add allow-scripts: improve supply chain security (#1326)

* add lavamoat * update postinstall script * reduce allowed scripts * update readme
2023-01-04 22:05:08 +00:00 · 2023-01-04 22:05:08 +00:00 · fd421fa579
parent ea52d7803d
commit fd421fa579
5 changed files with 100 additions and 4 deletions
--- a/.yarnrc
+++ b/.yarnrc
@ -1,2 +1,3 @@
 --install.frozen-lockfile true
 --add.exact true
+ignore-scripts true
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@ -0,0 +1 @@
+enableScripts: false
--- a/README.md
+++ b/README.md
@ -16,6 +16,19 @@

 - most of the work is in `hooks/useRealm.ts` and `hooks/useVotingPlugins.ts` in the governance-ui. The UI work is in `components/TokenBalance`

+## Changing dependencies
+Whenever you change dependencies (adding, removing, or updating, either in package.json or yarn.lock), there are various files that must be kept up-to-date.
+
+`yarn.lock`:
+- Run yarn again after your changes to ensure yarn.lock has been properly updated.
+- Run `yarn deduplicate` to remove duplicate dependencies from the lockfile.
+
+The `allow-scripts` configuration in `package.json`:
+- Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run.
+- Alternatively update the `allow-scripts` section manually. 
+- Review each new package to determine whether the install script needs to run or not, testing if necessary.
+- Use `npx can-i-ignore-scripts` to help assessing whether scripts are needed
+
 # NextJS Typescript Boilerplate

 Bootstrap a developer-friendly NextJS app configured with:
--- a/package.json
+++ b/package.json
@ -16,7 +16,9 @@
    "test": "jest",
    "test-all": "yarn lint && yarn type-check && yarn test",
    "notifier": "ts-node scripts/governance-notifier.ts",
-    "postinstall": "echo '\\033[35mIf you just added a package, consider running `\\033[1m\\033[36;1mnpx yarn-deduplicate\\033[0m\\033[35m`!\\033[00m'"
+    "setup": "yarn install && yarn allow-scripts",
+    "deduplicate": "npx yarn-deduplicate",
+    "postinstall": "echo '\\033[35mIf you just added a package, consider running `\\033[1m\\033[36;1myarn deduplicate` \\033[0m\\033[35mto check for duplicates!\\033[00m\n \\033[35malso make sure scripts run by new packages are reviewed and added in the allowScripts section. Then run `\\033[1m\\033[36;1myarn allow-scripts\\033[0m\\033[35m`!\\033[00m'"
  },
  "lint-staged": {
    "*.@(ts|tsx|js|jsx)": [
@ -160,6 +162,8 @@
    "zustand": "3.7.2"
  },
  "devDependencies": {
+    "@lavamoat/allow-scripts": "2.3.0",
+    "@lavamoat/preinstall-always-fail": "1.0.0",
    "@notifi-network/notifi-core": "0.18.2",
    "@testing-library/jest-dom": "5.16.4",
    "@testing-library/react": "11.2.5",
@ -227,5 +231,26 @@
    "firefox >= 68",
    "opera >= 54",
    "safari >= 14"
-  ]
+  ],
+  "lavamoat": {
+    "allowScripts": {
+      "$root$": false,
+      "@bundlr-network/client>arbundles>keccak": true,
+      "@bundlr-network/client>arbundles>secp256k1": true,
+      "@carbon/icons-react": false,
+      "@civic/solana-gateway-react>@civic/common-gateway-react>styled-components": false,
+      "@lavamoat/preinstall-always-fail": false,
+      "@sentry/nextjs>@sentry/webpack-plugin>@sentry/cli": false,
+      "@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/base-controllers>@toruslabs/broadcast-channel>@toruslabs/eccrypto": true,
+      "@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/base-controllers>@toruslabs/broadcast-channel>@toruslabs/eccrypto>secp256k1": true,
+      "@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/base-controllers>@toruslabs/broadcast-channel>microtime": true,
+      "@solana/web3.js>bigint-buffer": false,
+      "@solana/web3.js>rpc-websockets>bufferutil": true,
+      "@solana/web3.js>rpc-websockets>utf-8-validate": true,
+      "@switchboard-xyz/switchboard-v2>protobufjs": false,
+      "@testing-library/react>@testing-library/dom>aria-query>@babel/runtime-corejs3>core-js-pure": false,
+      "draft-js>fbjs>core-js": false,
+      "goblingold-sdk": false
+    }
+  }
 }
--- a/yarn.lock
+++ b/yarn.lock
@ -1960,6 +1960,29 @@
    bs58 "^5.0.0"
    uuid "^8.3.2"

