LavaMoat VS metamask-extension

Just yesterday I watched a talk [0] at WarsawJS about LavaMoat [1], a set of tools to protect against malicious behaviour from npm dependencies. Guess it’s time to look into it deeper.

[0]: https://naugtur.pl/pres3/lava/2023end.html

[1]: https://github.com/LavaMoat/LavaMoat

You are basically talking about Lavamoat. It provides tooling and policies for SES, which aims to make it into standards.

https://github.com/LavaMoat/LavaMoat

Enter: lavamoat. https://github.com/LavaMoat/LavaMoat

You should check out Lavamoat: https://github.com/LavaMoat/LavaMoat

It attempts to do what you're essentially describing. It was built by the MetaMask team, where supply chain attacks are an obviously huge risk.

I've spent some time trying to get it working in an app, but haven't been able to get it all the way working. It's still pretty beta and not well documented.

And it is happening right now. Github is opening the GitHub Advisory Database to community submissions. Awesome community NodeSecure builds cool things like scanner and js-x-ray. There are also lockfile-lint, LavaMoat, Jfrog-npm-tools (and I am sure there is more).

There is a proposal to add OCAPs on a language level in TC39[0]. There is already a drop-in implementation which already works in both Nodejs and browsers[1].

As a developer who wants to sandbox your own (recursive) dependencies, this is made accessible today in Lavamoat[2]. Basically a package or app can provide a policy manifest specifying which capabilities (e.g. network or filesystem access) should be granted for each dependency. Also comes with a tool that will auto-generate a starting point from your existing dependency tree.

IMO this is the future. Currently it does come with a performance penalty but hopefully this idea will catch on and make it into runtime implementations.

Lavamoat is still marked as "preprod" on npm but talking to the author it's a matter of days or weeks until the first stable release.

[0]: https://news.ycombinator.com/item?id=30703817

[1]: https://github.com/endojs/endo/tree/master/packages/ses

[2]: https://github.com/LavaMoat/LavaMoat

Have an Ethereum wallet, preferably Metamask installed.

A  Metamask Account.

Plenty of projects are source-available, but not open source, and get tons of issues, and even contributions (https://github.com/MetaMask/metamask-extension off the top of my head)

You can create an attestation based on an existing schema or create your own. Schemas define the format in which attestations will be made, and in this case, we will use the Is Human schema to attest that the owner of a certain address is human. For this example, you only need to connect your Metamask wallet (or any wallet) to Scroll Sepolia, then enter the address you want to attest and click Make attestation. You can choose whether you want the off-chain attestation, i.e., free, obtained only by signing a transaction. Alternatively, you can choose to make it on-chain and pay for the transaction to make it public and connect it to smart contract logic. In this case, you will need to obtain funds in Scroll Sepolia through a Scroll Sepolia Faucet.

Metamask (9000 GitHub Stars) https://github.com/MetaMask/metamask-extension

For this tutorial you will need Metamask or other wallet of your choice, with Scroll Sepolia funds that you can get from a Sepolia faucet and then bridge them to L2 using the Scroll Sepolia bridge. Alternatively, you can use a Scroll Sepolia Faucet to get funds directly on L2.

16) Open Metamask app. In this instruction we will use Metamask extension for Chrome browser.

> I get a 3-5 sec lag on launch [0] as it prepares the browser to block ads.

uBO is typically ready in a fraction of second, so "3-5 sec" is not normal. In Firefox all extensions sit in the same process, so it's possible another extension is preventing uBO to be ready in a timely manner, this has happened[1].

[1] https://github.com/MetaMask/metamask-extension/issues/13163