LavaMoat – Tools for sandboxing your dependency graph
7 days ago
- #Supply Chain Attacks
- #LavaMoat
- #JavaScript Security
- LavaMoat is a suite of tools designed to protect JavaScript projects from software supply chain attacks.
- These attacks occur when malicious dependencies infiltrate an application, potentially stealing sensitive data or creating vulnerabilities.
- The cryptocurrency ecosystem has already been affected by such attacks, posing risks to developers and users.
- LavaMoat aims to enhance security at various stages of the software lifecycle: installation, build time, and runtime.
- Key features include disabling unauthorized dependency lifecycle scripts and running applications in secure environments.
- LavaMoat's allow-scripts tool prevents unexpected execution of install scripts, a common attack vector.
- The runtime protection includes preventing modifications to JavaScript primordials and restricting platform API access per package.
- SES (Secure ECMAScript) is the sandbox technology underpinning LavaMoat's security measures.
- LavaMoat can be used with Node.js for server-side protection and with browser bundlers for client-side applications.
- Advanced features like scuttling offer additional security but require careful consideration before use.
- LavaMoat is developed by MetaMask, funded by ConsenSys, and runs on Agoric's platform.