# lavamoat

`lavamoat` is a NodeJS runtime where modules are defined in SES Compartments. It aims to reduce the risk of malicious code in the app dependency graph, known as "software supply chain attacks".
LavaMoat differs from the standard node runtime in that it:

1. Uses `lockdown()` from SES to prevent tampering with the execution environment. Thanks to lockdown, prototype-pollution attacks are neutralized. It's also a prerequisite to code isolation.
2. Provides its own `require` and linking implementation for the purpose of loading allowed dependencies.

The result is a runtime that should work just as before, but provides some protection against supply chain attacks.
For an overview of LavaMoat tools see the main README
Before you use lavamoat runtime protections, make sure you've set up allow-scripts and install dependencies using that setup.
Use one of:

```sh
npm i lavamoat
yarn add lavamoat
```
1. Run `lavamoat app.js --autopolicy` to generate a policy for your app.
2. Review the `./lavamoat/node/policy.json` file it generated.
3. Run `lavamoat app.js`.
4. If you need to change permissions, open the `./lavamoat/node/policy-override.json` file and introduce changes there. You can both expand and trim the permissions.

Note: You can regenerate the main policy file on updates (and review for unexpected new permissions) while the modifications you needed to make remain in a separate overrides file. It makes reviewing and maintaining both files easier.
See also: Policy file explained
```text
lavamoat <entryPath> [Options]

Positionals:
  entryPath  the path to the entry file for your application. same as node.js
                                                                      [string]

Options:
  --version                           Show version number             [boolean]
  --help                              Show help                       [boolean]
  -p, --policy, --policyPath          Pass in policy. Accepts a filepath string
                                      to the existing policy. When used in
                                      conjunction with --autopolicy, specifies
                                      where to write the policy. Default:
                                      ./lavamoat/node/policy.json
                                 [string] [default: "lavamoat/node/policy.json"]
  -o, --policyOverride, --override,   Pass in override policy. Accepts a
  --policyOverridePath                filepath string to the existing override
                                      policy. Default:
                                      ./lavamoat/node/policy-override.json
                        [string] [default: "lavamoat/node/policy-override.json"]
  --policyDebug, --pd, --policydebug, Pass in debug policy. Accepts a filepath
  --policyDebugPath                   string to the existing debug policy.
                                      Default: ./lavamoat/node/policy-debug.json
                           [string] [default: "lavamoat/node/policy-debug.json"]
  -a, --writeAutoPolicy, --autopolicy Generate a "policy.json" and
                                      "policy-override.json" in the current
                                      working directory. Overwrites any existing
                                      policy files. The override policy is for
                                      making manual policy changes and always
                                      takes precedence over the automatically
                                      generated policy.
                                                      [boolean] [default: false]
  --writeAutoPolicyAndRun, --ar,      parse + generate a LavaMoat policy file
  --autorun                           then execute with the new policy.
                                                      [boolean] [default: false]
  --writeAutoPolicyDebug, --dp,       when writeAutoPolicy is enabled, write
  --debugpolicy                       policy debug info to specified or default
                                      path                [boolean] [default: false]
  --projectRoot                       specify the directory from where packages
                                      should be resolved
                  [string] [default: "/home/naugtur/work/metamask/metamask-extension"]
  -d, --debugMode, --debug            Disable some protections and extra logging
                                      for easier debugging.
                                                      [boolean] [default: false]
  --statsMode, --stats                enable writing and logging of stats
                                                      [boolean] [default: false]
```
This uses the existing policy and policy-override files to run your app. It automatically searches for policy files inside `./lavamoat/node/`:

```sh
lavamoat index.js
```

This uses the override policy specified at `./policies/policy-override.json`:

```sh
lavamoat index.js --override './policies/policy-override.json'
```

Having trouble reading thrown Errors? Try running with the `--debugMode` flag. Warning: not safe for production runs.

For more information on the lavamoat policy file, check Policy file explained in documentation.

Got a dependency that won't quite work under LavaMoat? Try patch-package.
Programmatic usage is almost identical to the commandline and its arguments.
```js
const { runLava } = require('lavamoat')

runLava({
  entryPath: './app.js',
  // Optional:
  writeAutoPolicy: false,
  writeAutoPolicyDebug: false,
  writeAutoPolicyAndRun: false,
  policyPath: 'path to file',
  policyDebugPath: 'path to file',
  policyOverridePath: 'path to file',
  projectRoot: process.cwd(),
  debugMode: false,
  statsMode: false,
})
```
FAQs
The npm package lavamoat receives a total of 21,000 weekly downloads. As such, lavamoat is classified as popular.
We found that lavamoat demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.