Another day, another package (uwu)
I found an interesting package when I was looking into the rainbowkit source: Lavamoat.
What it do?
Quoting @metamask’s Lavamoat blog here,
“JavaScript is the most popular language for developers by far and is also very prone to supply chain attacks. This vulnerability timeline from 2017 shows a solid half of the attacks originating from npm…”
Basically, a simple npm install can rek you and your users in all sorts of ways! From an install script stealing your private keys (hope you use a separate wallet for development) to injecting hidden functionality into your app, supply chain attacks can hit from multiple angles.
Thankfully, @kumavis_ rode his terminal to the future and brought us back Lavamoat.
There are a few tools offered by LavaMoat in their GitHub repo to avoid supply chain attacks at different stages, but today I’m going to show off @lavamoat/allow-scripts since it’s an easy starting point and prevents the most common supply chain attack vector: malicious install scripts.
And, it’s easy to use.
Here’s how:
Install the package (ironic, I know, but stay with me here) with:
yarn add -D @lavamoat/allow-scripts
OR
npm i -D @lavamoat/allow-scripts
Run the setup, which adds a .yarnrc or .npmrc and the @lavamoat/preinstall-always-fail package to prevent preinstall scripts from running automatically, by doing:
yarn allow-scripts setup
OR
npx --no-install allow-scripts setup
Configure your package.json to run the necessary scripts by running:
yarn allow-scripts auto
and then editing the new lavamoat section in your package.json.
You can find more details and up-to-date instructions on their npm page!
Please subscribe to stay up-to-date with the latest and greatest in web3 frontends.
And please leave a comment / DM me on Twitter letting me know what you’d like to hear about next! Tutorials on building dApps? UI/UX critiques / refactors? Open to anything.
Thanks!
- 0xTARC