hendriknielaender / double-trouble

Dev Blog
https://double-trouble.dev
MIT License

New Post: Lavamoat #23

Open flyck opened 1 year ago

hendriknielaender commented 1 year ago

idea: how to secure nextjs/trpc/create-t3-app with lavamoat?

These are the steps we need to integrate.

  1. disable/allow dependency lifecycle scripts (e.g. "postinstall") via @lavamoat/allow-scripts
  2. run your server or build process in lavamoat-node
  3. build your ui with LavaMoat for Browserify

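An added example for steps 1 and 2, not code from this issue or from the LavaMoat project: before running the server under lavamoat-node, review the policy it will enforce. The script below walks a policy object in the `lavamoat/node/policy.json` shape (`resources` -> package name -> `builtin` / `globals` / `packages` / `native`) and lists the grants a reviewer should question. The sample policy and its package names are constructed for illustration; the severity rules are this example's own choice, not LavaMoat's.

```javascript
// Added example: review a LavaMoat policy before trusting it at runtime.
// The sample below is constructed; the package names are not real packages.
const SAMPLE_POLICY = {
  resources: {
    'left-pad': {},
    'tiny-logger': {
      builtin: { 'fs.appendFileSync': true, path: true },
      globals: { 'process.env': true },
    },
    'shell-helper': {
      builtin: { 'child_process.exec': true, fs: true },
      globals: { 'process.env': true, setTimeout: true },
      packages: { 'tiny-logger': true },
    },
    'native-hasher': { native: true },
  },
};

// Builtins whose grant lets a package reach outside its compartment. A bare
// module grant ("fs": true) is broader than a member grant
// ("fs.appendFileSync": true), so it is rated higher; child_process and vm
// are rated high whichever member is granted. Ratings are this example's own.
const SENSITIVE_BUILTINS = {
  child_process: { why: 'can spawn processes', always: 'high' },
  vm: { why: 'can compile and run code', always: 'high' },
  fs: { why: 'can read or write files' },
  net: { why: 'can open sockets' },
  tls: { why: 'can open TLS sockets' },
  http: { why: 'can make outbound requests' },
  https: { why: 'can make outbound requests' },
  worker_threads: { why: 'can run code in a worker' },
};

const SENSITIVE_GLOBALS = {
  'process.env': 'can read secrets from the environment',
  'process.exit': 'can terminate the process',
  eval: 'can run dynamic code',
  Function: 'can run dynamic code',
};

// Returns findings sorted by severity (high first), then package name.
function auditPolicy(policy) {
  const findings = [];
  for (const [pkg, res] of Object.entries(policy.resources || {})) {
    for (const [grant, allowed] of Object.entries(res.builtin || {})) {
      const root = grant.split('.')[0];
      const info = SENSITIVE_BUILTINS[root];
      if (!allowed || !info) continue;
      const severity = info.always || (grant === root ? 'high' : 'medium');
      findings.push({ pkg, kind: 'builtin', grant, severity, why: info.why });
    }
    for (const [grant, allowed] of Object.entries(res.globals || {})) {
      if (allowed && SENSITIVE_GLOBALS[grant]) {
        findings.push({ pkg, kind: 'global', grant, severity: 'medium', why: SENSITIVE_GLOBALS[grant] });
      }
    }
    if (res.native) {
      findings.push({ pkg, kind: 'native', grant: 'native', severity: 'high', why: 'can load native addons, which run outside the compartment' });
    }
  }
  const rank = { high: 0, medium: 1 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity] || a.pkg.localeCompare(b.pkg));
}

// Packages with at least one "high" finding: the ones to re-check first.
function highRiskPackages(policy) {
  return [...new Set(auditPolicy(policy).filter((f) => f.severity === 'high').map((f) => f.pkg))];
}

function formatReport(policy) {
  return auditPolicy(policy)
    .map((f) => `[${f.severity}] ${f.pkg}: ${f.kind} ${f.grant} (${f.why})`)
    .join('\n');
}

console.log(formatReport(SAMPLE_POLICY));
```

Run it against a real `policy.json` by replacing `SAMPLE_POLICY` with `JSON.parse(fs.readFileSync('lavamoat/node/policy.json', 'utf8'))`. A package like `left-pad` that needs nothing produces no findings; that is the shape most of a well-behaved dependency tree should have.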
flyck commented 1 year ago

[Image: DALL·E 2023-01-21 15 27 39 - show a castle with a gate at its center on top of a magma rock with some soldiers attacking from the side and a dragon that is made out of json text f]

[Image: DALL·E 2023-01-21 15 37 45 - a dragon spewing out packages at a castle on top of lava, digital art]

flyck commented 1 year ago

In Node 20 there are now some experimental runtime permissions. You can limit the access to file reads/writes for the program as a whole.

Lavamoat is still more fine-grained here, as it allows package-specific rules. Also with the Node 20 features it will take a while until they are available in AWS to a broader audience.

Lavamoat still doesn't support webpack or esbuild, so I suppose this means I can only run it in the lavamoat runtime, for which I will create an example in a custom lambda runtime.
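An added example, not part of the comment above, showing the process-wide nature of the Node 20 permission model that the comment contrasts with LavaMoat's per-package rules. `process.permission` is only defined when Node is started with `--experimental-permission`, so `checkPermissions()` takes the permission object as a parameter and the rest of the block exercises it with a fake. The paths are assumptions: `/var/task` as the directory a Lambda runtime unpacks code into and `/tmp` as the only writable location; adjust them for your own runtime.

```javascript
// Added example: a startup self-check for a handler running under
// `node --experimental-permission --allow-fs-read=/var/task --allow-fs-write=/tmp`.
// The model answers per scope for the whole process; it cannot say which
// package asked, which is the gap LavaMoat's per-package policy fills.

// Scopes from the Node 20 model: fs.read / fs.write take a path reference,
// child and worker do not. Paths are assumptions for a Lambda-like layout.
const CHECKS = [
  { scope: 'fs.read', reference: '/var/task' },  // code directory, must be readable
  { scope: 'fs.write', reference: '/var/task' }, // code directory, must not be writable
  { scope: 'fs.write', reference: '/tmp' },      // scratch space, the only writable dir
  { scope: 'child' },                            // no child processes
  { scope: 'worker' },                           // no worker threads
];

// Runs the checks against a permission object (pass process.permission at
// runtime). Reports enabled: false when the model is not active, so a
// deployment that forgot the flag is visible rather than silently unguarded.
function checkPermissions(permission, checks = CHECKS) {
  if (!permission || typeof permission.has !== 'function') {
    return { enabled: false, results: [] };
  }
  const results = checks.map((c) => ({
    ...c,
    allowed: c.reference === undefined ? permission.has(c.scope) : permission.has(c.scope, c.reference),
  }));
  return { enabled: true, results };
}

// The answers a hardened handler should get back.
const EXPECTED = {
  'fs.read:/var/task': true,
  'fs.write:/var/task': false,
  'fs.write:/tmp': true,
  'child:': false,
  'worker:': false,
};

// Lists every check whose answer differs from EXPECTED; empty means the
// process was started with the intended flags.
function violations(report) {
  if (!report.enabled) return ['permission model not enabled'];
  return report.results
    .filter((r) => EXPECTED[`${r.scope}:${r.reference ?? ''}`] !== r.allowed)
    .map((r) => [r.scope, r.reference, `allowed=${r.allowed}`].filter(Boolean).join(' '));
}

// Fake permission object modelling --allow-fs-read / --allow-fs-write roots
// and --allow-child-process, so the logic can be run without the flag.
function fakePermission(readRoots, writeRoots, allowChild = false) {
  const under = (roots, p) => roots.some((r) => p === r || p.startsWith(r.endsWith('/') ? r : r + '/'));
  return {
    has(scope, ref) {
      if (scope === 'fs.read') return under(readRoots, ref);
      if (scope === 'fs.write') return under(writeRoots, ref);
      if (scope === 'child') return allowChild;
      return false; // 'worker', 'fs' and anything unknown stay denied in this fake
    },
  };
}

const liveReport = checkPermissions(process.permission);
console.log(liveReport.enabled ? violations(liveReport) : 'start node with --experimental-permission to enforce these checks');
```

Wire `violations(checkPermissions(process.permission))` into the handler's cold-start path and fail fast when the list is non-empty; with the real `process.permission`, the same five checks answer exactly as the fake does for the flags shown in the comment.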