Share a secret across ES6 specific modules, so that other modules cannot access the secret?

Bradley Meck bradley.meck at
Mon Apr 24 19:34:22 UTC 2017

To an extent, yes. You can use hoisting of function declarations and
circular dependencies to create a "gateway". During circular dependencies,
you have a time where function declarations are available but evaluation
has not occured. During that time you can setup your private state. Then,
immediately on evaluation, remove your gateway.

// file: ./secrets

// import all friendly modules (note: all dependencies of these modules
could access GATEWAY)
import './a'
GATEWAY = void 0;

// storage for shared secrets
// gateway
function GATEWAY() {
  if (!SECRET) SECRET = {};
  return SECRET;
export {GATEWAY};

// file: ./a
import {GATEWAY} from './secrets';
if (typeof GATEWAY !== 'function') {
  throw Error('import secrets *first*.');

With Realms ( you may be able to
use the completion value of Module Evaluation to also achieve a way to
share private state in a more sane way. VM implementations allow this in
some ways as well :

On Sun, Apr 23, 2017 at 6:02 PM, Jordan Harband <ljharb at> wrote:

> Nope. This is exactly why it seems that "protected" couldn't have any way
> to work that has "hard" enforcement.
> The only true privacy in JS is via closure (including WeakMaps), or via
> the upcoming "private fields" proposal, assuming it stays as "hard
> private". Anything shared is publicly accessible.
> I'd be very interested to hear any idea that would allow modules A and B
> to privately share something, without module C being able to; the only
> thing I could think of would be some sort of private export that explicitly
> included a list of module specifiers that were allowed to import it - which
> would still not be secure whenever loader hooks exist.
> On Sun, Apr 23, 2017 at 1:42 PM, /#!/JoePea <joe at> wrote:
>> Is there a way to share some secret value across a few modules, and
>> prevent other modules? f.e. prevent modules of an app dev who is importing
>> modules of a library where the library wants to share private stuff across
>> its modules. Is this possible to implement somehow?
>> WeakMaps can be encapsulated inside a module to implement "private"
>> properties for a class defined inside that module and then exported. But
>> "protected" can't be implemented with a WeakMap shared with modules because
>> then end-user app code can import the WeakMap and read all the stuff. Is
>> there some way to share a WeakMap private with classes defined across
>> modules?
>> */#!/*JoePea
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at
> _______________________________________________
> es-discuss mailing list
> es-discuss at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list