+"@lavamoat/aa@^3.1.1":
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/@lavamoat/aa/-/aa-3.1.2.tgz#3e2c0bbff791204bb4dabe96c2486b0c910e1897"
+  integrity sha512-oHKUcSzCDxpICm247dH28no8k0VXURPVOS6jWx7GcoW9XowObqoiWSrX90folzEaaQq9HvO4X2OWvTubUm/0Qg==
+  dependencies:
+    resolve "^1.20.0"
+
+"@lavamoat/allow-scripts@2.3.0":
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/@lavamoat/allow-scripts/-/allow-scripts-2.3.0.tgz#f1bcf4b7c8866a87a17c1c4334f50fd168c9eb4f"
+  integrity sha512-Tp4qQsJ02RPPZwioI+SBrMo8HuUSWpDqGw7vjigioXnFo8k7UITQBwroZ7qUcp8avJSCOgnZDytMawgYbCFpOA==
+  dependencies:
+    "@lavamoat/aa" "^3.1.1"
+    "@npmcli/run-script" "^1.8.1"
+    bin-links "4.0.1"
+    npm-normalize-package-bin "^3.0.0"
+    yargs "^16.2.0"
+
+"@lavamoat/preinstall-always-fail@1.0.0":
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/@lavamoat/preinstall-always-fail/-/preinstall-always-fail-1.0.0.tgz#e78a6e3d9e212a4fef869ec37d4f5fb498dea373"
+  integrity sha512-vD2DcC0ffJj1w2y1Lu0OU39wHmlPEd2tCDW04Bm6Kf4LyRnCHCezTsS8yzeSJ+4so7XP+TITuR5FGJRWxPb+GA==
+
 "@ledgerhq/devices@6.27.1", "@ledgerhq/devices@^6.27.1":
  version "6.27.1"
  resolved "https://registry.yarnpkg.com/@ledgerhq/devices/-/devices-6.27.1.tgz#3b13ab1d1ba8201e9e74a08f390560483978c962"
@ -2663,7 +2686,7 @@
  dependencies:
    infer-owner "^1.0.4"

-"@npmcli/run-script@^1.8.2", "@npmcli/run-script@^1.8.3", "@npmcli/run-script@^1.8.4", "@npmcli/run-script@^1.8.6":
+"@npmcli/run-script@^1.8.1", "@npmcli/run-script@^1.8.2", "@npmcli/run-script@^1.8.3", "@npmcli/run-script@^1.8.4", "@npmcli/run-script@^1.8.6":
  version "1.8.6"
  resolved "https://registry.yarnpkg.com/@npmcli/run-script/-/run-script-1.8.6.tgz#18314802a6660b0d4baa4c3afe7f1ad39d8c28b7"
  integrity sha512-e42bVZnC6VluBZBAFEr3YrdqSspG3bgilyg4nSLBJ7TRGNCzxHa92XAHxQBLYg0BmgwO4b2mf3h/l5EkEWRn3g==
@ -7147,6 +7170,16 @@ bignumber.js@9.0.2, bignumber.js@^8.1.1, bignumber.js@^9.0.0, bignumber.js@^9.0.
  resolved "https://registry.yarnpkg.com/bignumber.js/-/bignumber.js-9.0.2.tgz#71c6c6bed38de64e24a65ebe16cfcf23ae693673"
  integrity sha512-GAcQvbpsM0pUb0zw1EI0KhQEZ+lRwR5fYaAp3vPOYuP7aDvGy6cVN6XHLauvF8SOga2y0dcLcjt3iQDTSEliyw==

+bin-links@4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/bin-links/-/bin-links-4.0.1.tgz#afeb0549e642f61ff889b58ea2f8dca78fb9d8d3"
+  integrity sha512-bmFEM39CyX336ZGGRsGPlc6jZHriIoHacOQcTt72MktIjpPhZoP4te2jOyUXF3BLILmJ8aNLncoPVeIIFlrDeA==
+  dependencies:
+    cmd-shim "^6.0.0"
+    npm-normalize-package-bin "^3.0.0"
+    read-cmd-shim "^4.0.0"
+    write-file-atomic "^5.0.0"
+
 bin-links@^2.2.1:
  version "2.3.0"
  resolved "https://registry.yarnpkg.com/bin-links/-/bin-links-2.3.0.tgz#1ff241c86d2c29b24ae52f49544db5d78a4eb967"
@ -7844,6 +7877,11 @@ cmd-shim@^4.0.1:
  dependencies:
    mkdirp-infer-owner "^2.0.0"

