With the rise in supply chain attacks and OSS dependencies being used as an attack vector, Microsoft is working with our ecosystem partners, such as the Linux Foundation's OpenSSF, to enable OSS consumers to track packages back to their public sources.
We've identified that the following packages published to NPM do not report where sources can be found, typically accomplished by including a link to your GitHub repository in your `package.json` REPOSITORY field. This PR was created to add this value, ensuring future releases will include this provenance information.
Published NPM packages with repository information:
* satcheljs
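A check of the kind this PR motivates, as an added example that is not part of the original PR or the satcheljs project: it normalises the forms npm accepts for the `repository` field in `package.json` and lists the manifests that give no usable source link. The function names, package names and URLs are constructed for illustration.

```javascript
// Hosts for the "host:owner/name" shorthand that npm accepts in "repository".
const SHORTHAND_HOSTS = {
  github: 'https://github.com/',
  gitlab: 'https://gitlab.com/',
  bitbucket: 'https://bitbucket.org/',
};

// Return a browsable https URL for the manifest's source, or null when the
// field is absent or cannot be resolved to a repository.
function repositoryUrl(manifest) {
  const repo = manifest.repository;
  const raw = (typeof repo === 'string' ? repo
    : repo && typeof repo.url === 'string' ? repo.url : '').trim();
  if (!raw) return null;
  const short = /^([a-z]+):([\w.-]+\/[\w.-]+)$/.exec(raw);
  if (short && SHORTHAND_HOSTS[short[1]]) return SHORTHAND_HOSTS[short[1]] + short[2];
  if (/^[\w.-]+\/[\w.-]+$/.test(raw)) return SHORTHAND_HOSTS.github + raw; // bare owner/name
  let url;
  try {
    url = new URL(raw.replace(/^git\+/, '')); // "git+https://..." -> "https://..."
  } catch {
    return null; // free text, not a repository reference
  }
  if (!['https:', 'http:', 'git:', 'ssh:'].includes(url.protocol)) return null;
  return 'https://' + url.hostname + url.pathname.replace(/\.git$/, '');
}

// Split manifests into those that declare a source location and those that do not.
function auditManifests(manifests) {
  const report = { traceable: [], missing: [] };
  for (const m of manifests) {
    const url = repositoryUrl(m);
    if (url) report.traceable.push({ name: m.name, url });
    else report.missing.push(m.name);
  }
  return report;
}

// Constructed sample manifests; the names and URLs are placeholders.
const SAMPLE_MANIFESTS = [
  { name: 'pkg-object', repository: { type: 'git', url: 'git+https://github.com/example-org/pkg-object.git' } },
  { name: 'pkg-shorthand', repository: 'gitlab:example-org/pkg-shorthand' },
  { name: 'pkg-bare', repository: 'example-org/pkg-bare' },
  { name: 'pkg-missing' },
  { name: 'pkg-empty-url', repository: { type: 'git', url: '' } },
  { name: 'pkg-garbage', repository: 'see the wiki' },
];

console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
```

A resolved URL only shows that the manifest declares a source location; it does not prove the published tarball was built from that repository.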
`global` is a value in NodeJS, and is polyfilled by webpack, but it is not defined in any browser context. `globalThis` is meant to act as the global reference in all contexts, but is only implemented in Edge/Chrome >= 71, Firefox >= 65, Safari >= 12.1, and NodeJS >= 12.
This change replaces all references to `global` with `globalObject`, a value that is initialized to point to either `globalThis`, `window`, or `global`, depending on which is defined.
This change improves `mutatorAction` typings to return a function with the same parameters as the input function, rather than simply `(...args: any[]) => void`.
This addresses #129. The fix was simple; we already have this check for normal mutators, so the fix is to pass the return value through so that the same check can apply to mutator actions.
Using bound functions instead of anonymous functions helps reduce the depth of the call stack between the point where an action is invoked and the point where the respective method is called, making it easier to read the call stack while debugging.
I noticed that the TravisCI build was not failing even when there were legitimate test failures. I'm still not sure what the root of the problem was, but it led me down a rabbit hole of fixes:
1. Simplify the `.travis.yml` script. There's no reason not to just run build+tests on every build.
2. Switch to using `ts-jest` instead of our own custom transform...
3. ...Which led to updating `typescript` and `jest`...
4. ...Which involved a small handful of dev and test code fixes.
For various historical reasons dispatch hasn't been wrapped in `transaction` since an early version of Satchel. This means that every subscriber to an action executes in its own transaction, possibly causing multiple unnecessary renders. Now that we've updated to MobX v4, it's possible to use `transaction` again.
The change to actual source code is trivial; the rest of the change is test code to validate that we're handling the transaction correctly.
There are actually two things going on here:
1. Update to latest MobX 4.x release. In this version the [API for turning on strict mode](https://github.com/mobxjs/mobx/blob/gh-pages/docs/refguide/api.md#enforceactions) changed. (The old values are still accepted, but if you try to use them it prints an annoying warning to the console.)
2. Change our strict mode from `always` to `observed`. The main place this is an issue is when creating a `new ObservableMap()` in order to initialize a store. In `always` mode that would have to be done inside an action, which Satchel doesn't give a convenient way to do. The `observed` mode is the closest match to how strict mode worked in MobX 2.x.
This updates Satchel to the latest versions of `mobx` and `mobx-react`. There were a number of breaking API changes, including some (as far as I can tell) undocumented ones in the spying infrastructure. This will be in v4 of Satchel since consumers will be forced to take a new major version of MobX.