Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci - install deps - limit install scripts to whitelist #7208

Merged
merged 9 commits into from
Sep 25, 2019

Conversation

kumavis
Copy link
Member

@kumavis kumavis commented Sep 23, 2019

moving in parallel to SESify/lavamoat, I'm doing some research to reduce our exposure to 3rd party code.

There's 3 main phases we need to concern ourselves with:

  • Dep Install time via pre/post-install scripts (related to this PR)
  • Build time via build tools (lavamoat the build system...? lavamoat node loader?)
  • Run time via deps in bundle (related to SESify/lavamoat)

@kumavis kumavis changed the title ci - install deps - limit install scripts to those needed for build ci - install deps - limit install scripts to whitelist Sep 23, 2019
@metamaskbot
Copy link
Collaborator

Builds ready [bc45ed0]

@kumavis kumavis marked this pull request as ready for review September 23, 2019 03:46
@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

aha test failures, thats more what I was expecting

@Gudahtt
Copy link
Member

Gudahtt commented Sep 23, 2019

This seems pretty reasonable, though from the looks of CI there is at least one package missing from the list.

I'm a bit concerned that it might be difficult to determine if we've missed one, as our test coverage does have some significant gaps. So it's possible we're missing an important build step that'll result in a subtle bug somewhere. I'm also a bit concerned about how we're to maintain this list over time.

Maybe we could recursively scan all dependencies for build scripts, and compare it to the list we've manually built?

Then there's the question of which scripts we do want to run. It's possible we have packages with optional scripts that we could just ignore.

This package implemented something similar that stored the list in package.json: https://github.com/dominykas/allow-scripts
It might prove useful. Or at least maybe we could take inspiration from it, and store the list in a more machine-readable format to make it easier to maintain.

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

My first assumption is that nothing that ends up in the bundle actually requires a install script, unless someone is babel compiling at post-install time. My assumption is that its mostly for native deps (bindings to code that needs to be compiled, eg written in c or something) that are part of our build and test systems

nice find with allow-scripts, pretty much what we're doing by hand here. I suppose it does not run its own deps if any under this same restriction, though they are few

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

wrote a script, these ones have scripts

core-js: /home/xyz/Development/metamask-extension2/node_modules/core-js
core-js-pure: /home/xyz/Development/metamask-extension2/node_modules/core-js-pure
sc-uws: /home/xyz/Development/metamask-extension2/node_modules/sc-uws
tiny-secp256k1: /home/xyz/Development/metamask-extension2/node_modules/tiny-secp256k1
chromedriver: /home/xyz/Development/metamask-extension2/node_modules/chromedriver
electron: /home/xyz/Development/metamask-extension2/node_modules/electron
jpegtran-bin: /home/xyz/Development/metamask-extension2/node_modules/jpegtran-bin
jss: /home/xyz/Development/metamask-extension2/node_modules/jss
optipng-bin: /home/xyz/Development/metamask-extension2/node_modules/optipng-bin
sinon: /home/xyz/Development/metamask-extension2/node_modules/sinon
scrypt: /home/xyz/Development/metamask-extension2/node_modules/scrypt
ursa-optional: /home/xyz/Development/metamask-extension2/node_modules/ursa-optional
leveldown: /home/xyz/Development/metamask-extension2/node_modules/leveldown
fetch-mock: /home/xyz/Development/metamask-extension2/node_modules/fetch-mock
secp256k1: /home/xyz/Development/metamask-extension2/node_modules/secp256k1
@sentry/cli: /home/xyz/Development/metamask-extension2/node_modules/@sentry/cli
assemblyscript: /home/xyz/Development/metamask-extension2/node_modules/assemblyscript
gifsicle: /home/xyz/Development/metamask-extension2/node_modules/gifsicle
keccak: /home/xyz/Development/metamask-extension2/node_modules/keccak
sha3: /home/xyz/Development/metamask-extension2/node_modules/sha3
weak: /home/xyz/Development/metamask-extension2/node_modules/weak
websocket: /home/xyz/Development/metamask-extension2/node_modules/websocket
node-sass: /home/xyz/Development/metamask-extension2/node_modules/node-sass
sqlite3: /home/xyz/Development/metamask-extension2/node_modules/sqlite3
phantomjs-prebuilt: /home/xyz/Development/metamask-extension2/node_modules/phantomjs-prebuilt
gc-stats: /home/xyz/Development/metamask-extension2/node_modules/gc-stats
geckodriver: /home/xyz/Development/metamask-extension2/node_modules/geckodriver

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

I'm so confused, my tool is reporting that weak has an install script, and its consistent with an error im seeing, but the actual package.json at the reported location does not have an install script..?

