This is a proposal for addition to the CommonJS Modules spec to define the two separate options for the, as yet undefined, area of functionality surrounding modules and natives.
So far this area has been specifically left undefined as an implementation detail. However, it is the purpose of this proposal to recognize the necessity of explicitly specifying the two major options for how this should be implemented.
This proposal is meant to recognize how some implementations already work and give a name to the two separate existing standards. That way everyone should know what the differences are and the implications.
Modules (with global natives) "MGN"
Uses the same natives at the script which loads it.
Modifying the prototype of a native from within an MGN module would NOT limit those changes to the scope of the module.
Prior art: script tags in an html page in any browser. Each script runs in the same environment with access to the same natives.
Modules (with sandboxed natives) "MSB"
Uses fresh "sandboxed" natives.
Modifying the prototype of a native from within an MSB module would limit those changes to the scope of the module and its exports.
Instances of these "sandboxed" natives may be exported using `exports` or available from an exported closure.
Why do we need to specify this?
Also, making modules secure is a very important feature.
Not all implementations of CommonJS support the same things. It's important when talking about an environments support for CommonJS that we be explicit about exactly what level of support they have.
Giving these two Module options separate names and separate APIs is important in order to manage user expectation.
This proposal is less interested in the specific API implementation of each of these options as it is with specifying that they are separate and important things.
One option for the API would be to use a separate function name for requiring:
An alternative options would be to pass an additional argument to `require`
MSB: `require('sandbox-my-natives', true)`
"I personally prefer having separate function names since that's a bit clearer when reading the code. But I'm sure other people care about it more." — Thomas Aylott
These two specifications are not mutually exclusive.
An environment may claim CommonJS compliance if it implements at least one of these Modules specifications.
i.e. NodeJS could implement MGN and not MSB and still be a CommonJS compatible environment.
Extending native prototypes is the devil