Replace Nashorn with GraalVM JS Engine #3233
Conversation
this is required for JDK 15+ compatibility (Nashorn was removed in JDK 15)
BlasiusSecundus
force-pushed
the
feature/2312-replace-nashorn-engine-with-graalvm
branch
from
5532191
to
daacd21
Compare
apanicker-nflx
changed the title
| @@ -105,6 +105,7 @@ public Javascript validate() { | |||
| LOGGER.error("missing " + ENGINE + " engine. Ensure you are running supported JVM"); | |||
| return this; | |||
| } | |||
| scriptEngine.put("polyglot.js.allowHostAccess", true); | |||
There was a problem hiding this comment.
This is required to access Java objects bound as input. (Nashorn allows this by default, but GraalVM requires explicit setting for security reasons: https://www.graalvm.org/22.2/reference-manual/js/NashornMigrationGuide/#secure-by-default). You can validate this by removing the line and running the tests: it will result in errors like this: TypeError: Cannot read property 'testKey1' of undefined
This is equivalent to HostAccess.ALL (see https://www.graalvm.org/22.2/reference-manual/js/ScriptEngine/) which should be identical to the Nashorn behavior.
An alternative would be to use HostAccess.EXPLICIT for greater security, but that would result in a breaking change.
To my understanding, workflows are considered part of the source code of the host application and can be trusted at the same level, thus this should not pose a security risk.
|
This PR is stale, because it has been open for 45 days with no activity. Remove the stale label or comment, or this will be closed in 7 days. |
|
This PR was closed, because it has been stalled for 7 days with no activity. |
|
Is there any technical reason this cannot be merged? Java 11 active support ends in two months: https://endoflife.date/java |
Pull Request type
Changes in this PR
Issue #2312 replace Nashorn with GraalVM JS Engine
Nashorn is deprecated in JDK 11 and removed in JDK 15, resulting in runtime errors (and test failures) on JDK 15+