
Whoo, we’ve been busy this month! We have some Devcon talks, new articles, and community outreach coming your way!
“Quadruple backflip” has landed and been released. We’re looking into introducing the new version of SES into LavaMoat. https://github.com/endojs/endo/pull/1293 https://github.com/endojs/endo/releases/tag/ses%400.17.0
Meanwhile, we’re also working on introducing LavaMoat-style policies to Endo to allow granular control of powers per package. The current proof of concept allows listing globals and builtins, where builtins can be programmatically attenuated (limited in API or functionality).
The latest release of @lavamoat/allow-scripts now supports configuring Yarn 3 based projects out of the box, with more improvements pending.
We’ve introduced a programmatic API to LavaMoat, so with require('lavamoat') it can now be used from within a Node application or script, not only as a command.
We’ve introduced scuttling of globals: global powers are captured for endowing according to the policy, and then the original global references are removed, so it’s harder for the end user to accidentally pass an indirect reference to them to a package.
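The two mechanisms mentioned above (attenuating a builtin so a package sees only a subset of its API, and scuttling globals once the policy-allowed ones have been captured for endowing) can be illustrated with a small stand-alone demo. The code below is an added example, not LavaMoat or Endo code: the policy shape, the attenuator, the `fakeFs` and `fakeGlobal` stand-ins and every function name are constructed here, and the real implementations differ.

```javascript
// Added demo of two ideas: attenuating a builtin to a subset of its API, and
// "scuttling" globals after the allowed ones have been captured for endowing.
// Stand-alone illustration, not LavaMoat or Endo code; all names are constructed.

// Constructed stand-in for a builtin module (not Node's real fs), so the demo
// runs offline and never touches the filesystem.
const fakeFs = {
  writes: [],
  readFileSync: (path) => `contents of ${path}`,
  writeFileSync: (path) => fakeFs.writes.push(path),
};

// Attenuate a builtin: expose only the listed methods, and only for paths
// under pathPrefix. Hypothetical attenuator shape for this demo.
function attenuateBuiltin(builtin, { methods, pathPrefix }) {
  const facade = Object.create(null);
  for (const method of methods) {
    if (typeof builtin[method] !== 'function') continue;
    facade[method] = (path, ...rest) => {
      if (typeof path !== 'string' || !path.startsWith(pathPrefix)) {
        throw new Error(`${method}: path outside ${pathPrefix}`);
      }
      return builtin[method](path, ...rest);
    };
  }
  return Object.freeze(facade);
}

// Capture the policy-allowed globals into an endowments object first, then
// scuttle every configurable own property of the global object by replacing
// it with throwing accessors. Non-configurable properties cannot be replaced
// and are reported in `kept` so the caller can see what is still reachable.
function scuttleGlobals(globalObj, allowedGlobals) {
  const endowments = Object.create(null);
  for (const name of allowedGlobals) {
    if (name in globalObj) endowments[name] = globalObj[name];
  }
  const scuttled = [];
  const kept = [];
  for (const name of Reflect.ownKeys(globalObj)) {
    const desc = Object.getOwnPropertyDescriptor(globalObj, name);
    if (!desc.configurable) { kept.push(name); continue; }
    const fail = () => { throw new ReferenceError(`global ${String(name)} was scuttled`); };
    Object.defineProperty(globalObj, name, {
      configurable: false, enumerable: false, get: fail, set: fail,
    });
    scuttled.push(name);
  }
  return { endowments, scuttled, kept };
}

function demo() {
  // Constructed stand-in for globalThis so the real global object is untouched.
  const fakeGlobal = {
    fetch: (url) => `fetched ${url}`,
    setTimeout: (fn) => fn(),
    appSecret: 'constructed-secret',
  };
  // Constructed policy for one package: one allowed global, one attenuated builtin.
  const policy = {
    globals: ['fetch'],
    builtins: { fs: { methods: ['readFileSync'], pathPrefix: '/app/config/' } },
  };

  const { endowments, scuttled } = scuttleGlobals(fakeGlobal, policy.globals);
  const fs = attenuateBuiltin(fakeFs, policy.builtins.fs);

  // The endowed reference still works; the accidental indirect reference through
  // the (scuttled) global object does not.
  const viaEndowment = endowments.fetch('https://example.invalid/');
  let viaGlobal;
  try { viaGlobal = fakeGlobal.fetch('https://example.invalid/'); }
  catch (e) { viaGlobal = e.constructor.name; }

  // The attenuated builtin allows reads under the prefix, rejects others, and
  // exposes no write method at all.
  const allowedRead = fs.readFileSync('/app/config/settings.json');
  let outsideRead;
  try { outsideRead = fs.readFileSync('/app/secrets/key.pem'); }
  catch (e) { outsideRead = 'blocked'; }
  const canWrite = typeof fs.writeFileSync === 'function';

  return { viaEndowment, viaGlobal, scuttled: scuttled.map(String), allowedRead, outsideRead, canWrite };
}

console.log(demo());
```

The ordering matters: endowments are captured before the global object is scuttled, so a package that receives its powers through endowments keeps working, while code that reaches for `globalThis.fetch` after the fact gets a `ReferenceError` instead of a live reference. The `kept` list is the practical caveat: properties that are not configurable cannot be scuttled this way and remain reachable.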
We’re very close to providing protection against the recent hack devised by our friends at socket.dev: https://socket.dev/blog/npm-bin-script-confusion
We had a blast seeing everyone at Devcon! Watch Antonela rock the main stage with this talk on how to balance security and usability in product design.
Stay tuned, because we’re going to be sharing the LavaMoat talk Kumavis gave next time. Here’s a sneak peek…
But if you can’t wait that long, you can read all about it here!
We’re also proud to share this deep dive from Gal on the ecosystems in which JavaScript programs live. Check it out.
Last but definitely not least, the MetaMask community team led this awesome security 101 call that had over 4000 attendees! Watch it for yourself, and share it with your friends.