1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-01 21:57:06 +01:00
Commit Graph

38 Commits

Author SHA1 Message Date
weizman
c35b9dea64
remove duplicate comment line (#17381) 2023-01-24 21:24:01 +02:00
weizman
4a57d994c7
Activate LavaMoat scuttling security feature (#17276) 2023-01-24 19:00:35 +02:00
weizman
6d551f10fe
Update LavaMoat (core/lavapack) (#17061) 2023-01-18 14:35:37 +02:00
weizman
3cf5ef642f
Revert "Integrate new LavaMoat scuttling protection feature (#16994)" (#17043) 2022-12-22 17:26:53 +02:00
weizman
5d320ceec6
Integrate new LavaMoat scuttling protection feature (#16994)
Co-authored-by: kumavis <kumavis@users.noreply.github.com>
Co-authored-by: kumavis <aaron@kumavis.me>
Co-authored-by: Brad Decker <bhdecker84@gmail.com>
2022-12-21 12:54:30 -06:00
weizman
42b8971571
Integrating snow into metamask (#15580) 2022-11-24 02:36:19 +02:00
Mark Stacey
6ff8044421
Remove obsolete builds (#16430)
The `brave` and `opera` builds are obsolete; in practice we have been
using the Chrome build for those browsers, because they are based upon
Chromium and are compatible with the Chrome extension API.
2022-11-09 05:57:35 -10:00
legobeat
2a1c4a00f1
development scripts: add node shebang; mark as executable (#15655) 2022-08-24 12:25:27 -05:00
Mark Stacey
48c02ef641
Add validation to production build script (#15468)
Validation has been added to the build script when the "prod" target is
selected. We now ensure that all expected environment variables are
set, and that no extra environment variables are present (which might
indicate that the wrong configuration file is being used).

The `prod` target uses a new `.metamaskprodrc` configuration file. Each
required variable can be specified either via environment variable or
via this config file. CI will continue set these via environment
variable, but for local manual builds we can use the config file to
simplify the build process and ensure consistency.

A new "dist" target has been added to preserve the ability to build a
"production-like" build without this validation.

The config validation is invoked early in the script, in the CLI
argument parsing step, so that it would fail more quickly. Otherwise
we'd have to wait a few minutes longer for the validation to run.
This required some refactoring, moving functions to the utility module
and moving the config to a dedicated module.

Additionally, support has been added for all environment variables to
be set via the config file. Previously the values `PUBNUB_PUB_KEY`,
`PUBNUB_SUB_KEY`, `SENTRY_DSN`, and `SWAPS_USE_DEV_APIS` could only be
set via environment variable. Now, all of these variables can be set
either way.

Closes #15003
2022-08-19 15:46:18 -02:30
Brad Decker
7b42c54728
Update Babel and dependencies (#15392) 2022-08-05 10:04:44 -05:00
Mark Stacey
b68aee1bef
Migrate the build script to yargs (#14836)
The build script now uses `yargs` rather than `minimist`. The CLI is
now better documented, and we have additional validation for each
option.

A patch for `yargs` was required because it would blow up on the line
`Error.captureStackTrace`. For some reason when running under LavaMoat,
that property did not exist.

Closes #12766
2022-06-21 17:37:05 -02:30
Erik Marks
73a7ce9e39
Add applyLavaMoat build flag (#14583)
Adds a new flag, `--apply-lavamoat`, to the main build script. The flag controls whether LavaMoat is actually applied to the output of the build process. The flag defaults to `true`, but we explicitly set it to `false` in the `start` package script. Meanwhile, the `start:lavamoat` script is modified such that it applies LavaMoat to the build output in development mode, but it no longer runs the build process itself under LavaMoat as there aren't very compelling reasons to do so.

This change is motivated by the fact that development builds do not have their own dedicated LavaMoat policies, which causes development builds to fail since #14537. The downside of this change is that LavaMoat-related failures will not be detected when running `yarn start`. @kumavis has plans for fixing this problem in a future major version of the `@lavamoat` suite.
2022-04-29 15:56:30 -07:00
kumavis
223124a561
lavamoat@6 - update to secure package naming (#14488) 2022-04-26 07:36:57 -10:00
Elliot Winkler
53006d4cf0
Add TypeScript to the build system (#13489)
This commit modifies the build system so that TypeScript files can be
transpiled into ES5 just like JavaScript files.

