Hacker News | kumavis's comments


Keybase <3


Funny thing is, I still use it.

It might be _the_ fastest chat platform right now. Other things like WhatsApp, Messenger, Telegram, Signal, Matrix/Element, Discord, Slack, Rocket Chat, Mattermost (and all the platforms that implement some kind of a chat by now), are all significantly slower. Sending messages takes longer, UI is slower, everything is slower somehow. The only exception that I know of being IRC.

It also allowed tree-shaped groups, you can nest as many as you like depending on your needs. It's so handy compared to the limited server/channel/thread logic elsewhere.

I will miss it dearly once they shut it down.


Take a look at FOKS. Made by the people who made Keybase.

https://foks.pub/


Very interesting, unfortunately their blog has no RSS feed :D



> all the malware did was modify the destination addresses of cryptocurrency payments mediated via online wallets like MetaMask

A clarification: Despite MetaMask depending on the compromised packages, it was not directly affected because: 1) packages were not updated while the compromise was live, and 2) MetaMask uses LavaMoat for install-time and run-time protections against compromised packages.

However the payload did attempt to compromise other pages that interact with wallets like MetaMask.

Disclaimer: I worked on LavaMoat

LavaMoat: https://github.com/lavamoat/lavamoat


Have you considered using JS polyfills to help you get closer to 100% coverage and then replacing with native implementations prioritized by performance impact?


Not really, no. It's an interesting proposition, but for the most part I believe I'll be sticking it out the "hard way". The ECMAScript spec is fairly easy to read as well, after all. (Never mind that I spent the single free hour I had today cursing at my incapability of understanding what is going wrong with my iterator code and what it even should do vis-à-vis the spec :D )



Hadn't heard of breakapp! Paper author Nikos Vasilakis also contributed to Mir (https://github.com/andromeda/mir).

This is similar to my work on LavaMoat (https://lavamoat.github.io/), which provides runtime supply chain security protections to JS apps (Node.js or browser) by eliminating ambient authority and only exposing global capabilities per npm package according to user-specified policy. LavaMoat is used in production at MetaMask, protecting ~300M users.


Caja's spiritual successor is HardenedJS (https://hardenedjs.org/), authored by some of the same folks (Mark Miller + friends). As I understand it, Caja attempted to secure not just javascript but the DOM as well, which ultimately proved to be a too large, interconnected, and rapidly changing surface to keep up with.

LavaMoat (https://lavamoat.github.io/), while not quite object capabilities, builds on HardenedJS to provide runtime supply chain security protections to JS apps (Node.js or browser) by eliminating ambient authority and only exposing global capabilities per npm package according to user-specified policy. LavaMoat is used in production at MetaMask, protecting ~300M users.

OCapN (https://github.com/ocapn/ocapn/) is a nascent effort to standardize a distributed object capability protocol (transferring capabilities across mutually distrusting peers).
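
The idea in the two LavaMoat comments above (no ambient authority, globals exposed per package by policy), as an added sketch that is not part of the thread and is not LavaMoat's or HardenedJS's code. The policy shape, the package names and `loadPackage()` are hypothetical, and the host capabilities are constructed stand-ins.

```javascript
// Added illustration only: NOT LavaMoat or HardenedJS code.
// Policy shape, package names and loadPackage() are hypothetical.

// Constructed policy: the only globals each package may see.
const policy = {
  'pad-lib': { globals: [] },
  'http-lib': { globals: ['fetch'] },
};

// Constructed stand-ins for the host's ambient capabilities.
const hostGlobals = {
  fetch: (url) => `fetched:${url}`,
  localStorage: { seed: 'constructed-secret' },
};

function loadPackage(name, source) {
  // Copy only the policy-granted capabilities into a prototype-less object.
  const granted = Object.create(null);
  for (const g of policy[name]?.globals ?? []) granted[g] = hostGlobals[g];

  // has() claims every identifier, so a free variable in the package
  // resolves here and never falls through to the real global scope.
  const scope = new Proxy(granted, {
    has: () => true,
    set: () => { throw new TypeError(`${name}: globals are read-only`); },
  });

  // Function bodies are sloppy by default, so `with` is allowed here;
  // the package code itself still runs in strict mode.
  const run = new Function('scope',
    `with (scope) { return (function () { 'use strict'; ${source} })(); }`);
  return run(scope);
}

// Not a complete sandbox: real isolation also needs frozen, tamed
// intrinsics, which this sketch leaves out.
function demo() {
  const probe = "typeof fetch + ',' + typeof localStorage";
  return {
    pad: loadPackage('pad-lib', `return ${probe};`),
    http: loadPackage('http-lib', `return fetch('https://example.invalid/') + ',' + typeof localStorage;`),
    unlisted: loadPackage('unknown-lib', `return ${probe};`),
  };
}
```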

