14:19
<littledan>
There are also people who “believe in” ShadowRealms and don’t “believe in” lockdown. Objectively I think ShadowRealms have a smaller attack surface.
14:23
<littledan>
I am interested in this area of understanding how to guard against malicious dependencies. I don’t see how any kind of isolation mechanism can be enough to guard against logic errors which are at the center of some issues. I hope we in TC39 can discuss how to improve communication about important updates, and how to maintain good dependency metadata, in the future.
14:31
<naugtur>
LavaMoat uses Hardened JavaScript (SES) to isolate each dependency into a separate Compartment and only allow access to globals and imports listed in a policy. The Principle of Least Authority approach + an assumption that an initial trusted state exists (or a necessity to review the generated policy) guard against malicious packages reaching for unexpected powers/APIs or attempting poisoning of prototypes or objects passed around.

It is still possible for a package to deliberately introduce a vulnerability in the implementation of e.g. a cryptographic function. But the main concern is packages being taken over or corrupted to perform general-purpose attacks like sending process.env serialized to a third-party server.