fix(Code Node): Upgrade pyodide, sandbox it, and prevent JS sandbox escape (#14356)

2025-12-16 09:36:44 +00:00 · 2025-04-23 14:41:48 +02:00
parent 9021e195fa
commit 6c9c720ae9
6 changed files with 42 additions and 59 deletions
--- a/patches/pyodide@0.23.4.patch
+++ b/patches/pyodide@0.23.4.patch
@@ -1,20 +0,0 @@
-diff --git a/pyodide.d.ts b/pyodide.d.ts
-index d5ed46f6345855a75ec6f2b7ef73237a0af64a7e..e0087c83792558ca30713e9d07a9a37625f68d8d 100644
--- a/pyodide.d.ts
-+++ b/pyodide.d.ts
-@@ -1118,6 +1118,15 @@ export declare function loadPyodide(options?: {
- 	 * (``pyodide.js`` or ``pyodide.mjs``) removed.
- 	 */
- 	indexURL?: string;
-+	/**
-+	 * The file path where packages will be cached in `node.js`. If a package
-+	 * exists in `packageCacheDir` it is loaded from there, otherwise it is
-+	 * downloaded from the JsDelivr CDN and then cached into `packageCacheDir`.
-+	 * Only applies when running in node.js. Ignored in browsers.
-+	 *
-+	 * Default: same as indexURL
-+	 */
-+	packageCacheDir?: string;
- 	/**
- 	 * file. You can produce custom lock files with :py:func:`micropip.freeze`.
- 	 * Default: ```${indexURL}/repodata.json```