fix(picky-wasm): [SECURITY] remove wee_alloc dependency

`wee_alloc` crate is currently unmaintained and has a few open issues. In particular, one of these issue is an unbounded memeroy leak. As such, we stop considering this crate as production-ready and switch to the default Rust standard allocator in newer NPM packages. - rustwasm/wee_alloc#106 - rustwasm/wee_alloc#107 - https://rustsec.org/advisories/RUSTSEC-2022-0054.html Issue: ARC-98
Devolutions · Sep 19, 2022 · 64c9a82 · 64c9a82
1 parent ba2753e
commit 64c9a82
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 74 deletions.
diff --git a/ffi/wasm/Cargo.lock b/ffi/wasm/Cargo.lock
diff --git a/ffi/wasm/Cargo.toml b/ffi/wasm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "picky"
-version = "0.4.0"
+version = "0.4.1"
 authors = ["Benoît CORTIER <bcortier@proton.me>"]
 edition = "2021"
 publish = false
@@ -35,13 +35,6 @@ serde_json = "1.0.82"
 # code size when deploying.
 console_error_panic_hook = { version = "0.1.7", optional = true }
 
-# `wee_alloc` is a tiny allocator for wasm that is only ~1K in code size
-# compared to the default allocator's ~10K. It is slower than the default
-# allocator, however.
-#
-# Unfortunately, `wee_alloc` requires nightly Rust when targeting wasm for now.
-wee_alloc = { version = "0.4.5", optional = true }
-
 getrandom = { version = "0.2.7", features = ["js"] }
 
 [dev-dependencies]

diff --git a/ffi/wasm/README.md b/ffi/wasm/README.md
@@ -11,7 +11,7 @@ This should be run in the CI.
 2. Build the package: 
 
     ```
-    $ wasm-pack build --target web --scope devolutions --out-name picky --features wee_alloc
+    $ wasm-pack build --target web --scope devolutions --out-name picky
     ```
 
 3. Rename `@devolutions/picky-wasm` to `@devolutions/picky` in `pkg/package.json`.
@@ -34,7 +34,7 @@ Other tests are run using `nodejs` and the `ava` testing framework.
 For these, you need to build the npm package targeting `nodejs`:
 
 ```
-$ wasm-pack build --target nodejs --scope @devolutions --out-name picky --features wee_alloc
+$ wasm-pack build --target nodejs --scope @devolutions --out-name picky
 ```
 
 Rename `@devolutions/picky-wasm` to `@devolutions/picky` in `pkg/package.json`.

diff --git a/ffi/wasm/publish.ps1 b/ffi/wasm/publish.ps1
@@ -2,7 +2,7 @@
 
 $ErrorActionPreference = "Stop"
 
-wasm-pack build --target bundler --scope devolutions --out-name picky --features wee_alloc
+wasm-pack build --target bundler --scope devolutions --out-name picky
 
 if ($LastExitCode -ne 0)
 {

diff --git a/ffi/wasm/src/lib.rs b/ffi/wasm/src/lib.rs
@@ -7,12 +7,6 @@ pub mod pem;
 
 use wasm_bindgen::prelude::*;
 
-// When the `wee_alloc` feature is enabled, use `wee_alloc` as the global
-// allocator.
-#[cfg(festure = "wee_alloc")]
-#[global_allocator]
-static ALLOC: wee_alloc::WeeAlloc = wee_alloc::WeeAlloc::INIT;
-
 #[wasm_bindgen(start)]
 pub fn init_picky() -> Result<(), JsValue> {
     // When the `console_error_panic_hook` feature is enabled, we can call the