Proof of Concept Insights - Removing the Promise Polyfill at RN

[bentobox19]

PoC

https://github.com/LavaMoat/docs/blob/main/react-native-and-ses-lockdown.md

Discussion

Even after forfeiting certain plugins, creating a custom preset the following error appears:

failed to delete intrinsics.Promise.resolve.prototype

Tracking on which procedure is replacing the built-in promise takes us to the following chain of facts:

• node_modules/react-native/Libraries/Core/InitializeCore.js

require('./setUpSystrace');
require('./setUpErrorHandling');
require('./polyfillPromise');
require('./setUpRegeneratorRuntime');
require('./setUpTimers');

• node_modules/react-native/Libraries/Core/polyfillPromise.js

if (global?.HermesInternal?.hasPromise?.()) {

//  <snippet>

} else {
  polyfillGlobal('Promise', () => require('../Promise'));
}

• node_modules/react-native/Libraries/Promise.js

const Promise = require('promise/setimmediate/es6-extensions');

which calls the Promise polyfill at node_modules/promise/src/es6-extensions.js.

PoC Solution

• Patch node_modules/react-native/Libraries/Core/InitializeCore.js ommenting the line

// require('./polyfillPromise');

Items of Action

Similar to #4

• Find out which procedure is actually calling to polyfill Promise
  • Suggestion (by @naugtur) Instead of patching RN we need to look at how they are checking the built-in promise on the global object because they shouldn't be ovewriting this.
• Maybe we want to create a transform for the build package to prevent babel regenerator to put these monkey patches.
  • So, if RN is changing things, we could change them back!
  • This approach avoids patches, avoids creating a custom preset, and require us to just add a plugin at babel.config.js just after the preset.

[leotm]

following up latest RN PoCs

• RN + SES: TypeError: undefined is not a function (near '...globalThis.process.on...') #11 iOS
• RN 0.66.5 + SES 0.18.1: Error failed to del intrinsics.%AsyncGenerator%.length #16 Android

we only have warnings instead of previous errors 🎉

• RN/MMM + SES: 20 Promise warnings #13 Android/iOS JSC
  • also [V8] RN 0.66.5 + SES 0.18.1: 31 warnings #14 Android/iOS v8

tolerable as we have fully functioning Android/iOS RN apps
ignorable via RN's internal LogBox like we're doing

so we can close this as no longer blocking
now under more complete analysis in above issue

in order to fix SES-detected non-standard Promiseness on either

• Promise polyfill: then/promise/src/... (polyfilled via RN by default)
• RN (4) JS engines: android/ios jsc/v8 (if non-standard)
  • RN Core: then remove Promise polyfill no longer needed (if engines non-standard and resolved)
  • nb: Updating 4 engines in diff repo's likely why polyfilling via RN
• SES: endojs/endo/packages/ses/... whitelist (until above resolved)

to arrive at 0 warnings