diff --git a/docs/js_binary.md b/docs/js_binary.md
index 28343bcf0..7b1d1b15c 100644
--- a/docs/js_binary.md
+++ b/docs/js_binary.md
@@ -87,7 +87,7 @@ The following environment variables are made available to the Node.js runtime ba
| node_toolchain | The Node.js toolchain to use for this target.
See https://bazelbuild.github.io/rules_nodejs/Toolchains.html
Typically this is left unset so that Bazel automatically selects the right Node.js toolchain for the target platform. See https://bazel.build/extending/toolchains#toolchain-resolution for more information. | Label | optional | None
|
| patch_node_fs | Patch the to Node.js fs
API (https://nodejs.org/api/fs.html) for this node program to prevent the program from following symlinks out of the execroot, runfiles and the sandbox.
When enabled, js_binary
patches the Node.js sync and async fs
API functions lstat
, readlink
, realpath
, readdir
and opendir
so that the node program being run cannot resolve symlinks out of the execroot and the runfiles tree. When in the sandbox, these patches prevent the program being run from resolving symlinks out of the sandbox.
When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks which can lead to non-hermetic behavior. | Boolean | optional | True
|
| preserve_symlinks_main | When True, the --preserve-symlinks-main flag is passed to node.
This prevents node from following an ESM entry script out of runfiles and the sandbox. This can happen for .mjs
ESM entry points where the fs node patches, which guard the runfiles and sandbox, are not applied. See https://github.com/aspect-build/rules_js/issues/362 for more information. Once #362 is resolved, the default for this attribute can be set to False.
This flag was added in Node.js v10.2.0 (released 2018-05-23). If your node toolchain is configured to use a Node.js version older than this you'll need to set this attribute to False.
See https://nodejs.org/api/cli.html#--preserve-symlinks-main for more information. | Boolean | optional | True
|
-| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.
These are enabled with the --allow_unresolved_symlinks
flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).
Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | optional | False
|
+| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.
These are enabled with the --allow_unresolved_symlinks
flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).
Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | required | |
@@ -147,7 +147,7 @@ the contract between Bazel and a test runner.
| node_toolchain | The Node.js toolchain to use for this target.
See https://bazelbuild.github.io/rules_nodejs/Toolchains.html
Typically this is left unset so that Bazel automatically selects the right Node.js toolchain for the target platform. See https://bazel.build/extending/toolchains#toolchain-resolution for more information. | Label | optional | None
|
| patch_node_fs | Patch the to Node.js fs
API (https://nodejs.org/api/fs.html) for this node program to prevent the program from following symlinks out of the execroot, runfiles and the sandbox.
When enabled, js_binary
patches the Node.js sync and async fs
API functions lstat
, readlink
, realpath
, readdir
and opendir
so that the node program being run cannot resolve symlinks out of the execroot and the runfiles tree. When in the sandbox, these patches prevent the program being run from resolving symlinks out of the sandbox.
When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks which can lead to non-hermetic behavior. | Boolean | optional | True
|
| preserve_symlinks_main | When True, the --preserve-symlinks-main flag is passed to node.
This prevents node from following an ESM entry script out of runfiles and the sandbox. This can happen for .mjs
ESM entry points where the fs node patches, which guard the runfiles and sandbox, are not applied. See https://github.com/aspect-build/rules_js/issues/362 for more information. Once #362 is resolved, the default for this attribute can be set to False.
This flag was added in Node.js v10.2.0 (released 2018-05-23). If your node toolchain is configured to use a Node.js version older than this you'll need to set this attribute to False.
See https://nodejs.org/api/cli.html#--preserve-symlinks-main for more information. | Boolean | optional | True
|
-| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.
These are enabled with the --allow_unresolved_symlinks
flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).
Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | optional | False
|
+| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.
These are enabled with the --allow_unresolved_symlinks
flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).
Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | required | |
diff --git a/js/private/js_binary.bzl b/js/private/js_binary.bzl
index afc7b84ab..3970f61fb 100644
--- a/js/private/js_binary.bzl
+++ b/js/private/js_binary.bzl
@@ -267,8 +267,7 @@ _ATTRS = {
attribute based on a `config_setting` rule.
See /js/private/BUILD.bazel in rules_js for an example.
""",
- # TODO(2.0): make this mandatory so that downstream binary rules that inherit these attributes are required to set it
- mandatory = False,
+ mandatory = True,
),
"node_toolchain": attr.label(
doc = """The Node.js toolchain to use for this target.