach consensus before representing Standards Working Group.++Representatives must also conduct themselves in a professional and respectful manner. Some general guidelines include:++* When in doubt always wear the least possible hat.

Is the intent here to convey that you should try to represent the interests of a few parties rather than trying to yourself synthesize the needs of non-foundation projects with those of foundation projects?

sendilkumarn

comment created time in 2 months

Pull request review comment openjs-foundation/standards

[Initial draft] Defining and documenting the on-boarding process

+# Onboarding++All participants in the OpenJS Foundation projects and groups must follow the [Code of Conduct](https://github.com/openjs-foundation/cross-project-council/blob/master/CODE_OF_CONDUCT.md).+There are further expectations for members who represent the Standards Working Group (hereby called representatives).++It is understood that representatives will be a part of individual or their company specific projects. But while representing+the Standards Working Group, they should take decisions/discuss/promote in the interest of Standards Group. ++If there is a conflict (due to personal or company specific projects), then the representative should be explicit +about the hat they are wearing while deciding/discussing/promoting the project.++Since many members are often a part of one or more projects in the foundation, feel free to discuss it with the members +if there is a potential conflict while representing. The representative can either raise an issue and discuss them during +the Standards Team meeting.++If a representative has an objection or dissent they should express it as early as possible to ensure +there is ample time to discuss and reach consensus before representing Standards Working Group.++Representatives must also conduct themselves in a professional and respectful manner. Some general guidelines include:++* When in doubt always wear the least possible hat.+* Aim to remediate first and then discuss. If other members of the team express concerns about actions, acknowledge their concerns by stopping the actions in question and then discuss within the team to come to a common agreement.+* Treat all community members with respect, consideration, and highest standards of ethical conduct.

How much of this is covered by the code of conduct?

sendilkumarn

comment created time in 2 months

pull request comment openjs-foundation/standards

[Initial draft] Defining and documenting the on-boarding process

Some copyedits in PR #51

sendilkumarn

comment created time in 2 months

create branch openjs-foundation/standards

branch : onboarding-copyedits

created branch time in 2 months

issue closed OWASP/java-html-sanitizer

Sanitizer stripping the 'id' attribute

When we are trying to sanitize the below html string, the sanitizer is stripping the 'id' attribute and adding it to the discardedAttributesMap and isValidHtmlString returns false.

htmlString: <p id="scot1">test<br></p>

// Imports needed by the snippets below.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.Nullable;
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

private static final PolicyFactory policy =
        Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(Sanitizers.BLOCKS).and(Sanitizers.STYLES);

private boolean isValidHtmlString(String htmlString) {
    CVHtmlChangeListener cvHtmlChangeListener = new CVHtmlChangeListener();
    // The listener doubles as the context object that is passed back into its callbacks.
    String safeHtmlValue = policy.sanitize(htmlString, cvHtmlChangeListener, cvHtmlChangeListener);
    // Treat the input as invalid if the sanitizer dropped anything or nothing survived.
    if (!cvHtmlChangeListener.getDiscardedTagsList().isEmpty()
            || !cvHtmlChangeListener.getDiscardedAttributesMap().isEmpty()
            || safeHtmlValue.isEmpty()) {
        return false;
    }
    return true;
}

public class CVHtmlChangeListener implements HtmlChangeListener<Object> {
    private final List<String> discardedTagsList;
    private final Map<String, List<String>> discardedAttributesMap;

    CVHtmlChangeListener() {
        discardedTagsList = new ArrayList<>();
        discardedAttributesMap = new HashMap<>();
    }

    public List<String> getDiscardedTagsList() {
        return discardedTagsList;
    }

    public Map<String, List<String>> getDiscardedAttributesMap() {
        return discardedAttributesMap;
    }

    @Override
    public void discardedTag(@Nullable Object context, String elementName) {
        if (context != null) {
            discardedTagsList.add(elementName);
        }
    }

    @Override
    public void discardedAttributes(@Nullable Object context, String tagName, String... attributeNames) {
        if (context != null) {
            // Accumulate per tag name so a second occurrence of the same tag
            // does not overwrite the attributes recorded for an earlier one.
            List<String> attributesList =
                    discardedAttributesMap.computeIfAbsent(tagName, k -> new ArrayList<>());
            for (String attribute : attributeNames) {
                attributesList.add(attribute);
            }
        }
    }
}

Question 1: We would like to understand/know why the 'id' tag is stripped from the above HTML string. Question 2: For now, as a workaround, we have updated our policy as below:

private static final PolicyFactory policyForAttributes = new HtmlPolicyBuilder()
        .allowCommonBlockElements()
        .allowCommonInlineFormattingElements()
        .allowAttributes("id").globally()
        .toFactory();
private static final PolicyFactory policy = Sanitizers.FORMATTING
        .and(Sanitizers.LINKS).and(Sanitizers.BLOCKS).and(Sanitizers.STYLES)
        .and(policyForAttributes);

But this solves for only one attribute. Is there a list of allowed attributes, so that we can create a whitelist of allowed attributes to build our own policy?

closed time in 2 months

ManoharMS

issue comment OWASP/java-html-sanitizer

Sanitizer stripping the 'id' attribute

private static final PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(Sanitizers.BLOCKS).and(Sanitizers.STYLES);

Question 1: We would like to understand/know why 'id' tag is stripped from the above html string?

The sanitizer API requires you to explicitly allow something. Nothing in the above allows the id attribute. The javadoc for HtmlPolicyBuilder notes:

Rules of thumb

  • Everything is denied by default. There are disallow… methods, but those reverse allows instead of rolling back overly permissive defaults.
  • ...

But this solves for only 1 attribute. Is there a list of allowed attributes? so that we create a whitelist of allowed attributes to build our own policy?

Yes. You can allow multiple attributes as in

private static final PolicyFactory policyForAttributes = new HtmlPolicyBuilder()
    .allowCommonBlockElements()
    .allowCommonInlineFormattingElements()
    .allowAttributes("id").globally()
    .allowAttributes("class").globally()
    .toFactory();

or you can pass multiple attribute names to a single .allowAttributes(...) call as in

private static final PolicyFactory policyForAttributes = new HtmlPolicyBuilder()
    .allowCommonBlockElements()
    .allowCommonInlineFormattingElements()
    .allowAttributes("id", "class").globally()
    .toFactory();

The javadoc for allowAttribute explains how it works in more detail.

ManoharMS

comment created time in 2 months
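As an added example (not code from the issue, the reply, or the java-html-sanitizer project), the prebuilt chain from the issue is run beside a policy that allows id only when its value matches a constructed identifier pattern, with a change listener recording what each policy drops; the class names and the PLAIN_ID pattern are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class IdAttributePolicyDemo {

    /** Records every tag and attribute the sanitizer discards into the context list. */
    static final class DiscardLog implements HtmlChangeListener<List<String>> {
        @Override
        public void discardedTag(@Nullable List<String> log, String elementName) {
            if (log != null) {
                log.add("<" + elementName + ">");
            }
        }

        @Override
        public void discardedAttributes(@Nullable List<String> log, String tagName, String... attributeNames) {
            if (log != null) {
                for (String attribute : attributeNames) {
                    log.add(tagName + "@" + attribute);
                }
            }
        }
    }

    // The chain from the issue. Everything is denied by default, and none of
    // these prebuilt policies allows "id", so the sanitizer drops it.
    static final PolicyFactory PREBUILT = Sanitizers.FORMATTING
            .and(Sanitizers.LINKS)
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.STYLES);

    // Constructed for this example: accept an id only when its value is a plain
    // identifier. allowAttributes("id").globally() alone would accept any value.
    static final Pattern PLAIN_ID = Pattern.compile("[A-Za-z][A-Za-z0-9_-]{0,63}");

    static final PolicyFactory WITH_IDS = PREBUILT.and(new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowAttributes("id").matching(PLAIN_ID).globally()
            .toFactory());

    /** Sanitizes html under policy and returns the output followed by what was discarded. */
    static String sanitizeAndReport(PolicyFactory policy, String html) {
        List<String> discarded = new ArrayList<>();
        String safe = policy.sanitize(html, new DiscardLog(), discarded);
        return safe + "    discarded=" + discarded;
    }

    public static void main(String[] args) {
        String fromIssue = "<p id=\"scot1\">test<br></p>";
        // Constructed input whose id value does not match PLAIN_ID.
        String oddId = "<p id=\"not a plain id\">test</p>";

        System.out.println(sanitizeAndReport(PREBUILT, fromIssue)); // id discarded: nothing allowed it
        System.out.println(sanitizeAndReport(WITH_IDS, fromIssue)); // id kept: value matches PLAIN_ID
        System.out.println(sanitizeAndReport(WITH_IDS, oddId));     // id discarded by the pattern
    }
}
```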

push event mikesamuel/cross-project-council

Mike Samuel

commit sha 9791f131daf2e44a6df3b5d2490145b8b7b6fa40

Update PROJECT_PROGRESSION.md Co-Authored-By: Tobie Langel <tobie@unlockopen.com>


push time in 2 months

push event mikesamuel/cross-project-council

Mike Samuel

commit sha e596b51bc0f4b9fcba77d494deeb3a29c582b0d1

Properly capitalize "GitHub" Co-Authored-By: Antón Molleda <molant@users.noreply.github.com>


push time in 2 months

issue comment tc39/dynamic-import-host-adjustment

Chat about dynamic import guards, asset references, and caching complications

@ljharb Thanks for explaining. Attending remotely, I have a hard time telling whether I'm only getting questions from the usual suspects because everyone else feels similarly or has checked out. @engelsdamien suggested a TT-background preso for next meeting. I'll see that it directly addresses how the branding enables the claims we think important.

mikesamuel

comment created time in 2 months

issue comment tc39/dynamic-import-host-adjustment

Chat about dynamic import guards, asset references, and caching complications

Sorry for my crap network connection. Thanks for bearing with me.

I'm sure I missed a lot, but to capture some points discussed:

  • ISE/TT doesn't need or want to change the kinds of keys used for internal caches. My intent was to allow in order
    1. the host to check the brand of the argument to import(...) and control/post-process its conversion to a string
    2. as before, resolution, cache checking and network / file system stuff happens
  • TT has a concept of default policies which is why the brand checks are not entirely separable from the stringification.
  • Node.js resolution involves a lot of fstat-ing so not all hosts have this clean separation. @bmeck Are you concerned about opening the door to more entangling? @bmeck pointed out some language related to (loading module, module reference) pairs, and the spec explicitly allowing different module resolution for the same "absolute reference."
  • It's not my intent to introduce any concept of absolute module reference to ecma262.

@ljharb You were saying something about my not having gotten committee-wide signoff on the appropriateness of brand checks for something related to this proposal. I didn't catch that. What was that case that I need to make?

mikesamuel

comment created time in 2 months

Pull request review comment openjs-foundation/cross-project-council

Clarify that champion duties extend through incubation.

 This is an informational checklist to help projects onboard into the OpenJS Foun - [ ] If choosing to use a Contributor License Agreement (CLA) or Developer Certificate of Origin (DCO), make selection and implement appropriate tool - [ ] Add or Update Governance.md document (required for Impact stage) - [ ] Confirm required files in place (CODE_OF_CONDUCT.md, LICENSE.md)-- [ ] Project Charter is published on website or github+- [ ] Publish Project Charter on website or github - [ ] Update legal copyright notice on project website and github
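Review bot: the rewritten item "Publish Project Charter on website or github" now matches the imperative mood of the neighbouring "Add or Update Governance.md document" and "Confirm required files in place" items, so the list reads consistently; while the line is being touched, capitalize "GitHub" in the added line ("Publish Project Charter on website or GitHub").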

Do the dashes lineup with this change?

mikesamuel

comment created time in 2 months

push event mikesamuel/cross-project-council

Mike Samuel

commit sha 56c3ab3f30f76428ef849d8effe092d087bfd39b

Update PROJECT_PROGRESSION.md Co-Authored-By: Antón Molleda <molant@users.noreply.github.com>


push time in 2 months

pull request comment google/node-sec-roadmap

Fix link to hydra worm disclosure document

Thanks much. Is vince-uploaded a suborigin you control?

MarcinHoppe

comment created time in 2 months

pull request comment openjs-foundation/standards

membership: add mikesamuel

Per issue #41

mikesamuel

comment created time in 2 months

create branch openjs-foundation/standards

branch : membership-mikesamuel

created branch time in 2 months

Pull request review comment openjs-foundation/cross-project-council

Clarify that champion duties extend through incubation.

 This is an informational checklist to help projects onboard into the OpenJS Foun - [ ] If choosing to use a Contributor License Agreement (CLA) or Developer Certificate of Origin (DCO), make selection and implement appropriate tool - [ ] Add or Update Governance.md document (required for Impact stage) - [ ] Confirm required files in place (CODE_OF_CONDUCT.md, LICENSE.md)-- [ ] Project Charter is published on website or github+- [ ] Publish Project Charter on website or github - [ ] Update legal copyright notice on project website and github - [ ] Add OpenJS Foundation logo to project website - [ ] Add Project logo to OpenJS Foundation website; update PROJECTS.md file - [ ] Transfer logomark to the OpenJS Foundation - [ ] If project is using crowdfunding platforms, add disclaimer to platforms - [ ] Identify individuals from the project to join the CPC-- [ ] Document project and foundation contacts for:+- [ ] The champion remains the main point of contact with the CPC, but also document project and foundation contacts for:
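Review bot: the added item "The champion remains the main point of contact with the CPC, but also document project and foundation contacts for:" turns a checkbox into a mix of a statement and an action, so it cannot be checked off cleanly; suggest keeping the action as the checklist item ("- [ ] Document project and foundation contacts for:") and stating the champion's continuing role in a sentence above the list, where the reader will see it before working through the contacts.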

So rollback the change to the onboarding checklist?

mikesamuel

comment created time in 2 months

issue comment tc39/dynamic-import-host-adjustment

Chat about dynamic import guards, asset references, and caching complications

Time is Thursday, December 19

  • 3:00 – 4:00pm US ET
  • 12:00 - 1:00pm US PT

via hangouts

If anyone else wants to join, respond here.

Will try to record.

mikesamuel

comment created time in 2 months

Pull request review comment openjs-foundation/standards

membership: add myles

 The purpose of this repository is to provide a central coordination and document Interested parties can also [join our #standards channel](https://communityinviter.com/apps/js-foundation/join-openjs-foundation-on-slack) on Slack.   For historical documents about our standards work as the jQuery Foundation and JS Foundation, please see this [repository](https://github.com/JSFoundation/standards).++## Team Members++<!-- ncu-team-sync.team(openjs-foundation/standards) -->+- [@MylesBorins](https://github.com/MylesBorins) Myles Borins
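Review bot: the hunk opens the generated list with "<!-- ncu-team-sync.team(openjs-foundation/standards) -->" but no closing marker is visible after the "- [@MylesBorins](https://github.com/MylesBorins) Myles Borins" entry; check that the list is terminated with the sync tool's end marker so that later automated syncs know where the generated block stops and neither duplicate nor discard the entry.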

+1 fwiw

MylesBorins

comment created time in 2 months

Pull request review comment openjs-foundation/standards

update standards calendar of events for remaining 2019 and known 2020

+# 2019 Calendar of Standards Meetings++This list is not exhaustive - it reflects meetings we may or may not be interested in sending an OpenJS Foundation representative to on our behalf.++## 2019++| Date     | Event | Location | SDO | +|----------|-------|----------|-----|+| 06.18-19 | TC53 In-person Meeting | Bay Area, CA | Ecma |+| 06.26-27 | Ecma International General Assembly Meeting | Geneva | Ecma |+| 07.23-25 | TC39 Plenary Meeting | Redmond | Ecma |+| 09.16-20 | TPAC 2019 | Japan | W3C |+| 09.18    | TC53 Meeting | Teleconference | Ecma | +| 10.01-03 | TC39 Plenary Meeting | NYC | Ecma |+| 10.29-30 | TC53 Plenary Meeting | Boston | Ecma |+| 11.20    | TC53 Meeting | Teleconference | Ecma |+| 12.03-05 | TC39 Plenary Meeting | Bay Area, CA | Ecma |+| 12.10-11 | Ecma International General Assembly Meeting | Tokyo | Ecma |+| 12.11    | TC53 Plenary Meeting | Tokyo | Ecma |++## 2020++| Date     | Event | Location | SDO | +|----------|-------|----------|-----|+| 02.04-06 | TC39 Plenary Meeting | University of Honolulu / JSConfHI | Ecma |+| 03.31-04.02 | TC39 Plenary Meeting | Cupertino, CA | Ecma |+| 05.17-19 | AC 2020 | Seoul | W3C |+| 06.02-04 | TC39 Plenary Meeting | Chicago | Ecma |+| 06.17-18 | Ecma International General Assembly Meeting | Geneva | Ecma |+| 07.21-23 | TC39 Plenary Meeting | Seattle | Ecma |+| 09.22-24 | TC39 Plenary Meeting | Tokyo | Ecma |+| 10.26-30 | TPAC 2020 | Vancouver | W3C |+| 11.17-19 | TC39 Plenary Meeting | TBD | Ecma |+| 12.09-10 | Ecma International General Assembly Meeting | TBD North America | Ecma |
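Review bot: the file heading "# 2019 Calendar of Standards Meetings" no longer matches the content, which now has both a "## 2019" and a "## 2020" section; suggest "# Calendar of Standards Meetings" or "# 2019-2020 Calendar of Standards Meetings". The 2020 row "03.31-04.02" also uses a different date format from every other row (MM.DD-DD), so a reader scanning the Date column may misread it; consider writing it as "03.31 - 04.02" or adding a note on the date format.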

Done in https://github.com/openjs-foundation/standards/pull/28/commits/a40a095983e59554bb0cc994be8bbf816fc3331a

jorydotcom

comment created time in 2 months

push event openjs-foundation/standards

Mike Samuel

commit sha a40a095983e59554bb0cc994be8bbf816fc3331a

add CSS-WG-F2F events to 2020 calendar Per [@bkardell's comment](https://github.com/openjs-foundation/standards/pull/28#pullrequestreview-298163347)


push time in 2 months

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-12-03

Time

UTC Tue 03-Dec-2019 19:00 (07:00 PM):

Timezone Date/Time
US / Pacific Tue 03-Dec-2019 11:00 (11:00 AM)
US / Mountain Tue 03-Dec-2019 12:00 (12:00 PM)
US / Central Tue 03-Dec-2019 13:00 (01:00 PM)
US / Eastern Tue 03-Dec-2019 14:00 (02:00 PM)
London Tue 03-Dec-2019 19:00 (07:00 PM)
Amsterdam Tue 03-Dec-2019 20:00 (08:00 PM)
Moscow Tue 03-Dec-2019 22:00 (10:00 PM)
Chennai Wed 04-Dec-2019 00:30 (12:30 AM)
Hangzhou Wed 04-Dec-2019 03:00 (03:00 AM)
Tokyo Wed 04-Dec-2019 04:00 (04:00 AM)
Sydney Wed 04-Dec-2019 06:00 (06:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-12-03&iso=20191203T19
  • or http://www.wolframalpha.com/input/?i=07PM+UTC%2C+Dec+03%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

openjs-foundation/standards

  • TC-53 Participation #24
  • Start accepting nominations for "active" members #23
  • Define and Document the on-boarding process for the Representative #14
  • Standards-related Travel Budget Clarification #6

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-11-19

Time

UTC Tue 19-Nov-2019 19:00 (07:00 PM):

Timezone Date/Time
US / Pacific Tue 19-Nov-2019 11:00 (11:00 AM)
US / Mountain Tue 19-Nov-2019 12:00 (12:00 PM)
US / Central Tue 19-Nov-2019 13:00 (01:00 PM)
US / Eastern Tue 19-Nov-2019 14:00 (02:00 PM)
London Tue 19-Nov-2019 19:00 (07:00 PM)
Amsterdam Tue 19-Nov-2019 20:00 (08:00 PM)
Moscow Tue 19-Nov-2019 22:00 (10:00 PM)
Chennai Wed 20-Nov-2019 00:30 (12:30 AM)
Hangzhou Wed 20-Nov-2019 03:00 (03:00 AM)
Tokyo Wed 20-Nov-2019 04:00 (04:00 AM)
Sydney Wed 20-Nov-2019 06:00 (06:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-11-19&iso=20191119T19
  • or http://www.wolframalpha.com/input/?i=07PM+UTC%2C+Nov+19%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

openjs-foundation/standards

  • TC-53 Participation #24
  • Start accepting nominations for "active" members #23
  • Define and Document the on-boarding process for the Representative #14
  • Standards-related Travel Budget Clarification #6

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-11-05

Time

UTC Tue 05-Nov-2019 19:00 (07:00 PM):

Timezone Date/Time
US / Pacific Tue 05-Nov-2019 11:00 (11:00 AM)
US / Mountain Tue 05-Nov-2019 12:00 (12:00 PM)
US / Central Tue 05-Nov-2019 13:00 (01:00 PM)
US / Eastern Tue 05-Nov-2019 14:00 (02:00 PM)
London Tue 05-Nov-2019 19:00 (07:00 PM)
Amsterdam Tue 05-Nov-2019 20:00 (08:00 PM)
Moscow Tue 05-Nov-2019 22:00 (10:00 PM)
Chennai Wed 06-Nov-2019 00:30 (12:30 AM)
Hangzhou Wed 06-Nov-2019 03:00 (03:00 AM)
Tokyo Wed 06-Nov-2019 04:00 (04:00 AM)
Sydney Wed 06-Nov-2019 06:00 (06:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-11-05&iso=20191105T19
  • or http://www.wolframalpha.com/input/?i=07PM+UTC%2C+Nov+05%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

openjs-foundation/standards

  • TC-53 Participation #24
  • Start accepting nominations for "active" members #23
  • Define and Document the on-boarding process for the Representative #14
  • Standards-related Travel Budget Clarification #6

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-10-22

Time

UTC Tue 22-Oct-2019 18:00 (06:00 PM):

Timezone Date/Time
US / Pacific Tue 22-Oct-2019 11:00 (11:00 AM)
US / Mountain Tue 22-Oct-2019 12:00 (12:00 PM)
US / Central Tue 22-Oct-2019 13:00 (01:00 PM)
US / Eastern Tue 22-Oct-2019 14:00 (02:00 PM)
London Tue 22-Oct-2019 19:00 (07:00 PM)
Amsterdam Tue 22-Oct-2019 20:00 (08:00 PM)
Moscow Tue 22-Oct-2019 21:00 (09:00 PM)
Chennai Tue 22-Oct-2019 23:30 (11:30 PM)
Hangzhou Wed 23-Oct-2019 02:00 (02:00 AM)
Tokyo Wed 23-Oct-2019 03:00 (03:00 AM)
Sydney Wed 23-Oct-2019 05:00 (05:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-10-22&iso=20191022T18
  • or http://www.wolframalpha.com/input/?i=06PM+UTC%2C+Oct+22%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

openjs-foundation/standards

  • TC-53 Participation #24
  • Start accepting nominations for "active" members #23
  • Document governance for the standards-wg #19
  • Define and Document the on-boarding process for the Representative #14
  • Define and Document requirements for the (Standards) Representative #13
  • Standards-related Travel Budget Clarification #6

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-09-10

Time

UTC Tue 10-Sep-2019 18:00 (06:00 PM):

Timezone Date/Time
US / Pacific Tue 10-Sep-2019 11:00 (11:00 AM)
US / Mountain Tue 10-Sep-2019 12:00 (12:00 PM)
US / Central Tue 10-Sep-2019 13:00 (01:00 PM)
US / Eastern Tue 10-Sep-2019 14:00 (02:00 PM)
London Tue 10-Sep-2019 19:00 (07:00 PM)
Amsterdam Tue 10-Sep-2019 20:00 (08:00 PM)
Moscow Tue 10-Sep-2019 21:00 (09:00 PM)
Chennai Tue 10-Sep-2019 23:30 (11:30 PM)
Hangzhou Wed 11-Sep-2019 02:00 (02:00 AM)
Tokyo Wed 11-Sep-2019 03:00 (03:00 AM)
Sydney Wed 11-Sep-2019 04:00 (04:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-09-10&iso=20190910T18
  • or http://www.wolframalpha.com/input/?i=06PM+UTC%2C+Sep+10%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

openjs-foundation/standards

  • Document governance for the standards-wg #19
  • Define and Document the on-boarding process for the Representative #14
  • Define and Document requirements for the (Standards) Representative #13
  • Standards-related Travel Budget Clarification #6

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-08-27

Time

UTC Tue 27-Aug-2019 18:00 (06:00 PM):

Timezone Date/Time
US / Pacific Tue 27-Aug-2019 11:00 (11:00 AM)
US / Mountain Tue 27-Aug-2019 12:00 (12:00 PM)
US / Central Tue 27-Aug-2019 13:00 (01:00 PM)
US / Eastern Tue 27-Aug-2019 14:00 (02:00 PM)
London Tue 27-Aug-2019 19:00 (07:00 PM)
Amsterdam Tue 27-Aug-2019 20:00 (08:00 PM)
Moscow Tue 27-Aug-2019 21:00 (09:00 PM)
Chennai Tue 27-Aug-2019 23:30 (11:30 PM)
Hangzhou Wed 28-Aug-2019 02:00 (02:00 AM)
Tokyo Wed 28-Aug-2019 03:00 (03:00 AM)
Sydney Wed 28-Aug-2019 04:00 (04:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-08-27&iso=20190827T18
  • or http://www.wolframalpha.com/input/?i=06PM+UTC%2C+Aug+27%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

issue closed openjs-foundation/standards

OpenJS Foundation Standards Team Meeting 2019-08-13

Time

UTC Tue 13-Aug-2019 18:00 (06:00 PM):

Timezone Date/Time
US / Pacific Tue 13-Aug-2019 11:00 (11:00 AM)
US / Mountain Tue 13-Aug-2019 12:00 (12:00 PM)
US / Central Tue 13-Aug-2019 13:00 (01:00 PM)
US / Eastern Tue 13-Aug-2019 14:00 (02:00 PM)
London Tue 13-Aug-2019 19:00 (07:00 PM)
Amsterdam Tue 13-Aug-2019 20:00 (08:00 PM)
Moscow Tue 13-Aug-2019 21:00 (09:00 PM)
Chennai Tue 13-Aug-2019 23:30 (11:30 PM)
Hangzhou Wed 14-Aug-2019 02:00 (02:00 AM)
Tokyo Wed 14-Aug-2019 03:00 (03:00 AM)
Sydney Wed 14-Aug-2019 04:00 (04:00 AM)

Or in your local time:

  • http://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Standards%20Team+Meeting+2019-08-13&iso=20190813T18
  • or http://www.wolframalpha.com/input/?i=06PM+UTC%2C+Aug+13%2C+2019+in+local+time

Links

Agenda

Extracted from standards-agenda labelled issues and pull requests from the openjs-foundation org prior to the meeting.

Invited

  • OpenJS Foundation Cross Project Council
  • OpenJS Foundation Project Maintainers
  • OpenJS Foundation Board of Directors

Observers/Guests

Notes

The agenda comes from issues labelled with standards-agenda across all of the repositories in the openjs-foundation org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

link for participants: Zoom link: https://zoom.us/j/914623492

  • For those who just want to watch: https://livestream.openjsf.org

Invitees

Please use the following emoji reactions in this post to indicate your availability.

  • :+1: - Attending
  • :-1: - Not attending
  • :confused: - Not sure yet

closed time in 2 months

mhdawson

delete branch mikesamuel/cross-project-council

delete branch : fix-linty-bits

delete time in 2 months

PR opened openjs-foundation/cross-project-council

fix markdown typos to make `npm run lint-md` run clean

This should not affect the display or semantic content of either edited file.

Travis CI warned on some lint-md errors in an unrelated PR.

+4 -4

0 comment

2 changed files

pr created time in 2 months

create branch mikesamuel/cross-project-council

branch : fix-linty-bits-2

created branch time in 2 months

create branch mikesamuel/cross-project-council

branch : fix-linty-bits

created branch time in 2 months

Pull request review comment openjs-foundation/standards

update standards calendar of events for remaining 2019 and known 2020

+# 2019 Calendar of Standards Meetings++This list is not exhaustive - it reflects meetings we may or may not be interested in sending an OpenJS Foundation representative to on our behalf.++## 2019++| Date     | Event | Location | SDO | +|----------|-------|----------|-----|+| 06.18-19 | TC53 In-person Meeting | Bay Area, CA | Ecma |+| 06.26-27 | Ecma International General Assembly Meeting | Geneva | Ecma |+| 07.23-25 | TC39 Plenary Meeting | Redmond | Ecma |+| 09.16-20 | TPAC 2019 | Japan | W3C |+| 09.18    | TC53 Meeting | Teleconference | Ecma | +| 10.01-03 | TC39 Plenary Meeting | NYC | Ecma |+| 10.29-30 | TC53 Plenary Meeting | Boston | Ecma |+| 11.20    | TC53 Meeting | Teleconference | Ecma |+| 12.03-05 | TC39 Plenary Meeting | Bay Area, CA | Ecma |+| 12.10-11 | Ecma International General Assembly Meeting | Tokyo | Ecma |+| 12.11    | TC53 Plenary Meeting | Tokyo | Ecma |++## 2020++| Date     | Event | Location | SDO | +|----------|-------|----------|-----|+| 02.04-06 | TC39 Plenary Meeting | University of Honolulu / JSConfHI | Ecma |+| 03.31-04.02 | TC39 Plenary Meeting | Cupertino, CA | Ecma |+| 05.17-19 | AC 2020 | Seoul | W3C |+| 06.02-04 | TC39 Plenary Meeting | Chicago | Ecma |+| 06.17-18 | Ecma International General Assembly Meeting | Geneva | Ecma |+| 07.21-23 | TC39 Plenary Meeting | Seattle | Ecma |+| 09.22-24 | TC39 Plenary Meeting | Tokyo | Ecma |+| 10.26-30 | TPAC 2020 | Vancouver | W3C |+| 11.17-19 | TC39 Plenary Meeting | TBD | Ecma |+| 12.09-10 | Ecma International General Assembly Meeting | TBD North America | Ecma |
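Review bot: the sentence "it reflects meetings we may or may not be interested in sending an OpenJS Foundation representative to on our behalf" is hard to parse, and "on our behalf" is redundant with "representative"; suggest "it lists meetings to which the foundation may want to send a representative". Both table header rows "| Date     | Event | Location | SDO | " also end in trailing whitespace after the final pipe, which markdown linters flag.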

@jorydotcom If you're comfortable enabling maintainer edits I'm happy to incorporate the CSS WG F2Fs.

jorydotcom

comment created time in 2 months

issue closed openjs-foundation/standards

Interest in a follow-on TC39 proposals review call?

At the OpenJSF Collaborator Summit, I led a session presenting a few proposals at TC39, and talking them over with people present. It was really helpful for me, as a TC39 delegate, to hear your thoughts, and maybe it was interesting to some of you to hear about these proposals as well. If folks would be interested in having a similar conversation in September or October 2019 (but this time, in a call), I'd be happy to have another one.

closed time in 2 months

littledan

issue comment openjs-foundation/standards

Interest in a follow-on TC39 proposals review call?

Closing since it seems like the collab summit is sorted. @littledan, please reopen if this was a mistake.

littledan

comment created time in 2 months

PR opened openjs-foundation/cross-project-council

Clarify that champion duties extend through incubation.

Fixes #400 per @joesepi's summary of consensus

Champion remains point of contact through incubation. Documentation needs to be updated to make that clear.

+3 -2

0 comment

1 changed file

pr created time in 2 months

create branch mikesamuel/cross-project-council

branch : issue-400

created branch time in 2 months

issue closed tc39/dynamic-import-host-adjustment

Sync with asset references proposal

+@bmeck +@sebmarkbage

Per feedback from the last in-person meeting:

BFS: I’d like to note this has an effect on AssetReferences. They’d also require a similar change for non-string types, since they encode information on where the asset reference is formed, they're not something which can be forged or done with a string identity.

this proposal may overlap with asset references.

Off the top of my head, points of overlap include:

  • Both may affect the HostImportModuleDynamically to FinishDynamicImport flow.
  • Asset references may benefit from the changes to dynamic import to not stringify early.
  • If github.com/wicg/trusted-types defines a TrustedModuleSpecifier type then new AssetReference(...) should not stringify the value assigned to its [AssetSpecifier] internal slot.

closed time in 2 months

mikesamuel

pull request comment openjs-foundation/standards

Disambiguate "meeting"

Does OpenJS prefer an approver merges, or author merges once approved?

mikesamuel

comment created time in 2 months

delete branch mikesamuel/website-copy

delete branch : patch-1

delete time in 2 months

push event tc39/proposal-array-is-template-object

Mike Samuel

commit sha 6e51524576e311d230a5362e4fca661c23da44e0

Update README.md Co-Authored-By: Darien Maillet Valentine <valentinium@gmail.com>


push time in 2 months

push event tc39/proposal-array-is-template-object

Mike Samuel

commit sha 8cdec0294b9ad360e09741a5d1403e30f3fdbd63

Update README.md Co-Authored-By: Darien Maillet Valentine <valentinium@gmail.com>


push time in 2 months

pull request comment tc39/proposal-array-is-template-object

Add practical example to explainer.

@gibson042 @bathos @jridgewell

I put together an example.

I've done some other work on tag functions that mark their output as trusted based on assumptions about the provenance of tag template inputs include:

Those are based on the outcome of the "Node Security Roadmap" discussion of Structured Strings

mikesamuel

comment created time in 3 months

push eventtc39/proposal-array-is-template-object

Mike Samuel

commit sha e1ae2aba7c86c2b88de23437f27ef84b11b7edbe

typo: wrong number of backticks in fenced code block

view details

push time in 3 months

PR opened tc39/proposal-array-is-template-object

Add practical example to explainer.

Fix #12

This does not meet @gibson042's requirement:

but does not demonstrate any use case in which a potential attacker has the ability to provide arguments to a sensitiveOperation function

but as explained on the issue, I think that's the wrong standard.

If we can assume some mechanism to solve provisioning, getting a sensitiveOperation to a tag function without providing it to all the tag function's potential callers, then an unbypassable isTemplateObject check can provide value.

Trusted Types has provisioning machinery, so the example uses that.

+104 -0

0 comment

1 changed file

pr created time in 3 months

create branch tc39/proposal-array-is-template-object

branch : example-for-issue-12

created branch time in 3 months

issue commenttc39/proposal-array-is-template-object

Practical example needed

Will add examples to the explainer.

@gibson042 I'll try to avoid using grand language, but I'd like to ask a few questions to make sure examples address your core concerns.

The README case demonstrates that code can use Array.isTemplateObject to differentiate an array extracted from the static strings of a tagged template from other values, but does not demonstrate any use case in which a potential attacker has the ability to provide arguments to a sensitiveOperation function but does not have the ability to invoke it as a tagged template (or more generally, with an array that was produced from the static strings of an arbitrary tagged template).

Re the bolded text, I think there is value in tagged templates that sit in front of sensitive operations to provide safe abstractions.

Safe abstractions are often built using unsafe APIs. Google's internal toolchains try to limit the code that can use known-unsafe APIs.

  • static analyzers that look for uses of error-prone APIs and require that new uses get approval from someone expert in safely using those APIs.
  • mechanisms like TT, where there are a limited number of first-come-first-serve tokens that prevent arbitrary modules from performing a sensitive operation: in the case of TT, a sensitive constructor.
  • dynamic link-time enforcement: limiting which modules can load modules that export unsafe APIs.

Would you be happy with examples that assume a way to limit access to sensitiveOperation or do you want to see those moving parts as well?

Re "potential attacker", I haven't in my TC39 presos, explicitly stated the threat model. Do you have questions around who is an attacker? @waldemarhorwat talked about "confused deputy" and he's right that a lot of this work in limiting access to error-prone APIs involves guiding developers away from error-prone patterns towards safe abstractions so that the resulting code is less likely to be confusable. This means that the actors are not just (attacker, defender). Would you like to see that addressed as well or is that secondary to you?

gibson042

comment created time in 3 months
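An added example (not code from the proposal repository or from either commenter) of the gap the comment above is arguing about: a tag function guarding a hypothetical sensitiveOperation can only tell a real template object from an attacker-built one if the engine exposes a brand check. The heuristic most libraries use today (frozen array with a frozen raw array) is forgeable. The sensitiveOperation, the sql tag and the forged input are all assumptions constructed for illustration; provisioning (keeping sensitiveOperation away from untrusted callers) is assumed solved, as the comment suggests.

```javascript
// Hypothetical sensitive sink (assumption): builds a query from the static
// string parts and quotes only the interpolated values. It is only safe if
// `parts` really came from program text, i.e. from a tagged template.
function sensitiveOperation(parts, values) {
  let out = parts[0];
  for (let i = 0; i < values.length; i++) {
    out += "'" + String(values[i]).replace(/'/g, "''") + "'" + parts[i + 1];
  }
  return out;
}

// Heuristic "is this a template object?" check: frozen array with a frozen,
// equally long `raw` array. Every property here can be reproduced by user code.
function looksLikeTemplateObject(x) {
  return Array.isArray(x) && Object.isFrozen(x) &&
    Array.isArray(x.raw) && Object.isFrozen(x.raw) && x.raw.length === x.length;
}

// Brand check: prefer the proposed Array.isTemplateObject when the engine has
// it (it cannot be fooled by forgery); otherwise fall back to the heuristic.
function isTemplateObject(x) {
  if (typeof Array.isTemplateObject === "function") return Array.isTemplateObject(x);
  return looksLikeTemplateObject(x);
}

// The safe abstraction: a tag that refuses to run unless it was invoked as a tag.
function sql(strings, ...values) {
  if (!isTemplateObject(strings)) throw new TypeError("sql must be used as a template tag");
  return sensitiveOperation(strings, values);
}

// Legitimate use: the static parts come from this file, only the value is untrusted.
function legit(userName) {
  return sql`SELECT * FROM users WHERE name = ${userName}`;
}

// Forgery: attacker-chosen "static" parts dressed up to satisfy the heuristic.
function forge(attackerParts) {
  const fake = attackerParts.slice();
  fake.raw = Object.freeze(attackerParts.slice());
  return Object.freeze(fake);
}

// Does the forged object pass the heuristic? (It does: the heuristic is bypassable.)
function forgeryPassesHeuristic() {
  return looksLikeTemplateObject(forge(["DROP TABLE users; --", ""]));
}

// Result of calling the guarded tag with the forgery: the unquoted attacker text
// reaches the sink unless the engine provides a real brand check, in which case null.
function forgedCallResult() {
  try {
    return sql(forge(["DROP TABLE users; --", ""]), "ignored");
  } catch (e) {
    return null;
  }
}
```

Run under an engine without Array.isTemplateObject, forgedCallResult() returns the attacker's parts concatenated into the query, which is exactly the case the README example is meant to rule out; with the brand check present the same call throws.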

pull request commentopenjs-foundation/standards

Disambiguate "meeting"

@MylesBorins

should we include something about how an OpenJS delegate should be representing foundation perspective not just their own?

I think the language about "conflicts of interests" touches on that but seems worth clarifying.

I think it's out of scope for this PR. Shall I file a tracking issue along the lines of REQUIREMENTS.md should spell out that attending as an OpenJS Fdn comes with a duty to advocate the fdn's agenda

mikesamuel

comment created time in 3 months

issue commenttc39/dynamic-import-host-adjustment

In code asset reference declarations seem trustable

Filed w3c/webappsec-trusted-types/issues/247 to track dynamic asset references.

mikesamuel

comment created time in 3 months

issue openedw3c/webappsec-trusted-types

How to bless asset references

The TC39 asset reference +(@bmeck @sebmarkbage) separates information about modules from loading of modules.

It provides new syntax for [static asset references]:

asset Foo from "foo";
// Now the name Foo is an asset reference object which can be passed to import(...)

and API for dynamic asset references:

let assetReference = import.resolve("./foo" + fileExtension);

It would be nice if Trusted Types could recognize that

  • the "module-reference" in asset Name from "module-reference" is in the same protection domain as import * from "module-reference" when guarding dynamic import.
  • provide a policy function to bless at least one of
    • a dynamic asset reference
    • its underlying module specifier (perhaps before being passed to import.resolve).

import.resolve does not AFAICT, do any security work. No fetching happens. So it seems that import.resolve is not a sink.

created time in 3 months

issue commentarturbosch/detekt

EqualsAlwaysReturnsTrueOrFalse fails hard on `override fun equals(other:Any) = ...`

Sorry, should have upgraded to latest before posting. Thanks for making/maintaining detekt.

mikesamuel

comment created time in 3 months

issue openedtc39/dynamic-import-host-adjustment

Chat about dynamic import guards, asset references, and caching complications

Will post time once we've agreement and recording of call post.

Scope for discussion is tentatively issue #3 and #4.

created time in 3 months

issue commenttc39/dynamic-import-host-adjustment

Clarify effect on module loader cache and module reuse

Understood. I've been there :)

I'll send you a doodle. I'll ping MarkM and KevinG in case they're interested too.

mikesamuel

comment created time in 3 months

issue commenttc39/dynamic-import-host-adjustment

Sync with asset references proposal

I think issue #3 and issue #4 cover the main points.

mikesamuel

comment created time in 3 months

issue openedtc39/dynamic-import-host-adjustment

In code asset reference declarations seem trustable

When an asset reference statically includes a module reference, it seems we should privilege that to the same degree we privilege static import.

There's no reason to treat the "foo"s differently in

asset Foo from "foo";

import from "foo";

Perhaps TT could specify a host hook HostStaticAssetReference that, in a browser context, uses the realm's TrustedTypesPolicyFactory to bless "foo".

@bmeck

created time in 3 months

issue commenttc39/dynamic-import-host-adjustment

Clarify effect on module loader cache and module reuse

@bmeck That sounds lovely. Are you perchance in Montreal next week?

mikesamuel

comment created time in 3 months

issue openedtc39/proposal-dynamic-code-brand-checks

Host callout should provide enough information to determine flavour.

@erights

Sole blocker for stage 2 is that HostBeforeCompile does not have enough information to distinguish

  • indirect eval from direct eval
  • direct eval in strict mode from direct eval in sloppy mode

It currently has enough info to distinguish

  • eval from *Function invocation
  • different *Function constructors from one another

That should remain true.

created time in 3 months
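An added example, not from the proposal or the issue author, showing why the host callout needs to know the flavour: the same source text run through direct sloppy eval, direct strict eval, indirect eval and the Function constructor has different scope effects, so a host policy that only sees the string cannot reason about what the compiled code can reach. The sloppy direct case is built with the Function constructor so that it stays sloppy even when this file is loaded as a (strict) ES module.

```javascript
// Direct, sloppy-mode eval: sees the caller's scope AND its `var` declarations
// leak into the caller's variable environment. Built via new Function so the
// body is sloppy regardless of how this file itself is loaded.
const directSloppy = new Function(`
  var local = "caller";
  var seen = eval("var leakedSloppy = 1; local");
  return { seesCaller: seen === "caller", varLeaked: typeof leakedSloppy === "number" };
`);

// Direct, strict-mode eval: still sees the caller's scope, but `var`
// declarations stay inside the eval's own variable environment.
function directStrict() {
  "use strict";
  var local = "caller";
  const seen = eval("var leakedStrict = 1; local");
  return { seesCaller: seen === "caller", varLeaked: typeof leakedStrict === "number" };
}

// Indirect eval: runs in the global scope; the caller's locals are invisible,
// and `var` declarations become (deletable) properties of the global object.
function indirectEval() {
  var local = "caller";
  const seen = (0, eval)("var leakedIndirect = 1; typeof local");
  const leaked = typeof globalThis.leakedIndirect === "number";
  delete globalThis.leakedIndirect;
  return { seesCaller: seen === "caller", varLeaked: leaked };
}

// Function constructor: also global scope, but its `var`s are function-local,
// so nothing leaks anywhere the caller can observe.
function functionCtor() {
  var local = "caller";
  const seen = new Function("var leakedCtor = 1; return typeof local")();
  return { seesCaller: seen === "caller", varLeaked: typeof globalThis.leakedCtor === "number" };
}

// Summary table a host hook would want to be able to reproduce from its inputs.
function flavours() {
  return {
    directSloppy: directSloppy(),
    directStrict: directStrict(),
    indirect: indirectEval(),
    functionCtor: functionCtor(),
  };
}
```

Only the direct cases can read the caller's local, and only the sloppy direct case can add bindings to it; a callout that cannot distinguish direct from indirect, or strict from sloppy, cannot apply different policy to the most privileged flavour.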

push eventtc39/dynamic-import-host-adjustment

Mike Samuel

commit sha 9ed6e9b17aebf29b98a08708ec6312883ef6f5b4

Update README.md

view details

push time in 3 months

issue openedtc39/dynamic-import-host-adjustment

Clarify effect on module loader cache and module reuse

Host internal caches key on strings to prevent repeated fetching and loading of semantically-equivalent module references. This proposal should not affect or complicate that.

@bmeck, you raised during plenary that implementations often have corner cases around garbage collection with cross-realm GC. Do I understand correctly that this is a concern re module-reference-string-wrapping objects in keys related to import(moduleReferenceFromAnotherRealm)? Or is that a separable issue?

created time in 3 months

push eventtc39/dynamic-import-host-adjustment

Mike Samuel

commit sha 9d38bf51b5fe4bcdc24de358898a680e7b0b126c

Update README.md

view details

push time in 3 months

issue openedarturbosch/detekt

EqualsAlwaysReturnsTrueOrFalse fails hard on `override fun equals(other:Any) = ...`

A minimal repro code sample below. It looks like the Detekt pass fails when there are zero return statements, e.g. when using fun equals(...) = expression syntax.

Stack Trace

The original exception message was: List is empty.
Running detekt '1.2.0' on Java '11.0.5-ea+10-post-Ubuntu-0ubuntu1' on OS 'Linux'.
If the exception message does not help, please feel free to create an issue on our GitHub page.
kotlin.collections.CollectionsKt___CollectionsKt.first(_Collections.kt:196)
io.gitlab.arturbosch.detekt.rules.bugs.EqualsAlwaysReturnsTrueOrFalse.isSingleReturnWithBooleanConstant(EqualsAlwaysReturnsTrueOrFalse.kt:71)
io.gitlab.arturbosch.detekt.rules.bugs.EqualsAlwaysReturnsTrueOrFalse.returnsBooleanConstant(EqualsAlwaysReturnsTrueOrFalse.kt:63)
io.gitlab.arturbosch.detekt.rules.bugs.EqualsAlwaysReturnsTrueOrFalse.visitNamedFunction(EqualsAlwaysReturnsTrueOrFalse.kt:52)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitNamedFunction(KtVisitorVoid.java:483)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitNamedFunction(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtNamedFunction.accept(KtNamedFunction.java:50)
org.jetbrains.kotlin.psi.KtElementImplStub.accept(KtElementImplStub.java:59)
org.jetbrains.kotlin.com.intellij.psi.impl.PsiElementBase.acceptChildren(PsiElementBase.java:69)
org.jetbrains.kotlin.psi.KtTreeVisitorVoid.visitElement(KtTreeVisitorVoid.java:25)
org.jetbrains.kotlin.psi.KtVisitor.visitKtElement(KtVisitor.java:24)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtElement(KtVisitorVoid.java:25)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtElement(KtVisitorVoid.java:447)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtElement(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtVisitor.visitClassBody(KtVisitor.java:98)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClassBody(KtVisitorVoid.java:89)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClassBody(KtVisitorVoid.java:537)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClassBody(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtClassBody.accept(KtClassBody.kt:38)
org.jetbrains.kotlin.psi.KtElementImplStub.accept(KtElementImplStub.java:59)
org.jetbrains.kotlin.com.intellij.psi.impl.PsiElementBase.acceptChildren(PsiElementBase.java:69)
org.jetbrains.kotlin.psi.KtTreeVisitorVoid.visitElement(KtTreeVisitorVoid.java:25)
org.jetbrains.kotlin.psi.KtVisitor.visitKtElement(KtVisitor.java:24)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtElement(KtVisitorVoid.java:25)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtElement(KtVisitorVoid.java:447)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtElement(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtVisitor.visitExpression(KtVisitor.java:182)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitExpression(KtVisitorVoid.java:169)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitExpression(KtVisitorVoid.java:659)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitExpression(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtVisitor.visitDeclaration(KtVisitor.java:29)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitDeclaration(KtVisitorVoid.java:29)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitDeclaration(KtVisitorVoid.java:453)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitDeclaration(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtVisitor.visitNamedDeclaration(KtVisitor.java:398)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitNamedDeclaration(KtVisitorVoid.java:381)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitNamedDeclaration(KtVisitorVoid.java:959)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitNamedDeclaration(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtVisitor.visitClassOrObject(KtVisitor.java:41)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClassOrObject(KtVisitorVoid.java:37)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClassOrObject(KtVisitorVoid.java:465)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClassOrObject(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtVisitor.visitClass(KtVisitor.java:33)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClass(KtVisitorVoid.java:33)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClass(KtVisitorVoid.java:459)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitClass(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtClass.accept(KtClass.kt:20)
org.jetbrains.kotlin.psi.KtElementImplStub.accept(KtElementImplStub.java:59)
org.jetbrains.kotlin.com.intellij.psi.impl.source.tree.SharedImplUtil.acceptChildren(SharedImplUtil.java:200)
org.jetbrains.kotlin.com.intellij.psi.impl.source.PsiFileImpl.acceptChildren(PsiFileImpl.java:735)
org.jetbrains.kotlin.psi.KtTreeVisitorVoid.visitElement(KtTreeVisitorVoid.java:25)
org.jetbrains.kotlin.com.intellij.psi.PsiElementVisitor.visitFile(PsiElementVisitor.java:34)
org.jetbrains.kotlin.psi.KtVisitor.visitKtFile(KtVisitor.java:73)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtFile(KtVisitorVoid.java:69)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtFile(KtVisitorVoid.java:513)
org.jetbrains.kotlin.psi.KtVisitorVoid.visitKtFile(KtVisitorVoid.java:21)
org.jetbrains.kotlin.psi.KtFile.accept(KtFile.kt:242)
org.jetbrains.kotlin.psi.KtFile.accept(KtFile.kt:229)
io.gitlab.arturbosch.detekt.api.BaseRule.visit(BaseRule.kt:53)
io.gitlab.arturbosch.detekt.api.BaseRule.visitFile(BaseRule.kt:43)
io.gitlab.arturbosch.detekt.api.RuleSet.accept(RuleSet.kt:35)
io.gitlab.arturbosch.detekt.core.Detektor.analyze(Detektor.kt:76)
io.gitlab.arturbosch.detekt.core.Detektor.runSync(Detektor.kt:44)
io.gitlab.arturbosch.detekt.core.Detektor.run(Detektor.kt:28)
io.gitlab.arturbosch.detekt.core.DetektFacade.run(DetektFacade.kt:41)
io.gitlab.arturbosch.detekt.cli.runners.Runner.execute(Runner.kt:29)
io.gitlab.arturbosch.detekt.cli.Main.main(Main.kt:16)

MinimalRepro.kt

package com.example

abstract class MinimalRepro {
    var childList = mutableListOf<Any>()

    open fun value(): Any? = null

    override fun equals(other: Any?): Boolean =
        if (other == null || this::class != other::class) {
            false
        } else {
            val otherSameType = other as MinimalRepro
            childList == otherSameType.childList && value() == otherSameType.value()
        }

    override fun hashCode() = childList.hashCode() + 31 * (value()?.hashCode() ?: 0)

}

Detekt Config

potential-bugs:
  active: true
  Deprecation:
    active: true
  DuplicateCaseInWhenExpression:
    active: true
  EqualsAlwaysReturnsTrueOrFalse:
    active: true

Version

From my build.gradle

plugins {
    id 'org.jetbrains.kotlin.multiplatform' version '1.3.60'
    id 'org.jlleitschuh.gradle.ktlint' version '9.1.1'
    id 'io.gitlab.arturbosch.detekt' version '1.2.0'
    id 'org.jetbrains.dokka' version '0.10.0'
}

Expected Behavior

No exception thrown.

Observed Behavior

Exception thrown. See above.

Steps to Reproduce

  • Put the above code snippet in src/commonMain/kotlin/com/example/MinimalRepro.kt
  • Add a build.gradle that loads detekt plugin 1.2.0 (see config snippet above) and that scans src/
  • gradle detekt

Observe stack trace.

Context

Workaround was to change fun equals(...) = ... to fun equals(...) { return ... }

Impact is low.

Your Environment


  • Version of detekt used: 1.2.0
  • Version of Gradle used (if applicable): 6.0.1
  • Operating System and version: Linux pop-os 5.3.0-22-generic#24+system76~1573659475~19.10~26b2022-Ubuntu SMP Wed Nov 13 20:0 x86_64 x86_64 x86_64 GNU/Linux
  • Link to your project (if it's a public repository): https://gitlab.com/temper-lang/pattern

created time in 3 months