Note that this commit does NOT change the build system to run TypeScript
files through the TypeScript compiler. In other words, no files will be
type-checked at the build stage, as we expect type-checking to be
handled elsewhere (live, via your editor integration with `tsserver`,
and before a PR is merged, via `yarn lint`). Rather, we merely instruct
Babel to strip TypeScript-specific syntax from any files that have it,
as if those files had been written using JavaScript syntax alone.

Why take this approach? Because it prevents the build process from being
negatively impacted with respect to performance (as TypeScript takes a
significant amount of time to run).

It's worth noting the downside of this approach: because we aren't
running files through TypeScript, but relying on Babel's [TypeScript
transform][1] to identify TypeScript syntax, this transform has to keep
up with any syntax changes that TypeScript adds in the future. In fact
there are a few syntactical forms that Babel already does not recognize.
These forms are rare or are deprecated by TypeScript, so I don't
consider them to be a blocker, but it's worth noting just in case it
comes up later. Also, any settings we place in `tsconfig.json` will be
completely ignored by Babel. Again, this isn't a blocker because there
are some analogs for the most important settings reflected in the
options we can pass to the transform. These and other caveats are
detailed in the [documentation for the transform][2].

[1]: https://babeljs.io/docs/en/babel-plugin-transform-typescript
[2]: https://babeljs.io/docs/en/babel-plugin-transform-typescript#caveats
2022-03-28 16:33:40 -06:00
Elliot Winkler
4447727eb6
Add TypeScript to the linting process (#13495)
This commit allows developers to write TypeScript files and lint them
(either via a language server in their editor of choice or through the
`yarn lint` command).

The new TypeScript configuration as well as the updated ESLint
configuration not only includes support for parsing TypeScript files,
but also provides some compatibility between JavaScript and TypeScript.
That is, it makes it possible for a TypeScript file that imports a
JavaScript file or a JavaScript file that imports a TypeScript file to
be linted.

Note that this commit does not integrate TypeScript into the build
system yet, so we cannot start converting files to TypeScript and
pushing them to the repo until that final step is complete.
2022-03-21 12:54:47 -06:00
Mark Stacey
75a8aedc32
Derive version suffix from build type and version (#13895)
The version of a build is now derived from both the `version` field in
`package.json` and the requested build type and version. The build type
and version are added onto the manifest version as a suffix, according
to the SemVer prerelease format.

We already have support in the extension for versions of this format,
but to apply a Flask or Beta version required manual updates to
`package.json`. Now it can be done just with build arguments.

A `get-version` module was created to make it easier to generate the
version in the various places we do that during the build. It was
created in the `development/lib` directory because it will be used by
other non-build development scripts in a future PR.

The `BuildType` constant was extracted to its own module as well, and
moved to the `development/lib` directory. This was to make it clear
that it's used by various different development scripts, not just the
build.
2022-03-10 12:31:50 -03:30
Mark Stacey
3732c5f71e
Add JSDoc ESLint rules (#12112)
ESLint rules have been added to enforce our JSDoc conventions. These
rules were introduced by updating `@metamask/eslint-config` to v9.

Some of the rules have been disabled because the effort to fix all lint
errors was too high. It might be easiest to enable these rules one
directory at a time, or one rule at a time.

Most of the changes in this PR were a result of running
`yarn lint:fix`. There were a handful of manual changes that seemed
obvious and simple to make. Anything beyond that and the rule was left
disabled.
2022-01-07 12:27:33 -03:30
Mark Stacey
ba54a3d83b
Update ESLint config to v8 (#12886)
The ESLint config has been updated to v8. The breaking changes are:

* The Prettier rule `quoteProps` has been changed from `consistent` to
`as-needed`, meaning that if one key requires quoting, only that key is
quoted rather than all keys.
* The ESLint rule `no-shadow` has been made more strict. It now
prevents globals from being shadowed as well.

Most of these changes were applied with `yarn lint:fix`. Only the
shadowing changes required manual fixing (shadowing variable names were
either replaced with destructuring or renamed).

The dependency `globalThis` was added to the list of dynamic
dependencies in the build system, where it should have been already.
This was causing `depcheck` to fail because the new lint rules required
removing the one place where `globalThis` had been erroneously imported
previously.

A rule requiring a newline between multiline blocks and expressions has
been disabled temporarily to make this PR smaller and to avoid
introducing conflicts with other PRs.
2021-12-09 15:36:24 -03:30
Mark Stacey
e8b7fcf8dc
Fix LavaMoat background policy generation (#12844)
The LavaMoat policy generation script would sporadically fail because
it ran the build concurrently three times, and the build includes
steps that delete the `dist` directory and write to it. So if one build
process tried to write to the directory after another deleted it, it
would fail.

