undefined | Better HN

0 pointsnaugtur6mo ago0 comments

If you mean during development - you can opt out of using lavamoat in development for your webpack bundle (I'm assuming you're not running your untested code on valuable data)

0 comments

cluckindan6mo ago

Well, that’s not exactly reassuring. Having a very different runtime environment in production is grounds for hard to debug issues.

Is it possible to generate the allowlist at development time without having the webpack plugin loaded? If it’s only generated at build time, it won’t protect against malicious packages getting installed in CI just before the build happens.

naugturOP6mo ago

You need to juggle two builds - one while you're iterating rapidly and another when you're near start and finish of the increment. Not a lot of work compared to auditing a thousand packages.

Try it and see. There's tradeoffs but if you roll it out, it is very powerful.

j / k navigate · click thread line to collapse

0 comments

cluckindan6mo ago

Well, that’s not exactly reassuring. Having a very different runtime environment in production is grounds for hard to debug issues.

naugturOP6mo ago

You need to juggle two builds - one while you're iterating rapidly and another when you're near start and finish of the increment. Not a lot of work compared to auditing a thousand packages.

Try it and see. There's tradeoffs but if you roll it out, it is very powerful.

j / k navigate · click thread line to collapse