Closed danfinlay closed 3 years ago
I don't think LavaMoat confinement makes sense for libraries, which is primarily what this template repo is for. It makes sense for the build system, but the library itself should get confined as part of the application build process.
The library can't ultimately be responsible for confining and auditing dependencies because the library doesn't choose which versions to use. The application does.
Yeah, that's the same sentiment Aaron had. More discussion in our lavamoat channel. Closing this series of issues & PRs.
How cool would it be if every MetaMask module shipped with its dependencies pre-confined by default via LavaMoat?
Problem: currently this template repo uses Rollup as its build system, but LavaMoat only has plugins for Browserify and webpack. This means we either need to switch this project to one of those (like this PR that converts it to webpack), or add a LavaMoat plugin for Rollup.
one guide on creating a rollup plugin