This was solved by adding a new `--policy-only` flag to the build
script, and a new `scripts:prod` task. The `scripts:prod` task only
runs the script tasks for prod, rather than the entire build process.
The `--policy-only` flag stops the script tasks once the policy has
been written, and stops any other files from being written to disk.

This prevents the three concurrent build processes from getting in each
others way, and it dramatically speeds up the process.
2021-11-26 16:38:23 -03:30
Erik Marks
5560b7c3e5
Update build system lockdown parameter (#12556)
* Update build system lockdown parameter

* Add @reduxjs/toolkit patch

* Fix Mozilla lint syntax error

* Standardize a thing

* Remove redundant check for globalThis
2021-11-01 22:13:22 -10:00
Erik Marks
a2d3d942ec
Exclude files from builds by build type (#12521)
This PR enables the exclusion of JavaScript and JSON source by `buildType`, and enables the running of `eslint` under LavaMoat. 80-90% of the changes in this PR are `.patch` files and LavaMoat policy additions.

The file exclusion is designed to work in conjunction with our code fencing. If you forget to fence an import statement of an excluded file, the application will now error on boot. **This PR commits us to a particular naming convention for files intended only for certain builds.** Continue reading for details.

### Code Fencing and ESLint

When a file is modified by the code fencing transform, we run ESLint on it to ensure that we fail early for syntax-related issues. This PR adds the first code fences that will be actually be removed in production builds. As a consequence, this was also the first time we attempted to run ESLint under LavaMoat. Making that work required a lot of manual labor because of ESLint's use of dynamic imports, but the manual changes necessary were ultimately quite minor.

### File Exclusion

For all builds, any file in `app/`, `shared/` or `ui/` in a sub-directory matching `**/${otherBuildType}/**` (where `otherBuildType` is any build type except `main`) will be added to the list of excluded files, regardless of its file extension. For example, if we want to add one or more pages to the UI settings in Flask, we'd create the folder `ui/pages/settings/flask`, add any necessary files or sub-folders there, and fence the import statements for anything in that folder. If we wanted the same thing for Beta, we would name the directory `ui/pages/settings/beta`.

As it happens, we already organize some of our source files in this way, namely the logo JSON for Beta and Flask builds. See `ui/helpers/utils/build-types.js` to see how this works in practice.

Because the list of ignored filed is only passed to `browserify.exclude()`, any files not bundled by `browserify` will be ignored. For our purposes, this is mostly relevant for `.scss`. Since we don't have anything like code fencing for SCSS, we'll have to consider how to handle our styles separately.
2021-11-01 20:20:31 -07:00
Mark Stacey
345ed9f6f2
Add build type to Sentry environment (#12441)
The build type (i.e. the distribution) is now included in the Sentry
environment during setup, for all builds except the "main" build. This
will allow us to track Flask and beta errors separately from other
errors.

A constant was created for the build types. The equivalent constant in
our build scripts was updated to match it more closely, for
consistency. We can't use the same constant in both places because our
shared constants are in modules that use ES6 exports, and our build
script does not yet support ES6 exports.

The singular `BuildType` was used rather than `BuildTypes` to match our
naming conventions elsewhere for enums. We name them like classes or
types, rather than like a collection.

Relates to #11896
2021-10-25 14:27:30 -02:30
Mark Stacey
3a5538bd50
Migrate beta version to the main version field (#12246)
The main `version` field in `package.json` will now include the beta
version (if present) rather than it being passed in via the CLI when
building. The `version` field is now a fully SemVer-compatible version,
with the added restriction that any prerelease portion of the version
must match the format `<build type>.<build version>`.

This brings the build in-line with the future release process we will
be using for the beta version. The plan is for each future release to
enter a "beta phase" where the version would get updated to reflect
that it's a beta, and we would increment this beta version over time as
we update the beta. The manifest gives us a place to store this beta
version. It was also important to replace the automatic minor bump
logic that was being used previously, because the version in beta might
not be a minor bump.

Additionally, the filename logic used for beta builds was updated to
be generic across all build types rather than beta-specific. This will
be useful for Flask builds in the future.
2021-10-06 15:14:48 -02:30
Mark Stacey
3f577700c6
Replace isBeta with buildType (#12231)
This is a refactor to replace the `isBeta` boolean with `buildType`
throughout the build system. This will allow us to modify the behaviour
of each step of the build process for Flask as well.

