metamask-extension

Introduce LavaDome version 0.0.14 addressing React security concern

Open weizman opened this issue 1 year ago • 5 comments

https://github.com/LavaMoat/LavaDome/pull/26

Bottom line: React exposes everything that's passed into it, which compromises LD's secret. To address that, we must force the developer to wrap the text with a token only LD can exchange back with the secret before passing it to React.

UPDATE: https://github.com/LavaMoat/LavaDome/pull/29 is also included (v0.0.13) since 0.0.12 ended up requiring a critical fix.

UPDATE: https://github.com/LavaMoat/LavaDome/pull/30 is also included (v0.0.14) since apparently new crypto API usage throws under test envs such as in our MM CI, so we want to downgrade to inferior APIs when configured as testing.

weizman avatar Feb 11 '24 17:02 weizman
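The token exchange described in the PR description above, as an added sketch that is not LavaDome's code or API: every name here is hypothetical, the "framework" is a stand-in for React retaining props, and the `Math.random` branch is an assumed stand-in for the downgrade under test configuration mentioned in the v0.0.14 update.

```javascript
// Added illustration: all names are hypothetical, not LavaDome's API.
function createTokenVault({ unsafeTesting = false } = {}) {
  const secrets = new Map(); // closure-private: token -> secret
  const randomHex = () => {
    const bytes = new Uint8Array(16);
    if (!unsafeTesting) globalThis.crypto.getRandomValues(bytes); // CSPRNG
    else bytes.forEach((_, i) => { bytes[i] = Math.floor(Math.random() * 256); }); // test envs only
    return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  };
  return {
    // Developer calls this before anything is handed to the UI framework.
    toToken(secret) {
      const token = `token:${randomHex()}`;
      secrets.set(token, secret);
      return token;
    },
    // Only the protected renderer holds a reference to this function.
    redeem(token) {
      if (!secrets.has(token)) throw new TypeError('expected a token, got unwrapped text');
      return secrets.get(token);
    },
  };
}

// Stand-in for a UI framework that keeps every prop reachable by page scripts.
function createLeakyFramework() {
  const seenProps = [];
  const render = (component, props) => { seenProps.push(props); return component(props); };
  return { seenProps, render };
}

// Protected renderer: swaps the token for the secret inside its own closure.
function createProtectedText(redeem) {
  const isolated = []; // stand-in for the isolated DOM the secret is drawn into
  const component = ({ text }) => { isolated.push(redeem(text)); return '<protected-text/>'; };
  return { component, isolated };
}

function demo(options) {
  const secret = 'constructed example secret';
  const vault = createTokenVault(options);
  const framework = createLeakyFramework();
  const view = createProtectedText(vault.redeem);
  const output = framework.render(view.component, { text: vault.toToken(secret) });
  const leakedWrapped = JSON.stringify(framework.seenProps).includes(secret);
  let rawRejected = false;
  try { framework.render(view.component, { text: secret }); } catch { rawRejected = true; }
  const leakedRaw = JSON.stringify(framework.seenProps).includes(secret);
  return { output, leakedWrapped, rawRejected, leakedRaw, drawn: view.isolated[0] === secret };
}
```

In `demo()`, the wrapped render leaves only the token in the framework's retained props, while the unwrapped render is rejected by the renderer yet has already placed the secret in those props, which is why wrapping has to happen before the framework is involved.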

👍 Dependency issues cleared.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


socket-security[bot] avatar Feb 11 '24 17:02 socket-security[bot]

Builds ready [590fe40]
Page Load Metrics (1132 ± 54 ms)
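| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 125 | 399 | 206 | 62 | 30 |
| Chrome | Home | domContentLoaded | 11 | 114 | 47 | 31 | 15 |
| Chrome | Home | load | 842 | 1306 | 1132 | 113 | 54 |
| Chrome | Home | domInteractive | 11 | 114 | 47 | 31 | 15 |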
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 1.16 KiB (0.02%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Feb 13 '24 16:02 metamaskbot

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 68.59%. Comparing base (0495d5b) to head (65770c4).

Additional details and impacted files
@@           Coverage Diff            @@
##           develop   #22902   +/-   ##
========================================
  Coverage    68.59%   68.59%           
========================================
  Files         1101     1101           
  Lines        43176    43176           
  Branches     11552    11552           
========================================
  Hits         29615    29615           
  Misses       13561    13561           


codecov[bot] avatar Feb 13 '24 16:02 codecov[bot]

Builds ready [65cbb71]
Page Load Metrics (1087 ± 61 ms)
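| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 127 | 598 | 219 | 96 | 46 |
| Chrome | Home | domContentLoaded | 10 | 178 | 53 | 41 | 20 |
| Chrome | Home | load | 947 | 1529 | 1087 | 128 | 61 |
| Chrome | Home | domInteractive | 10 | 178 | 53 | 41 | 20 |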
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 1.16 KiB (0.02%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Feb 13 '24 17:02 metamaskbot

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions[bot] avatar Feb 15 '24 07:02 github-actions[bot]

Builds ready [73e5e81]
Page Load Metrics (1212 ± 81 ms)
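| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 130 | 397 | 205 | 68 | 33 |
| Chrome | Home | domContentLoaded | 10 | 102 | 42 | 22 | 11 |
| Chrome | Home | load | 949 | 1623 | 1212 | 169 | 81 |
| Chrome | Home | domInteractive | 10 | 102 | 42 | 22 | 11 |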
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 1.16 KiB (0.02%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Feb 15 '24 07:02 metamaskbot

Builds ready [9a3bb7b]
Page Load Metrics (1004 ± 40 ms)
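| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 124 | 283 | 202 | 43 | 21 |
| Chrome | Home | domContentLoaded | 9 | 78 | 43 | 25 | 12 |
| Chrome | Home | load | 825 | 1161 | 1004 | 83 | 40 |
| Chrome | Home | domInteractive | 9 | 78 | 43 | 25 | 12 |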
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 1.21 KiB (0.02%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Feb 19 '24 10:02 metamaskbot

Builds ready [2dfec1b]
Page Load Metrics (1021 ± 57 ms)
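| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 110 | 326 | 192 | 47 | 23 |
| Chrome | Home | domContentLoaded | 9 | 106 | 37 | 29 | 14 |
| Chrome | Home | load | 757 | 1278 | 1021 | 119 | 57 |
| Chrome | Home | domInteractive | 9 | 106 | 37 | 29 | 14 |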
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 1.21 KiB (0.02%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Feb 19 '24 11:02 metamaskbot

Builds ready [5aba177]
Page Load Metrics (993 ± 59 ms)
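| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 123 | 288 | 197 | 41 | 20 |
| Chrome | Home | domContentLoaded | 9 | 100 | 49 | 30 | 14 |
| Chrome | Home | load | 722 | 1205 | 993 | 123 | 59 |
| Chrome | Home | domInteractive | 9 | 100 | 46 | 31 | 15 |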
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 1.21 KiB (0.02%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Feb 20 '24 09:02 metamaskbot

Removed dependencies detected.

🚮 Removed packages: npm/@lavamoat/[email protected]


socket-security[bot] avatar Mar 04 '24 18:03 socket-security[bot]

Builds ready [65770c4]
Page Load Metrics (1004 ± 437 ms)
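| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 73 | 507 | 139 | 89 | 43 |
| Chrome | Home | domContentLoaded | 11 | 103 | 38 | 22 | 10 |
| Chrome | Home | load | 60 | 2087 | 1004 | 909 | 437 |
| Chrome | Home | domInteractive | 11 | 103 | 38 | 22 | 10 |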
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 32 Bytes (0.00%)
  • ui: 532 Bytes (0.01%)
  • common: 0 Bytes (0.00%)

metamaskbot avatar Mar 04 '24 18:03 metamaskbot