feat: support lavamoat webpack plugin #30134
Conversation
needs to be brough out of the webpack-processing pipeline in order for ses not to trip up on its own `eval`s
…ry, first steps in resolving who runs lockdown
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
|
New dependencies detected. Learn more about Socket for GitHub ↗︎
|
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is new author?A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. What is obfuscated code?Obfuscated files are intentionally packed to hide their behavior. This could be a sign of malware. Packages should not obfuscate their code. Consider not using packages with obfuscated code. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| generatePolicy: true, | ||
| runChecks: true, // Candidate to disable later for performance. useful in debugging invalid JS errors, but unless the audit proves me wrong this is probably not improving security. | ||
| readableResourceIds: true, | ||
| inlineLockdown: /^runtime|contentscript\.js/u, |
Check failure
Code scanning / CodeQL
Missing regular expression anchor High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to ensure that both parts of the regular expression are properly anchored. This can be done by using non-capturing groups and applying the ^ anchor to both alternatives. The corrected regular expression should be /^(runtime|contentscript\.js)/u.
| @@ -191,3 +191,3 @@ | ||
| readableResourceIds: true, | ||
| inlineLockdown: /^runtime|contentscript\.js/u, | ||
| inlineLockdown: /^(runtime|contentscript\.js)/u, | ||
| unlockedChunksUnsafe: /inpage\.js/u, |
|
Update:
|
|
Update:
|
weizman
force-pushed
the
webpack-lavamoat-new
branch
from
79d1b01 to
13c545d
Compare
weizman
force-pushed
the
webpack-lavamoat-new
branch
from
13c545d to
cb6fbb0
Compare
weizman
force-pushed
the
webpack-lavamoat-new
branch
from
cb6fbb0 to
60239a4
Compare
weizman
changed the title
This PR focuses on preparing webpack plugin to work well with MetaMask effort to integrate it (see LavaMoat/LavaMoat#1526).
In order to do that, I had to:
These make it so that when integrated with the MetaMask PR, compilation and execution of the app works well