As with many platform-independent languages, JavaScript supports reflection, but it does not include all of the Kotlin reflection API. It is restricted to the class corresponding to the given type. Even the class information is pared down to just the simpleName and isInstance members. The JavaScript class information can be found from the jsClass instance retrieved via the KClass. This can be used to interoperate with JS functions with the help of a reference to a constructor.
The Kotlin/Gradle plugin also has some useful features for JavaScript integration with Kotlin. For example, the Gradle plugin allows us to publish the JavaScript as resources, using a non-module reference, as content in a content distribution network represented by S3 storage. The plugin directly publishes the jar and resources to the S3 storage.
The Kotlin/Gradle plugin supports dead code elimination. This is often referred to as “tree shaking”. It reduces the size of the JavaScript code by removing unused properties, functions and classes. It does not minify the JavaScript; that can be done independently of this step. Some examples of unused declarations include inlined functions that never get called, modules that use a shared library such as the Kotlin standard library, which is about 1.3 Mb while only a smaller portion of it might be needed to compile, and any unused variables. The corresponding Gradle task that invokes this step is ‘browserProductionWebpack’.
Certain declarations help override elimination, such as the ‘dceTask’ block and the ‘keep’ function. The parameter to this function must include the fully qualified name of the declaration, prefixed with the module name. If the declaration is not recognized, it may need to be decorated in a documented manner.
The Gradle plugin allows dependencies to be shown with the task of the same name. The dependencies task helps view the transitive dependencies other than what is included in build.gradle. This helps to specify exclusion of older redundant dependencies, remove those with potential security vulnerabilities and specify upgrades to existing versions of transitive dependencies.
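One way to turn the dependencies task output into a review step, as an added example that is not code from the original post: a Python parser for the dependency tree that reports flagged versions reached only transitively, together with the direct dependency that pulls each one in. The sample tree, the coordinates in it and the flagged set passed by the caller are constructed for illustration.

```python
import re

# Constructed sample of `gradle dependencies` output; coordinates are made up.
SAMPLE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.jetbrains.kotlin:kotlin-stdlib-js:1.4.10
|    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.4.10
+--- com.example:widgets:2.0
|    +--- com.example:legacy-json:1.1 -> 1.4
|    \--- org.jetbrains.kotlin:kotlin-stdlib-js:1.4.10 (*)
\--- com.example:http-client:3.2
     \--- com.example:old-codec:0.9
"""

# Tree node: indent, branch marker, group:name, optional requested
# version, optional "-> resolved" version chosen by conflict resolution.
NODE = re.compile(r"^(?P<indent>[| ]*)[+\\]--- (?P<ga>[^:\s]+:[^:\s]+)"
                  r"(?::(?P<req>\S+))?(?: -> (?P<res>\S+))?")

def parse_tree(text):
    """Yield (depth, 'group:name', resolved_version, root) per tree line."""
    root = None
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend
        depth = len(m["indent"]) // 5  # each tree level is 5 characters wide
        if depth == 0:
            root = m["ga"]  # direct dependency declared in build.gradle
        # "1.1 -> 1.4" means 1.1 was requested but 1.4 ends up on the classpath
        yield depth, m["ga"], m["res"] or m["req"], root

def transitive_findings(text, flagged):
    """Map each flagged transitive 'group:name:version' to the direct
    dependencies that bring it in (candidates for an exclude or upgrade)."""
    findings = {}
    for depth, ga, version, root in parse_tree(text):
        coord = f"{ga}:{version}"
        if depth > 0 and coord in flagged:
            findings.setdefault(coord, set()).add(root)
    return findings

if __name__ == "__main__":
    # Hypothetical flagged set; in practice it comes from an advisory feed.
    flagged = {"com.example:legacy-json:1.1", "com.example:old-codec:0.9"}
    for coord, roots in transitive_findings(SAMPLE, flagged).items():
        print(coord, "via", ", ".join(sorted(roots)))
```

The check matches on the resolved version, so a flagged version that Gradle has already replaced through conflict resolution is not reported.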
The CVEs specific to JavaScript/Kotlin can be addressed with prudent use of dependencies and code changes. Code access security is not implemented in either JavaScript or Kotlin. The runtime can be enhanced to make demands before code can be executed, but the JVM already provides the ability to sandbox, so special language constructs for specific blocks of code are deemed unnecessary.