+cmd-shim@^6.0.0:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/cmd-shim/-/cmd-shim-6.0.1.tgz#a65878080548e1dca760b3aea1e21ed05194da9d"
+  integrity sha512-S9iI9y0nKR4hwEQsVWpyxld/6kRfGepGfzff83FcaiEBpmvlbA2nnGe7Cylgrx2f/p1P5S5wpRm9oL8z1PbS3Q==
+
 co@^4.6.0:
  version "4.6.0"
  resolved "https://registry.yarnpkg.com/co/-/co-4.6.0.tgz#6ea6bdf3d853ae54ccb8e47bfa0bf3f9031fb184"
@ -13366,6 +13404,11 @@ npm-normalize-package-bin@^1.0.0, npm-normalize-package-bin@^1.0.1:
  resolved "https://registry.yarnpkg.com/npm-normalize-package-bin/-/npm-normalize-package-bin-1.0.1.tgz#6e79a41f23fd235c0623218228da7d9c23b8f6e2"
  integrity sha512-EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA==

+npm-normalize-package-bin@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/npm-normalize-package-bin/-/npm-normalize-package-bin-3.0.0.tgz#6097436adb4ef09e2628b59a7882576fe53ce485"
+  integrity sha512-g+DPQSkusnk7HYXr75NtzkIP4+N81i3RPsGFidF3DzHd9MT9wWngmqoeg/fnHFz5MNdtG4w03s+QnhewSLTT2Q==
+
 npm-package-arg@^8.0.0, npm-package-arg@^8.0.1, npm-package-arg@^8.1.0, npm-package-arg@^8.1.1, npm-package-arg@^8.1.2, npm-package-arg@^8.1.5:
  version "8.1.5"
  resolved "https://registry.yarnpkg.com/npm-package-arg/-/npm-package-arg-8.1.5.tgz#3369b2d5fe8fdc674baa7f1786514ddc15466e44"
@ -15095,6 +15138,11 @@ read-cmd-shim@^2.0.0:
  resolved "https://registry.yarnpkg.com/read-cmd-shim/-/read-cmd-shim-2.0.0.tgz#4a50a71d6f0965364938e9038476f7eede3928d9"
  integrity sha512-HJpV9bQpkl6KwjxlJcBoqu9Ba0PQg8TqSNIOrulGt54a0uup0HtevreFHzYzkm0lpnleRdNBzXznKrgxglEHQw==

+read-cmd-shim@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/read-cmd-shim/-/read-cmd-shim-4.0.0.tgz#640a08b473a49043e394ae0c7a34dd822c73b9bb"
+  integrity sha512-yILWifhaSEEytfXI76kB9xEEiG1AiozaCJZ83A87ytjRiN+jVibXjedjCRNjoZviinhG+4UkalO3mWTd8u5O0Q==
+
 read-package-json-fast@^2.0.1, read-package-json-fast@^2.0.2, read-package-json-fast@^2.0.3:
  version "2.0.3"
  resolved "https://registry.yarnpkg.com/read-package-json-fast/-/read-package-json-fast-2.0.3.tgz#323ca529630da82cb34b36cc0b996693c98c2b83"
@ -17370,6 +17418,14 @@ write-file-atomic@^4.0.1:
    imurmurhash "^0.1.4"
    signal-exit "^3.0.7"

+write-file-atomic@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/write-file-atomic/-/write-file-atomic-5.0.0.tgz#54303f117e109bf3d540261125c8ea5a7320fab0"
+  integrity sha512-R7NYMnHSlV42K54lwY9lvW6MnSm1HSJqZL3xiSgi9E7//FYaI74r2G0rd+/X6VAMkHEdzxQaU5HUOXWUz5kA/w==
+  dependencies:
+    imurmurhash "^0.1.4"
+    signal-exit "^3.0.7"
+
 ws@7.4.6:
  version "7.4.6"
  resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c"
@ -17463,7 +17519,7 @@ yargs-unparser@2.0.0:
    flat "^5.0.2"
    is-plain-obj "^2.1.0"

-yargs@16.2.0:
+yargs@16.2.0, yargs@^16.2.0:
  version "16.2.0"
  resolved "https://registry.yarnpkg.com/yargs/-/yargs-16.2.0.tgz#1c82bf0f6b6a66eafce7ef30e376f49a12477f66"
  integrity sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw==