
Bump LavaMoat and SES #20877

Merged
merged 8 commits into from
Sep 21, 2023

Conversation

@Mrtenz (Member) commented Sep 14, 2023

Explanation

SES 0.18.7 is incompatible with Google Chrome 117, resulting in lockdown not fully working in the injected content script:

lockdown-run.js:17 Lockdown failed: TypeError: At intrinsics.Object.groupBy expected boolean not function
  at isAllowedPropertyValue (lockdown-install.js:1:53384)
  [...]
lockdown-more.js:99 Protecting intrinsics failed: ReferenceError: harden is not defined
  at lockdown-more.js:69:13
  [...]

This was fixed in SES 0.18.8. To make sure SES is up-to-date everywhere, we have to bump LavaMoat to the latest versions too.

Manual Testing Steps

  1. Run the extension locally.
  2. Ensure there are no errors in the page console.

Pre-merge author checklist

  • I've clearly explained:
    • What problem this PR is solving
    • How this problem was solved
    • How reviewers can test my changes
  • Sufficient automated test coverage has been added

Pre-merge reviewer checklist

  • Manual testing (e.g. pull and build branch, run in browser, test code being changed)
  • PR is linked to the appropriate GitHub issue
  • IF this PR fixes a bug in the release milestone, add this PR to the release milestone

If further QA is required (e.g. new feature, complex testing steps, large refactor), add the Extension QA Board label.

In this case, a QA Engineer approval will be required.
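As an added illustration of the failure the lockdown log above reports (this is example code, not code from this PR, from SES or from LavaMoat), the following JavaScript sketches a permits-based intrinsics check that fails closed: every own property of an intrinsic must have an entry in the permits table, so an engine that ships a new builtin (here a constructed stand-in for Object.groupBy) against a table that predates it is rejected before anything is hardened, and the remedy is an updated table that knows the new builtin, which is the kind of change a SES release bump delivers. All names (permitsOld, permitsNew, makeIntrinsics, walk, freezeDeep, lockdownIntrinsics) and the constructed intrinsics are this example's own assumptions.

```javascript
// Added example (this example's own code, not SES or LavaMoat):
// a minimal permits-based intrinsics check that fails closed.

// A permit is `true` (property allowed as-is) or a nested permit table that
// the checker recurses into. A property with no permit entry is denied.
const permitsOld = {
  Object: {
    keys: true,
    freeze: true,
    prototype: { hasOwnProperty: true, toString: true },
  },
};

// Updated table: the new builtin gets an explicit permit.
const permitsNew = {
  ...permitsOld,
  Object: { ...permitsOld.Object, groupBy: true },
};

// Constructed stand-in for an engine's Object intrinsic. `withGroupBy`
// mimics a newer engine that ships Object.groupBy.
function makeIntrinsics({ withGroupBy }) {
  const ObjectIntrinsic = {
    keys: (o) => Object.keys(o),
    freeze: (o) => Object.freeze(o),
    prototype: { hasOwnProperty: () => true, toString: () => '[object]' },
  };
  if (withGroupBy) {
    ObjectIntrinsic.groupBy = () => ({});
  }
  return { Object: ObjectIntrinsic };
}

// Walk `value` against `permit`, collecting every property that is not
// accounted for, reported with a dotted path like the lockdown error.
function walk(value, permit, path, problems) {
  for (const name of Object.getOwnPropertyNames(value)) {
    const childPath = `${path}.${name}`;
    const childPermit = permit[name];
    const child = value[name];
    if (childPermit === true) {
      continue;
    }
    if (childPermit === undefined) {
      problems.push(`${childPath}: no permit for ${typeof child}`);
      continue;
    }
    if (child !== null && (typeof child === 'object' || typeof child === 'function')) {
      walk(child, childPermit, childPath, problems);
    } else {
      problems.push(`${childPath}: permit is a table but value is ${typeof child}`);
    }
  }
}

// Deep-freeze `root`, returning how many objects/functions were frozen.
function freezeDeep(root) {
  let count = 0;
  const visit = (v) => {
    if (v === null || (typeof v !== 'object' && typeof v !== 'function')) return;
    if (Object.isFrozen(v)) return;
    Object.freeze(v);
    count += 1;
    for (const name of Object.getOwnPropertyNames(v)) visit(v[name]);
  };
  visit(root);
  return count;
}

// Fail closed: if any property lacks a permit, freeze nothing and report.
function lockdownIntrinsics(intrinsics, permits) {
  const problems = [];
  walk(intrinsics, permits, 'intrinsics', problems);
  if (problems.length > 0) {
    return { ok: false, problems, hardened: 0 };
  }
  return { ok: true, problems, hardened: freezeDeep(intrinsics) };
}

// Demo: stale table against an engine that grew Object.groupBy, then the fixed table.
console.log(lockdownIntrinsics(makeIntrinsics({ withGroupBy: true }), permitsOld));
console.log(lockdownIntrinsics(makeIntrinsics({ withGroupBy: true }), permitsNew));
```

The fail-closed return is the point: with the stale table the check reports `intrinsics.Object.groupBy` and hardens nothing, which is the same shape as the log above, where a failed lockdown leaves the later "Protecting intrinsics" step without `harden`. Keeping the permits table current with the engine is therefore part of keeping the content script hardened at all.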

@socket-security bot commented Sep 14, 2023

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
eslint-plugin-storybook 0.6.13 None +0 107 kB yannbf

🚮 Removed packages: [email protected]

@socket-security bot commented Sep 14, 2023

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

@FrederikBolding (Member)

@metamaskbot update-policies

@metamaskbot (Collaborator)

Policies updated

@codecov bot commented Sep 15, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (6bb268b) 68.41% compared to head (fd51b92) 68.41%.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop   #20877   +/-   ##
========================================
  Coverage    68.41%   68.41%           
========================================
  Files         1006     1006           
  Lines        40188    40188           
  Branches     10740    10740           
========================================
  Hits         27492    27492           
  Misses       12696    12696           


@metamaskbot (Collaborator)

Builds ready [7843b7f]
Page Load Metrics (1678 ± 130 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint             108       187           140                      26                  12
                domContentLoaded      1378      2330          1677                     267                 128
                load                  1378      2345          1678                     270                 130
                domInteractive        1377      2330          1677                     267                 128
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 12.84 KiB (0.36%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@Mrtenz Mrtenz force-pushed the mrtenz/bump-lavamoat branch from 7843b7f to 51d666e Compare September 15, 2023 08:30
@Mrtenz Mrtenz marked this pull request as ready for review September 15, 2023 08:30
@Mrtenz Mrtenz requested review from a team as code owners September 15, 2023 08:30
@metamaskbot (Collaborator)

Builds ready [51d666e]
Page Load Metrics (1427 ± 22 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint             103       153           116                      12                   6
                domContentLoaded      1351      1511          1427                      46                  22
                load                  1351      1511          1427                      45                  22
                domInteractive        1351      1511          1426                      46                  22
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 12.84 KiB (0.36%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@Mrtenz (Member, Author) commented Sep 15, 2023

@SocketSecurity ignore [email protected]

This is ours.

@Mrtenz (Member, Author) commented Sep 15, 2023

@metamaskbot update-policies

@metamaskbot (Collaborator)

Policy update failed. You can review the logs or retry the policy update here

@legobeat legobeat requested review from naugtur and weizman September 15, 2023 22:32
@github-actions (Contributor)

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@legobeat (Contributor)

@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]

unmaintained ok

@legobeat (Contributor)

@SocketSecurity ignore [email protected]

new author ok

@legobeat (Contributor) previously approved these changes Sep 15, 2023 and left a comment:

Thank you, lgtm after the build-policy refresh!

@metamaskbot (Collaborator)

Builds ready [d9a2bd9]
Page Load Metrics (1591 ± 49 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint             116       184           135                      14                   7
                domContentLoaded      1471      1927          1591                     101                  49
                load                  1471      1927          1591                     101                  49
                domInteractive        1471      1927          1591                     101                  49
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 12.84 KiB (0.36%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@legobeat (Contributor)

@metamaskbot update-policies

@metamaskbot (Collaborator)

Builds ready [4185cb7]
Page Load Metrics (1430 ± 27 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint             105       148           120                      11                   5
                domContentLoaded      1340      1547          1430                      57                  27
                load                  1340      1548          1430                      57                  27
                domInteractive        1340      1547          1430                      57                  27
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 12.84 KiB (0.36%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot (Collaborator)

No policy changes

@danfinlay (Contributor) left a comment:

Curious about the new lavamoat namespace.

package.json (review thread, resolved)
@danjm danjm added release-blocker This bug is blocking the next release release-11.1.0 Issue or pull request that will be included in release 11.1.0 labels Sep 20, 2023
weizman
weizman previously approved these changes Sep 20, 2023
@Mrtenz Mrtenz dismissed stale reviews from weizman and legobeat via f5a3f39 September 21, 2023 09:10
@Mrtenz Mrtenz force-pushed the mrtenz/bump-lavamoat branch from 4185cb7 to f5a3f39 Compare September 21, 2023 09:10
@legobeat legobeat self-requested a review September 21, 2023 09:18
@Mrtenz Mrtenz force-pushed the mrtenz/bump-lavamoat branch from f5a3f39 to 6263056 Compare September 21, 2023 09:23
@Mrtenz (Member, Author) commented Sep 21, 2023

@metamaskbot update-policies

@metamaskbot (Collaborator)

Policies updated

@metamaskbot (Collaborator)

Builds ready [fd51b92]
Page Load Metrics (1571 ± 53 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint             118       169           133                      13                   6
                domContentLoaded      1429      1890          1571                     111                  53
                load                  1429      1890          1571                     111                  53
                domInteractive        1429      1890          1571                     111                  53
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 12.84 KiB (0.36%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@danjm danjm merged commit baf0599 into develop Sep 21, 2023
9 checks passed
@danjm danjm deleted the mrtenz/bump-lavamoat branch September 21, 2023 17:31
@github-actions github-actions bot locked and limited conversation to collaborators Sep 21, 2023
@metamaskbot metamaskbot added the release-11.3.0 Issue or pull request that will be included in release 11.3.0 label Sep 21, 2023
@danjm danjm removed the release-11.3.0 Issue or pull request that will be included in release 11.3.0 label Sep 22, 2023
Labels
release-11.1.0 Issue or pull request that will be included in release 11.1.0 release-blocker This bug is blocking the next release team-lavamoat
7 participants