npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

lavamoat-browserify

v18.1.2

Published

browserify plugin for sandboxing dependencies with LavaMoat

Downloads

5,620

Readme

LavaMoat Browserify - a Browserify Plugin for creating LavaMoat-protected builds

Warning experimental, under development, has not been audited, etc**

lavamoat-browserify is a browserify plugin for generating app bundles protected by LavaMoat, where modules are defined in SES containers. It aims to reduce the risk of malicious code in the app dependency graph, known as "software supplychain attacks".

For an overview of LavaMoat tools see the main README.

Anatomy of a LavaMoat bundle

The lavamoat-browserify plugin replaces the last internal build step of the browserify compiler pipeline. This step takes all the modules and their metadata and outputs the final bundle content, including the LavaMoat kernel. It also generates the LavaMoat policy file.

LavaMoat builds differ from standard browserify builds in that they:

  1. Uses lockdown() from SES to prevent tampering with the execution environment. Thanks to lockdown, prototype-pollution attacks are neutralized. It's also a prerequisite to code isolation.
  2. Uses SES Compartments to isolate each package's execution. Packages don't share references to anything unless explicitly passed in or allowed by policy. Custom LavaMoat kernel handles the require() calls in the resulting bundle. When required, a module is initialized, usually by evaluation inside a SES container.
  3. Enforces the app-specified LavaMoat policy. The policy specifies what execution environment each package should run with, which means: what global/builtin APIs should it be exposed to, and what other packages can it require/import.

The result is a bundle that should work just as before, but provides some protection against supplychain attacks.

Example

Create a file, index.js with some requires.

const foo = require('./foo.js');
const gamma = require('gamma');

const elem = document.getElementById('result');
const x = foo(100);
elem.textContent = x;

Now use the browserify command with lavamoat as a plugin to build a lavamoat-protected bundle starting at index.js:

$ browserify index.js --plugin [ lavamoat-browserify --autopolicy ]

All of the modules that index.js needs are included in the bundle.js as strings to be evaluated inside SES containers. A lavamoat policy object is generated from a recursive walk of the require() graph and injected into the bundle (via --autopolicy), which is also written to disk at ./lavamoat/browserify/policy.json. Commit this policy file and regenerate it when your dependencies change and you agree with them.

Note You should review the diff in regenerated policy for suspicious changes, e.g. a simple maths package getting access to fetch or document

Warning Do not edit the autogenerated policy.json directly. It will be overwritten if a new bundle is created using LavaMoat. Instead, edit the policy-override.json.

See Policy file explained for details on the policy file definition.

To use this bundle, just toss a into your html, as per the official browserify documentation.

Be sure to use the same Browserify configuration (eg. plugins and transforms like babelify) that you normally use, so that it can parse the code as it will appear in your final bundle.

Install

Before you use lavamoat runtime protections, make sure you've set up allow-scripts and install dependencies using that setup.

Use one of:

yarn add -D browserify lavamoat-browserify
npm i -D browserify lavamoat-browserify
npm i --ignore-scripts -g browserify lavamoat-browserify

Usage

Usage: browserify [entry files] {BROWSERIFY OPTIONS} --plugin [ lavamoat-browserify {OPTIONS} ]

Options:

 --autopolicy, -a  Generate a `policy.json` and `policy-override.json` in the current
                   working directory. Overwrites any existing policy files. The override policy is for making manual policy changes and always takes precedence over the automatically generated policy.

     --policy, -p  Pass in policy. Accepts a policy object {} or a filepath string to the existing
                   policy. When used in conjunction with --autopolicy, specifies where to write the policy. Default: ./lavamoat/browserify/policy.json

   --override, -o  Pass in override policy. Accepts a policy object {} or a filepath string to the
                   existing override policy. Default: ./lavamoat/browserify/policy-override.json

Advanced Options:

    --prelude, -pr  Omit the lavamoat prelude from the bundle.

--prunepolicy, -pp Remove redundant package entries from the policy.

--debugpolicy, -dp Generate a `policy-debug.json` in the current working directory. Used for the
                   lavamoat visualisation tool.

      --debug, -d  Turn on extra logging for debugging.

       --help, -h  Show this message

More Examples

Run with Policy

This uses the existing policy files to generate a bundle.

$ browserify index.js --plugin [ lavamoat-browserify ]

Automatically searches for policy files inside ./lavamoat/browserify/.

Policy Override with Relative Path

This uses the override policy specified at ./policies/policy-override.json to generate a new bundle.

$ browserify index.js --plugin [ lavamoat-browserify --override './policies/policy-override.json' ]

browserify API

Create a browserify bundle with LavaMoat directly from the API and write it to bundle.js.

const browserify = require('browserify')
const fs = require('fs')

const lavamoatOpts = {
  policy: '../../policy.json',
  override: '../../policy-override.json',
  writeAutoPolicyDebug: true,
  prunePolicy: true,
}

const bundler = browserify(['./index.js'], {
  plugin: [['lavamoat-browserify', lavamoatOpts]],
})

bundler.bundle().pipe(fs.createWriteStream('./bundle.js'))

Policy Formats

Policy as an object

const lavamoatOpts = {
  policy: {
    resources: {
      'dependency-name': {
        packages: {
          react: true,
        },
      },
    },
  },
}

Policy as a function, must return a file path or an object:

const lavamoatOpts = {
  policy: () => './lavamoat/policy.json',
}

OR

const policyObject = {
  resources: {
    'dependency-name': {
      packages: {
        react: true,
      },
    },
  },
}
const lavamoatOpts = {
  policy: () => policyObject,
}

See lavamoat-browserify examples for more usage examples.

See Policy file explained for details on the policy file definition.