feat: lavamoat #712

andreabadesso · 2024-12-23T14:01:22Z

Motivation

Add LavaMoat to protect against supply chain attacks and upgrade react-scripts to version 5.

Description

Added LavaMoat webpack plugin to production builds only. This required upgrading react-scripts from v4 to v5, which in turn required several changes:

Added react-app-rewired to customize the webpack config (and add the lavamoat plugin)
Added polyfills that were removed in react-scripts v5
Created buffer-shim.js to handle Buffer compatibility issues in the elliptic package
Updated imports in our code to use browserify versions (e.g. path -> path-browserify)

Acceptance Criteria

LavaMoat runs only in production builds as @lavamoat/webpack is missing a hook
Development builds work without LavaMoat
All functionality remains unchanged with lavamoat and react-scripts v5 activated
Make sure you do not include new dependencies in the project unless strictly necessary and do not include dev-dependencies as production ones. More dependencies increase the possibility of one of them being hijacked and affecting us.

andreabadesso · 2024-12-23T14:24:02Z

lavamoat/webpack/policy.json

@@ -0,0 +1,1383 @@
+{


This file is generated by lavamoat automatically (because we have generatePolicy: true in our plugin config). All manual changes are done in the policy-override.json

config-overrides.js

lavamoat/webpack/policy-override.json

package.json

patches/elliptic++bn.js+4.12.0.patch

src/components/ModalPin.js

src/store/index.js

src/utils/helpers.js

config-overrides.js

lavamoat/webpack/policy-override.json

pedroferreira1

Waiting dependencies review

package.json

config-overrides.js

tuliomir · 2025-02-27T14:17:15Z

.github/workflows/main.yml

+    - name: Install ttag-cli globally
+      run: npm install -g ttag-cli


question(non-blocking): Why do we need to install it globally?

andreabadesso added 11 commits December 23, 2024 10:47

feat: pgs

2a86288

feat: working react-app-rewired

704d089

chore: generating policy

a16df67

feat: added lockdown and config overrides adding ses

991441c

chore: lavamoat policy overrides working

61f6365

chore: using path-browserify

828ec61

chore: build passing

8fcceab

fix: axios failing to be imported

c6296ba

fix: Buffer missing from bitcore-lib

fe6071a

fix: global modal not showing sometimes

c1ad57e

chore: upgrade nodejs to v22

915421e

andreabadesso requested a review from pedroferreira1 as a code owner December 23, 2024 14:01

andreabadesso added 5 commits December 23, 2024 11:03

chore: using fixed versions

205b123

chore: stop hardcoding debugMode and removed process

a79fc09

chore: better pin modal

786ac3b

refactor: using path-browserify in transaction details

b4be97e

refactor: using path-browserify in helpers

944b6c1

andreabadesso force-pushed the feat/lavamoat branch 2 times, most recently from c39da8d to 2ada178 Compare December 23, 2024 14:07

refactor: removed walletconnect references

2306201

andreabadesso force-pushed the feat/lavamoat branch from 2ada178 to 2306201 Compare December 23, 2024 14:18

andreabadesso commented Dec 23, 2024

View reviewed changes

chore: only add lavamoat in production builds

780a778

andreabadesso self-assigned this Dec 23, 2024

andreabadesso added the enhancement New feature or request label Dec 23, 2024

andreabadesso changed the title ~~feat: LavaMoat~~ feat: lavamoat Dec 23, 2024

andreabadesso added 2 commits December 23, 2024 13:25

chore: watch-css on start script

7b8bc73

chore: update lavamoat policy

9f841f9

andreabadesso requested a review from tuliomir December 23, 2024 16:35

tuliomir requested changes Jan 9, 2025

View reviewed changes

refactor: modal title id

ea644ef

tuliomir previously approved these changes Jan 24, 2025

View reviewed changes

pedroferreira1 previously approved these changes Feb 12, 2025

View reviewed changes

config-overrides.js Show resolved Hide resolved

lavamoat/webpack/policy-override.json Show resolved Hide resolved

lavamoat/webpack/policy-override.json Show resolved Hide resolved

lavamoat/webpack/policy-override.json Outdated Show resolved Hide resolved

pedroferreira1 reviewed Feb 12, 2025

View reviewed changes

andreabadesso dismissed stale reviews from pedroferreira1 and tuliomir via eec7214 February 24, 2025 18:16

andreabadesso force-pushed the feat/lavamoat branch 2 times, most recently from 65abf08 to b3b2e5e Compare February 24, 2025 18:34

tuliomir mentioned this pull request Feb 24, 2025

feat: Upgrades react-scripts to v5 HathorNetwork/hathor-explorer#386

Open

1 task

andreabadesso force-pushed the feat/lavamoat branch from b3b2e5e to 73595cf Compare February 24, 2025 18:50

refactor: removed most of the polyfills from config-overrides

9631ec1

andreabadesso force-pushed the feat/lavamoat branch from 73595cf to 9631ec1 Compare February 24, 2025 18:52

andreabadesso added 2 commits February 24, 2025 15:54

docs: added a comment on mjs module resolution

110225e

refactor: removed XMLHttpRequest from the wallet-lib lavamoat override

1df1ef9

andreabadesso requested review from pedroferreira1 and tuliomir February 24, 2025 19:06

pedroferreira1 previously approved these changes Feb 25, 2025

View reviewed changes

package.json Outdated Show resolved Hide resolved

andreabadesso dismissed pedroferreira1’s stale review via 77db504 February 26, 2025 13:24

andreabadesso force-pushed the feat/lavamoat branch from 77db504 to 14de471 Compare February 26, 2025 13:41

chore: fix failing check pot script

e473bdf

andreabadesso force-pushed the feat/lavamoat branch from 14de471 to e473bdf Compare February 26, 2025 13:55

andreabadesso added 3 commits February 26, 2025 11:01

chore: stdlib is a dev dependency and not polyfilling vm

3c68161

chore: update locale

893324c

chore: ignoring scripts on cypress

9b966af

andreabadesso force-pushed the feat/lavamoat branch from 73ca38e to 9b966af Compare February 26, 2025 14:17

chore: installing libusb instead of ignoring scripts

e214d16

andreabadesso requested a review from pedroferreira1 February 26, 2025 16:11

pedroferreira1 approved these changes Feb 26, 2025

View reviewed changes

config-overrides.js Show resolved Hide resolved

Merge branch 'master' into feat/lavamoat

870b478

tuliomir approved these changes Feb 27, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: lavamoat #712

feat: lavamoat #712

andreabadesso commented Dec 23, 2024 •

edited

Loading

andreabadesso Dec 23, 2024

pedroferreira1 left a comment

tuliomir Feb 27, 2025

		- name: Install ttag-cli globally
		run: npm install -g ttag-cli

feat: lavamoat #712

Are you sure you want to change the base?

feat: lavamoat #712

Conversation

andreabadesso commented Dec 23, 2024 • edited Loading

Motivation

Description

Acceptance Criteria

andreabadesso Dec 23, 2024

Choose a reason for hiding this comment

pedroferreira1 left a comment

Choose a reason for hiding this comment

tuliomir Feb 27, 2025

Choose a reason for hiding this comment

andreabadesso commented Dec 23, 2024 •

edited

Loading