Add Actions and Reducer production warning. #1011
@@ -15,6 +15,7 @@ keywords: | |||
--- | |||
|
|||
:::caution Warning | |||
Actions and Reducers are still in development and currently are not safe to use in production applications. |
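Review bot: The sentence under `:::caution Warning` says Actions and Reducers "are not safe to use in production applications" but gives no reason and no scope, so a reader cannot tell which API is affected or under what condition it fails. Name the specific component the warning applies to, state what breaks and when (or link to a page that does), and consider "are currently not safe" for the word order.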

I'd prefer if this caveat referred to the `Reducer` API from o1js in particular, and not to the general concept of actions and reducers.
At the protocol level, safe use of actions is very possible, if you implement a better reducer (the upcoming `BatchReducer` being an example).
Also, we should say why `Reducer` is not safe to use: Because the `reduce()` method breaks (completely) if more than a hard-coded number of actions are pending (default: 32).

> I'd prefer if this caveat referred to the Reducer API from o1js in particular, and not to the general concept of actions and reducers.

Good idea. Do you think this location is still an appropriate place to add the caveat?

> Also, we should say why Reducer is not safe to use: Because the reduce() method breaks (completely) if more than a hard-coded number of actions are pending (default: 32).

This was the plan. I was deciding if it made sense to either have a short description in this location with the caveat or to link to a longer description somewhere else, and where a long description would live in the docs if we went that direction.
@mitschabaude I was also working on adding similar warnings to some of the examples in the o1js repo. Maybe it makes sense to add the caveat (temporary until we completely update the reducer) to the o1js reducer doc comments.

> Do you think this location is still an appropriate place to add the caveat?

Yes definitely, it's the right place!

> This was the plan. I was deciding if it made sense to either have a short description in this location with the caveat or to link to a longer description somewhere else, and where a long description would live in the docs if we went that direction.

Gotcha, both work. A longer description could live as a new "security best practice" (subsection on the zkapp security docs) here: https://docs.minaprotocol.com/zkapps/writing-a-zkapp/introduction-to-zkapps/secure-zkapps#best-practices-for-zkapp-security

Closes #1013
This PR adds a warning about the current limitation of the `o1js` reducer API. A note was also added that work is in progress to mitigate the current limitation.