JavaScript applications use and rely on a lot of third-party code, including modules, packages, libraries, and in some cases even user-provided code for extensions and plug-ins. Too often, applications are fully vulnerable to these code dependencies, so not only do their current security vulnerabilities impact the applications, so do future vulnerabilities. Over night, any dependency could get “upgraded” into an exploit, resulting in a security breach like the event-stream incident.

This is where SES comes in. SES is a JavaScript runtime library for running such third-party code safely inside a featherweight compartment. SES stands for Secure ECMAScript, where ECMAScript is the standards name for JavaScript. SES addresses JavaScript’s lack of security. …

An engineering shortcut for some blockchains

Blockchains that run general programs use gas to abort runaway computations, and to charge for costs of execution. When the only requirement is to abort runaways, the pack of watchdogs mechanism proposed here can serve that purpose with less effort.

A pack of running beagles
A pack of running beagles


Blockchain computations consume “gas”, decrementing a remaining gas budget until it hits zero. The essential purpose of gas is to abort runaways — computations that take too long. An important, but often inessential, purpose of gas is to approximate the costs of computation, to compensate validators and incentivize efficiency. …

Why Large Languages Explode

Adapted from a 2015 es-discuss thread. “Common Lisp” is not the topic. It serves only as one of many illustrative counter-examples.

I have been on the JavaScript standards committee (TC39) since 2007. On TC39, we appreciate the value of language simplicity. But over time, we have lost our vigilance against encroaching complexity. We must better understand how that happens naturally, what the costs are if left unchecked, and what to do about it. This essay is addressed not just to TC39, but to all those who wish to influence the trajectory of the JavaScript standard or any standard facing similar pressures. …


Mark S. Miller

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store