lavamoat runtime support #52
Conversation
cryptotavares
force-pushed
the
cryptotavares/add-lavamoat-runtime-node-14
branch
from
3a65ecf
to
df8b6d3
Compare
Currently electron-builder messes around with the package.json as well as the node_modules (for example it does not consider the dev deps node_modules to be copied to the packaged app). Due to that we have generated a policy.json only for packaged electron apps. Also it seems that lavamoat computes different paths when running within electron. Due to that we are adding a specific policy override file. Finally we had to patch lavamoat to consider leveldown as a builtin when the app is packaged only.
cryptotavares
force-pushed
the
cryptotavares/add-lavamoat-runtime-node-14
branch
from
046f919
to
735b2c4
Compare
| "globals": { | ||
| "fetch": true | ||
| } | ||
| }, |
There was a problem hiding this comment.
Are there really this many different versions of node-fetch? Should that not deduplicate on installation?
There was a problem hiding this comment.
well it should... I have run it.. buuut it did not remove the duplications 😅 I have not investigate it further though (yet).
| }, | ||
| "3box>ipfs>pull-mplex": { | ||
| "packages": { | ||
| "@truffle/codec>debug": true |
There was a problem hiding this comment.
This is surprising. Why is a single package so good at escaping detection by lavamoat's static analysis?
I don't recall having this issue with debug before
| }, | ||
| "3box>ipfs>libp2p-webrtc-star>socket.io-client>engine.io-client>xmlhttprequest-ssl": { | ||
| "builtin": { | ||
| "child_process.spawn": true, |
There was a problem hiding this comment.
that's not great. We could override it to false and see if it's being used at all.
| }, | ||
| "web3>xmlhttprequest": { | ||
| "builtin": { | ||
| "child_process.spawn": true, |
There was a problem hiding this comment.
same as above - we don't like spawn because it runs something outside lavamoat.
There was a problem hiding this comment.
This is the one required (haven't looked into the package to understand why yet.. but all the other spawns can be set to false)
| + | ||
| + if (isPackagedApp && requestedName === 'leveldown') { | ||
| + return 'orbit-db-cache/node_modules/leveldown' | ||
| + } |
There was a problem hiding this comment.
We'll need config for this where resolution overrides can be provided to runLava
I can add that easily, the question is - do we also want that in a non-programmatic interface?
@kumavis
Overview
Add lavamoat-node runtime to desktop App.
Changes
Desktop
require(electron)as if it was a builtin. If the app is packaged it will also supportrequire(leveldown)as a builtin inorbit-db-cache/node_modules/leveldown. Finally the patch also includes all changes done by @naugtur in this PR - feat: add a programmatic API to lavamoat-node LavaMoat/LavaMoat#381requirewas returning an empty objectmain.tsas an entry point for the desktop app. This file passesbackground.jsas the entry point for lavamoat and calls lavamoat programatically.Extension
No changes
Standing issues
Currently this version does not support Snaps. The reason is that snaps currently require node 16 - 18. We have tried to patch it locally, but the effort to patch was not worth it (especially as electron 21 is coming by the end of the month and already comes with node 16.17.0 - electron/electron#35675 (comment))
THIS PR SHOULD NOT BE MERGED - we will create another one with electron 21 (and node 16.17.0) and supporting Snaps (once electron 21 is out)
How to run the app
Dev mode
Packaged App