Skip to content

chore(linea-ens-contracts): add lavamoat allow-scripts #348

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(linea-ens-contracts): add lavamoat allow-scripts #348

wants to merge 1 commit into from

Conversation

@witmicko
Copy link
Collaborator

@witmicko witmicko commented Oct 15, 2025
edited
Loading

Summary

Add @lavamoat/allow-scripts across the workspace to mitigate the risk of executing unexpected lifecycle scripts from transitive dependencies.
Lavamoat allow-scripts does not affect runtime. Lavamoat at runtime is a separate integration

Motivation

npm lifecycle scripts can run arbitrary code during install. @lavamoat/allow-scripts enforces an explicit allowlist so only vetted scripts execute, reducing supply‑chain attack surface.

What changed

  • Add @lavamoat/allow-scripts at the root and wire it into installs.
  • Generate and commit per‑package allowScripts allowlists via allow-scripts auto.
  • No runtime code changes.

Security considerations

  • Narrows the set of install-time scripts to an audited allowlist.

Note

Introduces LavaMoat allow-scripts and disables lifecycle scripts for packages/linea-ens-contracts, adding an explicit allowlist policy to block install-time scripts from transitive deps.

  • Install-time hardening:
    • Disable lifecycle scripts via Yarn config in packages/linea-ens-contracts/.yarnrc and .yarnrc.yml.
    • Add devDeps @lavamoat/allow-scripts and @lavamoat/preinstall-always-fail in packages/linea-ens-contracts/package.json.
    • Define lavamoat.allowScripts policy in package.json to deny install scripts for specified transitive packages.

Written by Cursor Bugbot for commit cc74d87. This will update automatically on new commits. Configure here.

@witmicko witmicko requested a review from a team as a code owner October 15, 2025 16:20
@socket-security
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​lavamoat/​preinstall-always-fail@​2.1.1811004882100
Added@​npmcli/​node-gyp@​3.0.01001006183100
Addedunique-slug@​4.0.01001006183100
Addedunique-filename@​3.0.01001006583100
Addedis-lambda@​1.0.11001006777100
Addedabbrev@​2.0.0100100708480
Addedpromise-inflight@​1.0.11001007377100
Addednpm-install-checks@​6.3.01001007587100
Added@​lavamoat/​aa@​4.3.41001007686100
Addedminipass-sized@​1.0.31001008177100
Addedread-cmd-shim@​4.0.01001007783100
Addedminipass-flush@​1.0.51001007777100
Addedminipass-collect@​2.0.11001008177100
Addedminipass-pipeline@​1.2.41001008977100
Addedisexe@​3.1.1991009277100
Added@​pkgjs/​parseargs@​0.11.010010010078100
Addedretry@​0.12.010010010078100
Addedpath-scurry@​1.11.110010010078100
Addedip-address@​10.0.110010010078100
Addedhttps-proxy-agent@​7.0.61001009179100
Addedcmd-shim@​6.0.31001007983100
Addedminimatch@​9.0.510010010079100
Addedminipass-fetch@​3.0.5991008084100
Addederr-code@​2.0.31001009080100
Addedhttp-cache-semantics@​4.2.010010010080100
Addedagent-base@​7.1.41001009180100
Addedjackspeak@​3.4.310010010080100
Addedglob@​10.4.510010010080100
Addedsocks-proxy-agent@​8.0.5991008481100
Addedsocks@​2.8.710010010081100
Addedpromise-retry@​2.0.11001009881100
Added@​npmcli/​agent@​2.2.2991008288100
Addedwhich@​4.0.01001008384100
See 26 more rows in the dashboard

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@witmicko