LavaMoat is a fantastic and vital addition to the JavaScript ecosystem, and it's part of a collection of related technologies:
> Endo uses LavaMoat to automatically generate reviewable policies that determine what capabilities will be distributed to third party dependencies.
> The foundation of Endo is SES, a tamper-proof JavaScript environment that allows safe execution of arbitrary programs in Compartments.
I really hope that Node or Deno move towards making these policies available for all packages. Reviewing every source diff of every new package version is impractical, but noticing when packages request new permissions is a plausible amount of effort for organisations to commit themselves to (as the modal policy diff should be empty).
Of course there's still the possibility of supply chain attacks against popular packages which have powerful capabilities, but it should prevent packages like "is-odd" or "left-pad" from stealing and uploading your private keys.
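An added example of the check the comment describes, not code from LavaMoat or Endo: it diffs two policies in LavaMoat's policy.json shape (`resources` keyed by package, each with `globals`, `builtin` and `packages` maps) and reports only the capabilities a dependency newly requests, so the expected "modal" result is an empty report. Both policy objects are constructed sample data.

```javascript
// Constructed sample: the policy as previously reviewed (not a real package's policy).
const before = {
  resources: {
    'left-pad': { globals: {}, builtin: {}, packages: {} },
    'request-lib': {
      globals: { fetch: true },
      builtin: { 'https.request': true },
      packages: { 'url-parse': true },
    },
  },
};

// Constructed sample: the policy regenerated after a dependency update.
const after = {
  resources: {
    'left-pad': {
      globals: { process: true },                                  // new global
      builtin: { 'fs.readFileSync': true, 'https.request': true }, // new builtins
      packages: {},
    },
    'request-lib': {
      globals: { fetch: true },
      builtin: { 'https.request': true },
      packages: { 'url-parse': true },
    },
    'new-dep': { globals: {}, builtin: { 'child_process.exec': true }, packages: {} },
  },
};

const SECTIONS = ['globals', 'builtin', 'packages'];

// Returns { pkg: { section: [newly granted names] } } for each package whose
// policy grew. Any truthy grant (LavaMoat uses true or "write") counts as allowed.
// An empty object means nothing new was requested, which is the expected outcome.
function newlyRequested(oldPolicy, newPolicy) {
  const report = {};
  for (const [pkg, res] of Object.entries(newPolicy.resources || {})) {
    const prev = (oldPolicy.resources || {})[pkg] || {};
    for (const section of SECTIONS) {
      const added = Object.keys(res[section] || {})
        .filter((name) => res[section][name] && !(prev[section] || {})[name])
        .sort();
      if (added.length) (report[pkg] = report[pkg] || {})[section] = added;
    }
  }
  return report;
}

// Human-readable lines for a review ticket; empty array when the diff is clean.
function formatReport(report) {
  return Object.entries(report).flatMap(([pkg, sections]) =>
    Object.entries(sections).map(([s, names]) => `${pkg}: new ${s}: ${names.join(', ')}`));
}

console.log(formatReport(newlyRequested(before, after)).join('\n') || 'policy diff is clean');
```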