This should result in no functional changes.
2021-09-28 13:43:26 -02:30
Erik Marks
2b104603d5
Build: Lint files after removing their code fences (#12075)
* Add linting

* Type the eslintInstance variable

* Update documentation
2021-09-15 17:18:28 -10:00
Erik Marks
3de3765425
Add build-time code exclusion using code fencing (#12060)
This PR adds build-time code exclusion by means of code fencing. For details, please see the README in `./development/build/transforms`. Note that linting of transformed files as a form of validation is added in a follow-up, #12075.

Hopefully exhaustive tests are added to ensure that the transform works according to its specification. Since these tests are Node-only, they required their own Jest config. The recommended way to work with multiple Jest configs is using the `projects` field in the Jest config, however [that feature breaks coverage collection](https://github.com/facebook/jest/issues/9628). That being the case, I had to set up two separate Jest configs. In order to get both test suites to run in parallel, Jest is now invoked via a script, `./test/run-jest.sh`.

By way of example, this build system feature allows us to add fences like this:

```javascript
this.store.updateStructure({
  ...,
  GasFeeController: this.gasFeeController,
  TokenListController: this.tokenListController,
  ///: BEGIN:ONLY_INCLUDE_IN(beta)
  PluginController: this.pluginController,
  ///: END:ONLY_INCLUDE_IN
});
```

Which at build time are transformed to the following if the build type is not `beta`:

```javascript
this.store.updateStructure({
  ...,
  GasFeeController: this.gasFeeController,
  TokenListController: this.tokenListController,
});
```

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2021-09-14 10:00:04 -07:00
Erik Marks
413700afc7
Rationalize build system arguments (#12047)
This rationalizes how arguments are passed to and parsed by the build system. To accomplish this, everything that isn't an environment variable from `.metamaskrc` or our CI environment is now passed as an argument on the command line.

Of such arguments, the `entryTask` is still expected as a positional argument in the first position (i.e. `process.argv[2]`), but everything else must be passed as a named argument. We use `minimist` to parse the arguments, and set defaults to preserve existing behavior.

Arguments are parsed in a new function, `parseArgv`, in `development/build/index.js`. They are assigned to environment variables where convenient, and otherwise returned from `parseArgv` to be passed to other functions invoked in the same file.

This change is motivated by our previous inconsistent handling of arguments to the build system, which will grow increasingly problematic as the build system grows in complexity. (Which it will very shortly, as we introduce Flask builds.)

Miscellaneous changes:
- Adds a build system readme at `development/build/README.md`
- Removes the `beta` package script. Now, we can instead call: `yarn dist --build-type beta`
- Fixes the casing of some log messages and reorders some parameters in the build system
2021-09-09 12:44:57 -07:00
David Walsh
7b827ca5e7
Create MetaMask Beta build (#10985) 2021-09-08 15:08:23 -05:00
Erik Marks
290fcbf89e
Allow excluding lockdown at build time (#11937)
This adds an `--omit-lockdown` flag to our build script, which will cause SES `lockdown` to be omitted from the resulting bundle. Useful for development when we don't want the environment to be locked down.

Thanks to @kumavis for the suggestion.
2021-08-30 16:49:39 -07:00
Etienne Dusseault
f196c9feb8
Add Lavamoat to build system (#9939)
* lavamoat - run build system in lavamoat

* lavamoat/allow-scripts - add missing policy entry

* update viz and lavvamoat

* trim policy file

* bump viz

* prue policy override

* regen policy file

* Update package.json

* Update package.json

* Apply suggestions from code review

Co-authored-by: kumavis <kumavis@users.noreply.github.com>

* update policy, remove redundant patches

* use yarn setup in CI

Co-authored-by: kumavis <aaron@kumavis.me>
Co-authored-by: kumavis <kumavis@users.noreply.github.com>
2021-02-22 22:43:29 +08:00
Erik Marks
76a2a9bb8b
@metamask/eslint config@5.0.0 (#10358)
* @metamask/eslint-config@5.0.0
* Update eslintrc and prettierrc
* yarn lint:fix
2021-02-04 10:15:23 -08:00
Mark Stacey
d8ec5f19f6
Use .zip for Firefox e2e tests (#10056)
The Firefox e2e tests now use the `.zip` file for testing the
extension. We've found this to produce more similar results to
production, compared to the old method of loading the unzipped
directory.

