chore: experimenting with LavaMoat allow-scripts

[jaybuidl]

Blocked by LavaMoat/LavaMoat#229 LavaMoat/LavaMoat#349

Not working right now

Regardless of the allow list configuration, yarn always refuses to run the whitelisted scripts: lists build scripts, but all build scripts have been disabled which is caused by enableScripts: false in .yarnrc.yml (from yarn's code).

Example

The package supabase has been allowed to run the script at node_modules/supabase/scripts/postinstall.js

  "lavamoat": {
    "allowScripts": {
      "..."
      "supabase": true
    },
    "allowBins": {
      "..."
      "supabase": "node_modules/supabase/scripts/postinstall.js"
    }
  }

but yarn rebuild supabase still fails

---

PR-Codex overview

This PR updates the project configuration to disable scripts and add Lavamoat security configurations.

Detailed summary

• Disabled scripts and added Lavamoat security configurations
• Added Lavamoat packages for script permissions
• Updated various package versions in yarn.lock

The following files were skipped due to too many changes: yarn.lock

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• New Features

  • Enhanced dependency management and script execution capabilities with new configurations.
  • Introduced new scripts and dependencies related to the Lavamoat security framework.

• Bug Fixes

  • Improved handling of lifecycle scripts during installation to prevent potential issues.

[netlify]

✅ Deploy Preview for kleros-v2 ready!

Name	Link
🔨 Latest commit	0aa2f1d
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2/deploys/65d8b0a9b7f97c000846872e
😎 Deploy Preview	https://deploy-preview-1524--kleros-v2.netlify.app/
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-university ready!

Name	Link
🔨 Latest commit	0aa2f1d
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-university/deploys/65d8b0a98f91f200087efb10
😎 Deploy Preview	https://deploy-preview-1524--kleros-v2-university.netlify.app/
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codeclimate]

Code Climate has analyzed commit 0aa2f1d and detected 0 issues on this pull request.

View more on Code Climate.

[sonarcloud]

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[coderabbitai]

Walkthrough

The changes introduce new configurations in the .yarnrc and .yarnrc.yml files to modify script execution behavior during Yarn installations. The package.json file is updated to include new development dependencies related to the lavamoat security framework, along with a new script for allowing specific scripts to run. Additionally, a new section in package.json specifies which scripts and binaries are permitted, enhancing dependency management and security.

Changes

File(s)	Change Summary
.yarnrc	Added configurations: ignore-scripts true, --*.no-bin-links true.
.yarnrc.yml	Added property: enableScripts: false, newline added at the end.
package.json	Added dependencies: @lavamoat/allow-scripts and @lavamoat/preinstall-always-fail in devDependencies. New script: allow-scripts, updated reinstall script for consistency, added lavamoat section with allowScripts and allowBins configurations.

Poem

Hop along, dear friends of code,
In Yarn's garden, new paths unfold.
Scripts now dance with care and grace,
Lavamoat's watchful, secure embrace.
Dependencies bloom, a vibrant sight,
In the world of coding, all feels right! 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 65a7066 and 0aa2f1d.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• .yarnrc (1 hunks)
• .yarnrc.yml (1 hunks)
• package.json (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• .yarnrc

🧰 Additional context used

🔇 Additional comments (7)

.yarnrc.yml (2)

7-8: LGTM: Improved formatting

The added newline after the yarnPath property improves the readability of the configuration file.

---

9-10: ⚠️ Potential issue

Consider the implications of disabling all scripts

Setting enableScripts: false aligns with the PR objective of disabling scripts for security reasons. However, this global setting might cause issues with packages that rely on post-install scripts, as mentioned in the PR description.

Consider the following alternatives:

1. Use LavaMoat's more granular script control instead of disabling all scripts globally.
2. Implement a whitelist approach using LavaMoat to allow specific necessary scripts while blocking others.

To better understand the impact, let's check for packages that might be affected:

This will help identify packages that might be affected by disabling all scripts.

package.json (5)

36-37: LGTM: New LavaMoat dependencies added.

The addition of @lavamoat/allow-scripts and @lavamoat/preinstall-always-fail as dev dependencies aligns with the PR objectives of incorporating LavaMoat security configurations. These packages will help manage script permissions and enhance security during the build process.

---

72-72: LGTM: Minor syntax adjustment.

The addition of a trailing comma to the reinstall script is a minor change that improves consistency in the JSON formatting. This change doesn't affect functionality and is a good practice for maintainability.

---

86-93: LGTM: LavaMoat allowBins configuration added.

The new lavamoat.allowBins configuration properly maps commands to their respective binaries in the node_modules directory. This aligns with the PR objectives of managing script permissions and enhances security.

To ensure completeness, please verify that all necessary binaries are included in this configuration. You can cross-reference with your scripts section and devDependencies to make sure nothing is missing.

#!/bin/bash
# Extract script names from package.json and compare with allowBins configuration
scripts=$(jq -r '.scripts | keys[]' package.json)
allowBins=$(jq -r '.lavamoat.allowBins | keys[]' package.json)
echo "Scripts defined:"
echo "$scripts"
echo "Allowed bins:"
echo "$allowBins"
echo "Potential missing allowBins entries:"
comm -23 <(echo "$scripts" | sort) <(echo "$allowBins" | sort)

---

79-85: LGTM: LavaMoat allowScripts configuration added.

The new lavamoat.allowScripts configuration enhances security by disabling scripts for most packages while allowing them for supabase. This aligns with the PR objectives and the example provided in the PR description.

Consider if the "$root$": false entry is necessary, as it might be redundant if scripts are globally disabled by default. You can verify this by checking the LavaMoat documentation or configuration files.

---

73-73: LGTM: New allow-scripts command added, but verify experimental flag usage.

The addition of the allow-scripts command is in line with the PR objectives for managing script permissions. However, the use of the --experimental-bins flag suggests that this feature might not be stable.

Please confirm if using the experimental flag is intentional and necessary. If it's stable enough for your use case, consider documenting this decision. Otherwise, you might want to investigate if there's a stable alternative.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.