ES Modules: suggestions for improvement

Jussi Kalliokoski jussi.kalliokoski at
Wed Jun 27 11:34:29 PDT 2012

> "For security, the Loader object could be frozen with Object.freeze to
> prevent additional changes."
> => This is not enough. People shouldn't have to opt-in for security,
> mostly because they don't do it. I woud call for security by default here
> and having "import <path>" call the built-in Loader.resolve instead of the
> dynamic one.
> If people want to override the Loader API, they would have to forget about
> syntax. Or a new syntax could be introduced, making clear that it's
> dangerous. Maybe something like "importDyn".

Sorry to arrive late to the party, but I don't see the security issue here.
Is this about third party scripts being able to change what modules get
loaded, to inject a malicious script into a module path? Why would they do
that if they already have script access and can import the malicious stuff
themselves? Or is this something about leaking secrets?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list