NOTE: under rapid development, not ready for production use, has not been audited, etc.
lavamoat-browserify is a browserify plugin for generating app bundles protected by LavaMoat, where modules are defined in SES containers. It aims to reduce the risk of "software supply chain attacks": malicious code in the app's dependency graph.
The lavamoat-browserify plugin replaces the last internal build step of the compiler pipeline. This step takes all the modules and their metadata and outputs the final bundle content, including the kernel and LavaMoat config.
LavaMoat builds differ from standard browserify builds in that they:
- include the app-specified LavaMoat configuration
This tells the kernel what execution environment each module should be instantiated with, and what other modules may be brought in as dependencies.
- use a custom LavaMoat kernel
This kernel enforces the LavaMoat config. When requested, a module is initialized, usually by evaluation inside a SES container. The kernel also protects the module's exports from modification via a strategy provided in the config such as SES hardening, deep copies, or copy-on-write views.
- bundle the module sources as strings
Modules are SES eval'd with access only to the platform APIs specified in the config.
The result is a bundle that should work just as before, but provides some protection against supply chain attacks.
See lavamoat-browserify-examples for usage examples.
There are two phases for using the lavamoat-browserify plugin.
LavaMoat can auto-generate a working config for you by parsing your dependencies. Be sure to use the same browserify configuration (e.g. plugins and transforms like babelify) that you normally use, so that it can parse the code as it will appear in your final bundle. Ignore the output of this command.
Build with lavamoat-browserify, including a reference to the generated config file.
Introduction to LavaMoat