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

oh hell, this is the default value for the install script "install": "node-gyp rebuild" https://docs.npmjs.com/misc/scripts#default-values

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

for the second phase "build time", we could maybe use a nodejs loader but this suggests it only works with esm
https://nodejs.org/api/esm.html#esm_resolve_hook

@metamaskbot
Copy link
Collaborator

Builds ready [3428381]

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

surprised these weren't needed phantomjs-prebuilt, gc-stats. dead deps? incorrectly configured deep dev deps?

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

Added my utility script that shows what deps have install scripts. we only run a small subset of them

core-js: node_modules/core-js postinstall
core-js-pure: node_modules/core-js-pure postinstall
sc-uws: node_modules/sc-uws install
tiny-secp256k1: node_modules/tiny-secp256k1 install
chromedriver: node_modules/chromedriver install
electron: node_modules/electron postinstall
jpegtran-bin: node_modules/jpegtran-bin postinstall
jss: node_modules/jss postinstall
optipng-bin: node_modules/optipng-bin postinstall
sinon: node_modules/sinon postinstall
scrypt: node_modules/scrypt preinstall,install
ursa-optional: node_modules/ursa-optional install
leveldown: node_modules/leveldown install
fetch-mock: node_modules/fetch-mock postinstall
secp256k1: node_modules/secp256k1 install
@sentry/cli: node_modules/@sentry/cli install
assemblyscript: node_modules/assemblyscript postinstall
gifsicle: node_modules/gifsicle postinstall
keccak: node_modules/keccak install
sha3: node_modules/sha3 install
weak: node_modules/weak install
websocket: node_modules/websocket install
node-sass: node_modules/node-sass install,postinstall
sqlite3: node_modules/sqlite3 install
phantomjs-prebuilt: node_modules/phantomjs-prebuilt install
gc-stats: node_modules/gc-stats install
geckodriver: node_modules/geckodriver postinstall

@metamaskbot
Copy link
Collaborator

Builds ready [ddb1a25]

@kumavis
Copy link
Member Author

kumavis commented Sep 23, 2019

I'm also a bit concerned about how we're to maintain this list over time.

I don't expect it to need to change very often but as long as CI fails, the list should get updated. If it gets a bit stale, its not too bad, but currently will need some manual review.

anyways im happy with this for now

package.json Outdated Show resolved Hide resolved
@metamaskbot
Copy link
Collaborator

Builds ready [c9c69be]

Copy link
Member

@Gudahtt Gudahtt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@kumavis kumavis merged commit e1efb4d into develop Sep 25, 2019
@kumavis kumavis deleted the sec-limit-install-scripts branch September 25, 2019 12:01
Gudahtt added a commit to Gudahtt/metamask-extension that referenced this pull request Sep 27, 2019
* origin/develop: (56 commits)
  Add advanced setting to enable editing nonce on confirmation screens (MetaMask#7089)
  Add migration on 3box imports and remove feature flag (MetaMask#7209)
  ci - install deps - limit install scripts to whitelist (MetaMask#7208)
  Add a/b test for full screen transaction confirmations (MetaMask#7162)
  Update minimum Firefox verison to 56.0 (MetaMask#7213)
  mesh-testing - submit infura rpc requests to mesh-testing container (MetaMask#7031)
  obs-store/local-store should upgrade webextension error to real error (MetaMask#7207)
  sesify-viz - bump dep for visualization enhancement (MetaMask#7175)
  address book entries by chainId (MetaMask#7205)
  Optimize images only during production build (MetaMask#7194)
  Use common test build during CI (MetaMask#7196)
  Report missing `en` locale messages to Sentry (MetaMask#7197)
  Verify locales on CI (MetaMask#7199)
  updated ganache and addons-linter (MetaMask#7204)
  fixup! add user rejected errors
  add user rejected errors
  update json-rpc-engine
  use eth-json-rpc-errors
  Remove unused locale messages (MetaMask#7190)
  Remove unused components (MetaMask#7191)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants