Code reviews of the js-sandbox crate // Lib.rs

RUSTSEC-2024-0403 on 2024-07-18: op_panic in the base runtime can force a panic in the runtime's containing thread

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core

This function when called triggers a manual panic in the thread containing the runtime, breaking sandboxing

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };

This crate has no reviews yet. To add a review, set up your cargo-crev.

Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository with a git tag matching the version. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open js-sandbox. Alternatively, you can download the tarball of js-sandbox v0.2.0-rc.2 or view the source online.