facebook / hermes

A JavaScript engine optimized for running React Native.

Home Page: https://hermesengine.dev/

Update documentation on using custom Hermes builds

matias-la opened this issue

Description

The "Using a custom Hermes build in a React Native app" documentation section hasn't been updated in a while. It dates back to the time when Hermes was shipped through a separate NPM package. But since the changes documented in "Bundled Hermes" occurred, this is no longer true and Hermes is bundled together with the react-native package. It isn't clear how it would be possible to run our application using a custom Hermes build.

Context about this request: we're running a security-sensitive RN app, so we'd like to apply some security hardening patches on top of the upstream Hermes version. But it's unclear how we'd be able to do this.

CC @cortinico

IIRC, there is a way to tell RN to build Hermes from a different directory. I don't remember the details, but someone will probably chime in here.

BTW (and I don't know whether that is your use case), Hermes should not be used to run untrusted JS. For untrusted JS we have a security sandbox (which will make its way to GitHub soon).

Hey @matias-la, we've recently discussed this in facebook/react-native#38658. You should be able to follow the steps there to get Hermes building from source.

Thanks! We ended up using an approach similar to REACT_NATIVE_OVERRIDE_HERMES_DIR, but patching react-native so it downloads the source from a trusted source and verifies its integrity. Seems to be working fine for now.
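
The last comment describes fetching the Hermes source from a trusted location and verifying its integrity before the build uses it. The sketch below is an added example, not code from the thread or from react-native: it checks a source archive against a pinned SHA-256 and only then unpacks it. The function names, file names and the sample archive are constructed for illustration.

```python
import hashlib, hmac, io, os, tarfile, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_and_unpack(tarball, pinned_sha256, dest):
    """Unpack `tarball` into `dest` only if it matches the pinned digest."""
    actual = sha256_file(tarball)
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        raise ValueError(f"digest mismatch: expected {pinned_sha256}, got {actual}")
    os.makedirs(dest, exist_ok=True)
    root = os.path.realpath(dest)
    with tarfile.open(tarball, "r:gz") as tf:
        for m in tf.getmembers():
            # Only plain files and directories that stay under `root` are accepted.
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root or not (m.isfile() or m.isdir()):
                raise ValueError(f"unsafe archive member: {m.name}")
        tf.extractall(root)
    return root

def make_sample_tarball(path, files):
    """Constructed sample input standing in for a patched Hermes source archive."""
    with tarfile.open(path, "w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

def demo():
    work = tempfile.mkdtemp()
    tarball = os.path.join(work, "hermes-src.tar.gz")
    make_sample_tarball(tarball, {"hermes/CMakeLists.txt": b"# constructed sample\n"})
    pinned = sha256_file(tarball)  # assumption: in real use, a reviewed constant in your repo
    src = verify_and_unpack(tarball, pinned, os.path.join(work, "verified"))
    with open(tarball, "ab") as f:  # simulate the archive changing after the pin was taken
        f.write(b"\x00")
    try:
        verify_and_unpack(tarball, pinned, os.path.join(work, "tampered"))
        rejected = False
    except ValueError:
        rejected = True
    return os.path.join(src, "hermes"), rejected

if __name__ == "__main__":
    print(demo())
```

A build wrapper would point `REACT_NATIVE_OVERRIDE_HERMES_DIR` at the returned directory only after `verify_and_unpack` succeeds; how the variable is consumed is as described in the linked react-native discussion, not shown here.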