Update documentation on using custom Hermes builds
matias-la opened this issue · comments
Description
The Using a custom Hermes build in a React Native app documentation section hasn't been updated in a while. It dates back to the time when Hermes was shipped through a separate NPM package. But since the changes documented in Bundled Hermes occurred, this is no longer true and Hermes is bundled together with the react-native package. It isn't clear how it would be possible to run our application using a custom Hermes build.
Context about this request: we're running a security-sensitive RN app, so we'd like to apply some security hardening patches on top of the upstream Hermes version. But it's unclear how we'd be able to do this.
CC @cortinico
IIRC, there is a way to tell RN to build Hermes from a different directory. I don't remember the details, but someone will probably chime in here.
BTW (and I don't know whether that is your use case), Hermes should not be used to run untrusted JS. For untrusted JS we have a security sandbox (which will make its way to GitHub soon).
Hey @matias-la, we've recently discussed this in facebook/react-native#38658. You should be able to follow the steps there to get Hermes building from source.
Thanks! We ended up using an approach similar to REACT_NATIVE_OVERRIDE_HERMES_DIR
, but patching react-native so it downloads the source from a trusted source and verifies its integrity. Seems to be working fine for now.