feat: lavamoat #712
Open
feat: lavamoat #712
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andreabadesso
force-pushed
the
feat/lavamoat
branch
2 times, most recently
from
c39da8d to
2ada178
Compare
andreabadesso
force-pushed
the
feat/lavamoat
branch
from
2ada178 to
2306201
Compare
andreabadesso
commented
Dec 23, 2024
| @@ -0,0 +1,1383 @@ | |||
| { | |||
There was a problem hiding this comment.
This file is generated by lavamoat automatically (because we have generatePolicy: true in our plugin config). All manual changes are done in the policy-override.json
tuliomir
requested changes
Jan 9, 2025
andreabadesso
force-pushed
the
feat/lavamoat
branch
from
fc421cb to
e8c3382
Compare
tuliomir
approved these changes
Jan 24, 2025
pedroferreira1
approved these changes
Feb 12, 2025
| } | ||
| }); | ||
|
|
||
| config.module.rules.push({ |
There was a problem hiding this comment.
Add comment for this rule also
| "jquery": { | ||
| "globals": { | ||
| "document": true, | ||
| "window": true, |
There was a problem hiding this comment.
When you allow window, does it allow all window.*?
| "document.title": true | ||
| } | ||
| }, | ||
| "unleash-proxy-client": { |
There was a problem hiding this comment.
This is our package, right?
| "console": true, | ||
| "Error": true, | ||
| "Object": true, | ||
| "XMLHttpRequest": true, |
There was a problem hiding this comment.
We send requests only through axios. Does it make sense to remove this and allow only in axios?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Add LavaMoat to protect against supply chain attacks and upgrade react-scripts to version 5.
Description
Added LavaMoat webpack plugin to production builds only. This required upgrading react-scripts from v4 to v5, which in turn required several changes:
Added react-app-rewired to customize the webpack config (and add the lavamoat plugin)
Added polyfills that were removed in react-scripts v5:
Created buffer-shim.js to handle Buffer compatibility issues in the elliptic package
Updated imports in our code to use browserify versions (e.g. path -> path-browserify)
Acceptance Criteria
LavaMoat runs only in production builds as
@lavamoat/webpackis missing a hookDevelopment builds work without LavaMoat
All functionality remains unchanged with lavamoat and react-scripts v5 activated
Make sure you do not include new dependencies in the project unless strictly necessary and do not include dev-dependencies as production ones. More dependencies increase the possibility of one of them being hijacked and affecting us.