Passing in a `.zip` file to the Chrome driver didn't seem to work. I
didn't investigate this further to see if it was possible, but I'm not
sure it makes a difference on Chrome anyway.
2020-12-11 12:54:17 -03:30
Etienne Dusseault
9f6fa64d67
Add SES lockdown to extension webapp (#9729)
* Freezeglobals: remove Promise freezing, add lockdown

* background & UI: temp disable sentry

* add loose-envify, dedupe symbol-observable

* use loose envify

* add symbol-observable patch

* run freezeGlobals after sentry init

* use require instead of import

* add lockdown to contentscript

* add error code in message

* try increasing node env heap size to 2048

* change back circe CI option

* make freezeGlobals an exported function

* make freezeGlobals an exported function

* use freezeIntrinsics

* pass down env to child process

* fix unknown module

* fix tests

* change back to 2048

* fix import error

* attempt to fix memory error

* fix lint

* fix lint

* fix mem gain

* use lockdown in phishing detect

* fix lint

* move sentry init into freezeIntrinsics to run lockdown before other imports

* lint fix

* custom lockdown modules per context

* lint fix

* fix global test

* remove run in child process

* remove lavamoat-core, use ses, require lockdown directly

* revert childprocess

* patch package postinstall

* revert back child process

* add postinstall to ci

* revert node max space size to 1024

* put back loose-envify

* Disable sentry to see if e2e tetss pass

* use runLockdown, add as script in manifest

* remove global and require from runlockdown

* add more memory to tests

* upgrade resource class for prep-build & prep-build-test

* fix lint

* lint fix

* upgrade remote-redux-devtools

* skillfully re-add sentry

* lintfix

* fix lint

* put back beep

* remove envify, add loose-envify and patch-package in dev deps

* Replace patch with Yarn resolution (#9923)

Instead of patching `symbol-observable`, this ensures that all
versions of `symbol-observable` are resolved to the given range, even
if it contradicts the requested range.

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-11-24 11:26:43 +08:00
Brad Decker
2ebf8756a4
[RFC] add prettier to eslint (#8595) 2020-11-02 17:41:28 -06:00
Etienne Dusseault
69d45ab46c
Add ses lockdown to build system (#9568)
* Add ses lockdown to build system using lavamoat-core

* use proper object.assign version

* disable lint rules for ses lockdown

* deps - update rtlcss

Co-authored-by: kumavis <aaron@kumavis.me>
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-10-23 21:04:42 -02:30
Whymarrh Whitby
b6ccd22d6c
Update ESLint shared config to v3 (#9274)
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-08-19 13:57:05 -02:30
Whymarrh Whitby
4f0a205369
Use eslint@6.8.0 (#8978)
* Use eslint@6.8.0
* yarn lint:fix
2020-07-14 12:50:41 -02:30
kumavis
7686edadb0
Build system refactor (#8140)
* build - start static asset task cleanup

* build - simplify manifest tasks

* build - refactor + rename some tasks

* build - various cleanups

* manifest - fix ref from controller

* build - drop gulp for simple async tasks

* build - breakout gulpfile into multiple files

* build - rename some tasks

* build - use task fn refs instead of string names

* build - bundle all scripts first, except for contentscript

* build - improve task timeline

* deps - update lock

* build - improve task time printout

* build/scripts - remove intermediate named task

* build - use 'yarn build' for task entry points

* build - properly run tasks via runTask for timeline display

* development/announcer - fix manifest path + clean

* build - lint fix

* build - make all defined tasks possible entry points

* build/task - properly report errors during task

* ci - fix sesify/lavamoat-viz build command

* build/scripts - run each bundle in separate processes

* lint fix

* build - forward childProcess logs to console

* build/task - fix parallel/series stream end event

* build/scripts refactor contentscript+inpage into a single task

* build/static - use the fs for 150x speedup zomg

* lint fix

* build/static - fix css copy

* Update development/build/scripts.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/scripts.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/index.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* deps - remove redundant mkdirp

* deps - remove unused pumpify

* deps - remove redundant merge-deep

* deps - prefer is-stream of isstream

* deps - remove clone for lodash.cloneDeep

* clean - remove commented code

* build/static - use fs.copy + fast-glob instead of linux cp for better platform support

* build/manifest - standardize task naming

* build/display - clean - remove unused code

* bugfix - fix fs.promises import

* build - create "clean" as named task for use as entrypoint

* build/static - fix for copying dirs

* Update development/build/task.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/display.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/display.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/display.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* build - use task refs, tasks only return promises not streams, etc

* lint fi bad merge + lint

* build - one last cleanup + refactor

* build - add comments introducing file

* build/manifest - fix bug + subtasks dont beed to be named

* Update package.json

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* build/task - remove unused fn

* Update package.json

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/styles.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

* Update development/build/styles.js

Co-Authored-By: Mark Stacey <markjstacey@gmail.com>

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2020-03-09 08:55:02 +08:00