I run code from the Internet!
@naugtur, 2023
Hello, we've found a malicious package version
in your dependencies that…
you've been shipping to production for a week.
- npm audit
This new package looks odd. Got time to read it?
- socket.dev
## Let's install
## that build tool
#### yo, there's an app for that!
```
package.json:
"scripts": {
"generate-policy": "lavamoat build.js --auto",
"build": "lavamoat build.js",
```
---
#### the policy
```json
./lavamoat/node/policy.json:
"that-eslint-plugin>evil-dependency": {
"builtin": {
"https.request": true
},
"globals": {
"process.env": true
},
```
---
#### the policy
```json
./lavamoat/node/policy.json:
"that-eslint-plugin>evil-dependency": {
"builtin": {
"https": false
},
"globals": {
"process": false
},
```
---
```
$ npm run build
Error: LavaMoat - required node builtin package not in
allowlist: package "evil-dependency" requested "https"
TypeError: Cannot read properties of undefined
(reading 'env')
```
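To make the two policy slides concrete, here is an added example (not LavaMoat's own code) of a toy evaluator for the per-package `builtin` and `globals` sections of a policy.json. It shows how `"https.request": true` exposes only that one property to the dependency, how `"https": false` (or no entry at all) denies the whole builtin, and how `"process": false` leaves the global undefined, which is exactly why the build output above shows both the allowlist error and the `Cannot read properties of undefined (reading 'env')` TypeError. The second package name, the policy object and the fake `https`/`process` stand-ins are constructed for this example; a real policy comes from `lavamoat --auto`.

```javascript
// Added example, not LavaMoat's own implementation: a toy evaluator for the
// "builtin" and "globals" sections of a LavaMoat-style policy.json.
// Policy keys are a root name ("https", "process") optionally followed by a
// dotted property path ("https.request"); true allows, false denies.
// The policy below is constructed for this example.
const policy = {
  resources: {
    "that-eslint-plugin>evil-dependency": {
      builtin: { "https.request": true },
      globals: { "process.env": true },
    },
    // hypothetical second package, denied everything
    "that-eslint-plugin>other-dependency": {
      builtin: { https: false },
      globals: { process: false },
    },
  },
};

// Split "https.request" into { root: "https", path: ["request"] }.
function splitKey(key) {
  const [root, ...rest] = key.split(".");
  return { root, path: rest };
}

// Collect the allowed property paths for `root` in one package's policy
// section. Returns null when nothing is allowed; returns [] when the bare
// root ("https": true) is allowed, meaning "the whole object".
function allowedPathsFor(policy, pkg, section, root) {
  const entries = (policy.resources[pkg] || {})[section] || {};
  let paths = null;
  for (const [key, value] of Object.entries(entries)) {
    const parsed = splitKey(key);
    if (parsed.root !== root || value !== true) continue;
    if (parsed.path.length === 0) return [];
    paths = paths || [];
    paths.push(parsed.path);
  }
  return paths;
}

// Build an attenuated copy of `real` exposing only the allowed paths.
function attenuate(real, paths) {
  if (paths.length === 0) return real;
  const view = {};
  for (const path of paths) {
    let src = real;
    let dst = view;
    for (let i = 0; i < path.length; i++) {
      const prop = path[i];
      if (i === path.length - 1) {
        dst[prop] = src[prop];
      } else {
        dst[prop] = dst[prop] || {};
        dst = dst[prop];
        src = src[prop];
      }
    }
  }
  return view;
}

// What a package's require(name) of a Node builtin resolves to under the
// policy: the (possibly attenuated) module, or an error in the same shape
// as the one printed by the failing `npm run build` above.
function requireBuiltin(policy, pkg, name, real) {
  const paths = allowedPathsFor(policy, pkg, "builtin", name);
  if (paths === null) {
    const shortName = pkg.split(">").pop();
    throw new Error(
      "LavaMoat - required node builtin package not in allowlist: " +
        `package "${shortName}" requested "${name}"`
    );
  }
  return attenuate(real, paths);
}

// What a package sees when it reads a global: an attenuated object, or
// undefined when the root is denied (so `process.env` then throws a TypeError).
function readGlobal(policy, pkg, name, real) {
  const paths = allowedPathsFor(policy, pkg, "globals", name);
  return paths === null ? undefined : attenuate(real, paths);
}

// Constructed stand-ins for the real builtin and global; nothing real is used.
const fakeHttps = { request: () => "request called", get: () => "get called" };
const fakeProcess = { env: { HOME: "/home/ci" }, exit: () => "exit called" };
```

Run it under `node` and try `requireBuiltin(policy, "that-eslint-plugin>evil-dependency", "https", fakeHttps)`: the result has `request` but no `get`, while the same call for the denied package throws the allowlist error. The design point is that the policy is evaluated per dependency path (`parent>child`), so the same builtin can be fully open to one package and closed to another.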
# (╯°□°)╯︵ ┻━┻
# how?!
### There's also a bundler
1. browserify based
2. webpack plugin (in BETA)
Wanna help with the plugin?
#### Open Beta hub here:
[https://github.com/LavaMoat/LavaMoat/discussions/723](https://github.com/LavaMoat/LavaMoat/discussions/723)
### Want to know more?
[Earlier talk with more SES details](https://www.youtube.com/watch?v=Qjeh7Qo2u28)
[Mark Miller on F5 Tech Talks](https://www.youtube.com/watch?v=u-XETUbxNUU)
### But I promised I'll
![eval](./ilus/meme.jpg)