Share a secret across ES6 specific modules, so that other modules cannot access the secret?

doodad-js Admin doodadjs at
Mon Apr 24 20:53:35 UTC 2017

If you are interested to look at it, I’ve implemented a module loader with a secret shared across the Doodad framework (1)(2) and not available outside that framework. A Doodad module consists of only one export (an “add” function) that injects the module payload into an object. That payload has some metadata and a “create” function that receives the root namespace (public) and shared stuff (protected, like the secret).



(I’m French, so please excuse me if I don’t elaborate more and/or if my English is not accurate)


From: Jordan Harband [mailto:ljharb at] 
Sent: Sunday, April 23, 2017 7:03 PM
To: /#!/JoePea <joe at>
Cc: es-discuss <es-discuss at>
Subject: Re: Share a secret across ES6 specific modules, so that other modules cannot access the secret?


Nope. This is exactly why it seems that "protected" couldn't have any way to work that has "hard" enforcement.


The only true privacy in JS is via closure (including WeakMaps), or via the upcoming "private fields" proposal, assuming it stays as "hard private". Anything shared is publicly accessible.


I'd be very interested to hear any idea that would allow modules A and B to privately share something, without module C being able to; the only thing I could think of would be some sort of private export that explicitly included a list of module specifiers that were allowed to import it - which would still not be secure whenever loader hooks exist.


On Sun, Apr 23, 2017 at 1:42 PM, /#!/JoePea <joe at <mailto:joe at> > wrote:

Is there a way to share some secret value across a few modules, and prevent other modules? f.e. prevent modules of an app dev who is importing modules of a library where the library wants to share private stuff across its modules. Is this possible to implement somehow?


WeakMaps can be encapsulated inside a module to implement "private" properties for a class defined inside that module and then exported. But "protected" can't be implemented with a WeakMap shared with modules because then end-user app code can import the WeakMap and read all the stuff. Is there some way to share a WeakMap private with classes defined across modules?


es-discuss mailing list
es-discuss at <mailto:es-discuss at>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list