Merge pull request #73 from blockworks-foundation/silas/supplychain-sec

Supply chain hardening
tylersssss 2023-01-28 13:37:38 -05:00 committed by GitHub
commit 70aea14f5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 1355 additions and 863 deletions


@ -1,23 +0,0 @@
name: Code Review - TypeScript
on:
pull_request:
branches: ['main']
push:
jobs:
semgrep:
name: Code Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@v3
- run: semgrep ci --exclude 'public/charting_library'
env:
SEMGREP_RULES: p/typescript


@ -1,15 +1,49 @@
name: Dependency Security Scan
name: Code Review
on:
pull_request:
pull_request:
branches: ['main']
push:
jobs:
trivy:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'yarn'
- name: Check dep dupes
run: yarn ci-dupe-check
- name: Install dependencies
run: yarn ci
- name: Build
run: yarn build
semgrep:
name: Code Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
- name: Checkout code
uses: actions/checkout@v3
- run: semgrep ci --exclude 'public/charting_library'
env:
SEMGREP_RULES: p/typescript
sca:
name: Dependency Scan
runs-on: ubuntu-latest
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@v3
@ -21,9 +55,8 @@ jobs:
scan-type: 'fs'
ignore-unfixed: true
hide-progress: true
security-checks: 'vuln' # disable secrets scanning until public
format: 'table'
# Fail the job on critical vulnerabiliies with fix available
- name: Fail on critical vulnerabilities
uses: aquasecurity/trivy-action@master
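Review bot: Every action in the rebuilt workflow is referenced by a mutable ref — `actions/checkout@v3`, `actions/setup-node@v3`, and `aquasecurity/trivy-action@master` in the Trivy step at the end of the section — and the Semgrep job pulls `returntocorp/semgrep` with no tag or digest, so a change titled supply-chain hardening still lets whatever upstream publishes next run inside this pipeline with the repository checkout. Pin each `uses:` to a full commit SHA and keep the tag in a trailing comment (`uses: actions/checkout@<40-char-sha> # v3`), and pin the container to `returntocorp/semgrep@sha256:<digest>`; `@master` on trivy-action is the most urgent since it tracks an unreleased branch. Dropping the `github.actor != 'dependabot[bot]'` guard from the Semgrep job looks deliberate, but it means dependabot PRs now run Semgrep too — worth a one-line comment if that is the intent. The `with:` block of the "Fail on critical vulnerabilities" step continues past the end of the hunk, so its exit-code and severity settings are not visible here.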


@ -1,4 +1,4 @@
#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"
yarn typecheck && yarn lint --quiet
yarn format && yarn typecheck && yarn lint --quiet

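--- /dev/null
+++ b/.yarnrc
@@ -0,0 +1,2 @@
+ignore-scripts true
+--add.exact true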
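Review bot: Nothing in the file says why a Yarn 1 `.yarnrc` and a `.yarnrc.yml` coexist, or that `ignore-scripts true` is the deny-by-default half of the lavamoat setup (it presumably also skips the repo's own `prepare`/husky hook until `yarn allow-scripts` runs root scripts under the `$root$: true` policy in package.json). Yarn 1 `.yarnrc` accepts `#` comments, so add `# Yarn 1: lifecycle scripts run only via lavamoat allow-scripts (see package.json "lavamoat.allowScripts")` above the first line. Note also that `--add.exact true` only affects `yarn add`; the caret ranges removed in package.json are the real pin for existing dependencies, and the lockfile remains the source of truth.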

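--- /dev/null
+++ b/.yarnrc.yml
@@ -0,0 +1 @@
+enableScripts: false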
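Review bot: This file is only read by Yarn 2+, while the `ci` script in package.json uses the Yarn 1 flag `--frozen-lockfile` and no `packageManager` field is visible in the hunks, so it appears to be a safety net for a developer who runs a Berry install rather than the active configuration. Say so in the file: `# Yarn 2+ counterpart of ignore-scripts in .yarnrc; the project is driven with Yarn 1, this only guards stray Berry installs`.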


@ -1,5 +1,23 @@
This is a [Next.js](https://nextjs.org/) project bootstrapped with [`create-next-app`](https://github.com/vercel/next.js/tree/canary/packages/create-next-app).
## Dependency Management
When updating dependencies, there are various files that must be kept up-to-date. Newly added, or updated dependencies can introduce unwanted/malicious scripts that can introduce risks for users and/or developers. The `lavamoat allow-scripts` feature allows us to deny by default, but adds some additional steps to the usual workflow.
`yarn.lock`:
- Instead of running `yarn` or `yarn install`, run `yarn setup` to ensure the `yarn.lock` file is in sync and that dependency scripts are run according to the `allowScripts` policy (set in `packages.json`)
- If `lavamoat` detects new scripts that are not explicitely allowed/denied, it'll throw and error with details (see below)
- Running `yarn setup` will also dedupe the `yarn.lock` file to reduce the dependency tree. Note CI will fail if there are dupes in `yarn.lock`!
The `allowScripts` configuration in `package.json`:
- There are two ways to configure script policies:
1. Update the allow-scripts section manually by adding the missing package in the `allowScripts` section in `package.json`
2. Run `yarn allow-scripts auto` to update the `allowScripts` configuration automatically
- Review each new package to determine whether the install script needs to run or not, testing if necessary.
- Use `npx can-i-ignore-scripts` to help assessing whether scripts are needed
## Getting Started
First, run the development server:


@ -3,9 +3,14 @@
"version": "0.1.0",
"private": true,
"scripts": {
"setup": "yarn install && npx yarn-deduplicate && yarn allow-scripts && yarn bigint-fix",
"ci": "yarn install --frozen-lockfile --network-concurrency 1 --color=always && yarn allow-scripts && yarn bigint-fix",
"ci-dupe-check": "npx yarn-deduplicate --list --fail",
"bigint-fix": "cd node_modules/bigint-buffer && yarn rebuild && cd ../../",
"dev": "rm -rf .next && next dev",
"build": "next build",
"start": "next start",
"format": "prettier --check .",
"lint": "next lint",
"typecheck": "tsc",
"prepare": "husky install",
@ -13,45 +18,45 @@
},
"dependencies": {
"@blockworks-foundation/mango-v4": "https://github.com/blockworks-foundation/mango-v4.git#ts-client",
"@headlessui/react": "^1.6.6",
"@heroicons/react": "^2.0.10",
"@headlessui/react": "1.6.6",
"@heroicons/react": "2.0.10",
"@project-serum/anchor": "0.25.0",
"@solana/wallet-adapter-base": "^0.9.18",
"@solana/wallet-adapter-react": "^0.15.24",
"@solana/wallet-adapter-wallets": "^0.19.5",
"@solflare-wallet/pfp": "^0.0.6",
"@tanstack/react-query": "^4.10.1",
"@tippyjs/react": "^4.2.6",
"@types/howler": "^2.2.7",
"@types/lodash": "^4.14.185",
"assert": "^2.0.0",
"axios": "^1.2.0",
"big.js": "^6.2.1",
"clsx": "^1.2.1",
"date-fns": "^2.29.3",
"dayjs": "^1.11.3",
"decimal.js": "^10.4.0",
"howler": "^2.2.3",
"html-react-parser": "^3.0.4",
"immer": "^9.0.12",
"klinecharts": "^8.6.3",
"lodash": "^4.17.21",
"next": "^13.0.0",
"next-i18next": "^11.1.1",
"next-themes": "^0.1.1",
"process": "^0.11.10",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"react-flip-numbers": "^3.0.5",
"react-grid-layout": "^1.3.4",
"react-nice-dates": "^3.1.0",
"react-number-format": "^4.9.2",
"react-tsparticles": "^2.2.4",
"react-window": "^1.8.7",
"recharts": "^2.1.14",
"tsparticles": "^2.2.4",
"walktour": "^5.1.1",
"zustand": "^4.1.3"
"@solana/wallet-adapter-base": "0.9.18",
"@solana/wallet-adapter-react": "0.15.24",
"@solana/wallet-adapter-wallets": "0.19.5",
"@solflare-wallet/pfp": "0.0.6",
"@tanstack/react-query": "4.10.1",
"@tippyjs/react": "4.2.6",
"@types/howler": "2.2.7",
"@types/lodash": "4.14.185",
"assert": "2.0.0",
"axios": "1.2.4",
"big.js": "6.2.1",
"clsx": "1.2.1",
"date-fns": "2.29.3",
"dayjs": "1.11.3",
"decimal.js": "10.4.0",
"howler": "2.2.3",
"html-react-parser": "3.0.4",
"immer": "9.0.12",
"klinecharts": "8.6.3",
"lodash": "4.17.21",
"next": "13.0.0",
"next-i18next": "11.1.1",
"next-themes": "0.1.1",
"process": "0.11.10",
"react": "18.2.0",
"react-dom": "18.2.0",
"react-flip-numbers": "3.0.5",
"react-grid-layout": "1.3.4",
"react-nice-dates": "3.1.0",
"react-number-format": "4.9.2",
"react-tsparticles": "2.2.4",
"react-window": "1.8.7",
"recharts": "2.1.14",
"tsparticles": "2.2.4",
"walktour": "5.1.1",
"zustand": "4.1.3"
},
"peerDependencies": {
"@project-serum/anchor": "0.25.0",
@ -59,24 +64,47 @@
"@solana/web3.js": ">=1.70.1"
},
"devDependencies": {
"@types/big.js": "^6.1.6",
"@lavamoat/allow-scripts": "2.3.0",
"@lavamoat/preinstall-always-fail": "^1.0.0",
"@types/big.js": "6.1.6",
"@types/node": "17.0.23",
"@types/react": "18.0.3",
"@types/react-dom": "18.0.0",
"@types/react-grid-layout": "^1.3.2",
"@types/react-window": "^1.8.5",
"@typescript-eslint/eslint-plugin": "^5.43.0",
"autoprefixer": "^10.4.4",
"eslint": "^8.13.0",
"eslint-config-next": "^13.0.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-react": "^7.29.4",
"eslint-plugin-react-hooks": "^4.4.0",
"husky": "^8.0.1",
"postcss": "^8.4.12",
"prettier": "^2.6.2",
"prettier-plugin-tailwindcss": "^0.1.8",
"tailwindcss": "^3.1.8",
"@types/react-grid-layout": "1.3.2",
"@types/react-window": "1.8.5",
"@typescript-eslint/eslint-plugin": "5.43.0",
"autoprefixer": "10.4.13",
"eslint": "8.13.0",
"eslint-config-next": "13.0.0",
"eslint-config-prettier": "8.5.0",
"eslint-plugin-react": "7.29.4",
"eslint-plugin-react-hooks": "4.4.0",
"husky": "8.0.1",
"postcss": "8.4.12",
"prettier": "2.6.2",
"prettier-plugin-tailwindcss": "0.1.8",
"tailwindcss": "3.1.8",
"typescript": "4.6.3"
},
"resolutions": {
"eslint-config-next/eslint-import-resolver-typescript/tsconfig-paths/json5": "1.0.2"
},
"lavamoat": {
"allowScripts": {
"$root$": true,
"@lavamoat/preinstall-always-fail": false,
"@solana/wallet-adapter-wallets>@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/base-controllers>@toruslabs/broadcast-channel>@toruslabs/eccrypto": true,
"@solana/wallet-adapter-wallets>@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/base-controllers>@toruslabs/broadcast-channel>@toruslabs/eccrypto>secp256k1": true,
"@solana/wallet-adapter-wallets>@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/base-controllers>ethereumjs-util>ethereum-cryptography>secp256k1": true,
"@solana/wallet-adapter-wallets>@solana/wallet-adapter-torus>@toruslabs/solana-embed>@toruslabs/openlogin-jrpc>@toruslabs/openlogin-utils>keccak": true,
"@solana/web3.js>bigint-buffer": false,
"@solana/web3.js>rpc-websockets>bufferutil": true,
"@solana/web3.js>rpc-websockets>utf-8-validate": true,
"@solflare-wallet/pfp>@solana/web3.js>secp256k1": true,
"eslint-config-next>eslint-plugin-jsx-a11y>aria-query>@babel/runtime-corejs3>core-js-pure": false,
"next-i18next>core-js": false,
"react-tsparticles": true,
"tsparticles>tsparticles-engine": true
}
}
}
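Review bot: Two dependencies still float even though the commit pins every other version: `@blockworks-foundation/mango-v4` resolves the branch ref `#ts-client` of a git URL, and `@lavamoat/preinstall-always-fail` keeps its `^1.0.0` range. Pin the git dependency to a commit, `"@blockworks-foundation/mango-v4": "https://github.com/blockworks-foundation/mango-v4.git#<commit-sha>"`, and drop the caret so the pinning policy is uniform. The `setup` and `ci-dupe-check` scripts also run `npx yarn-deduplicate`, which downloads whatever version is current on the registry at run time and executes it outside the `allowScripts` policy; add `yarn-deduplicate` as a pinned devDependency and invoke it directly instead. Finally, `bigint-fix` rebuilds `bigint-buffer` by hand while its install script is denied under `allowScripts`, which reads like the deny being bypassed — JSON has no comment syntax, so the README's "Dependency Management" section should state that this is a deliberate, reviewed rebuild of one native module.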


@ -17,7 +17,7 @@ export async function getStaticProps({ locale }: { locale: string }) {
'swap',
'token',
'trade',
'close-account'
'close-account',
])),
},
}


@ -15,7 +15,7 @@ export async function getStaticProps({ locale }: { locale: string }) {
'swap',
'settings',
'trade',
'close-account'
'close-account',
])),
},
}

yarn.lock
