GitBross Startsida Utforska Hjälp
Registrera dig Logga in
sol_BMCMMXZh
/
wormhole-foundation_wormhole
spegling av https://github.com/wormhole-foundation/wormhole
1
0
Fork 0
Filer Ärenden 1 Wiki
Bläddra i källkod

docs: add guide for working with JS packages securely (#4487)

* docs: add guide for working with JS packages securely
* remove scrap notes file
John Saigle 2 månader sedan
förälder
5b0c39fdac
incheckning
d81f78d0ba
2 ändrade filer med 62 tillägg och 65 borttagningar
Delad Vy Visa Diff Statistik
  1. 62 0
      CONTRIBUTING.md
  2. 0 65
      algorand/test/NOTES

+ 62 - 0
CONTRIBUTING.md
Visa fil 

@@ -32,6 +32,68 @@ Documentation for the in-the-wild deployments lives in the
 
 
 See [DEVELOP.md](./DEVELOP.md) for more information on how to run the development environment.
 
 
+## Supply Chain Security
 
+
 
+### Core Principles
 
+- **Pin as much as possible**: Versions, hashes, and dependencies
 
+- **Minimize attack surface**: Fewer dependencies = fewer risks
 
+- **Verify integrity**: Use lockfiles and checksums
 
+
 
+### Working with Node dependencies
 
+Do not change the dependencies of the package.json by hand! 
+
 
+Instead:
 
+
 
+- When initially installing OR pulling what has been changed: `npm ci`. 
+If you do not do this, you may not get exactly what is specified in the file, inadvertently update dependencies, or even pull exploits down to your machine! **Never use `npm install` for this use case**.
 
+- When needing to add or update a package: `npm i <package>@<version>`. If you do not do this, you may inadvertently update other packages or fail to update the lock file.
 
+- When needing to remove a package: `npm r <package>`. If you do not do this, you may inadvertently update other packages or fail to update the lock file.
 
+
 
+Always commit your `package-lock.json`.
 
+
 
+Using specific versions improves security because package versions cannot be overwritten after they are released.
 
+
 
+#### Dockerfile workflow
 
+
 
+##### If installing a package locally
 
+
 
+- Copy in package.json and the lock file
 
+- Then run `npm ci`
 
+
 
+```dockerfile
 
+# NOTE: Dockerfile must be pinned too
 
+FROM node:18.19.0-alpine@sha256:12345...
 
+
 
+WORKDIR /app
 
+
 
+# Include package files
 
+COPY package.json package-lock.json ./
 
+
 
+# Use npm ci so that packages are not upgraded
 
+RUN npm ci
 
+
 
+...
 
+```
 
+
 
+##### If installing a package globally
 
+
 
+- Use `npm i <package>@<version>`
 
+
 
+```dockerfile
 
+# NOTE: Dockerfile must be pinned too
 
+FROM node:18.19.0-alpine@sha256:12345...
 
+
 
+# Pin global packages to specific versions
 
+RUN npm install -g somepackage@1.2.3
 
+
 
+...
 
+
 
+```
 
+
 
+### When to update packages
 
+Updating packages should not be done alongside other work. Instead, take the time to review dependency upgrades carefully,
 
+making a best effort to ensure that they are necessary and secure.
 
+
 
 ## Contributions FAQ
 
 
 ### Can you add \<random blockchain\>?

+ 0 - 65
algorand/test/NOTES
Visa fil 

@@ -1,65 +0,0 @@
 
-index 0
 
-appId 4
 
-textToHexString("guardian");
 
-guardianAddr CLAOUBJPZ5WNLM7ZU237TCOV2WODAGNUX3536PZ3JSWMBN7M46UADLN3GY
 
-
 
-('CLAOUBJPZ5WNLM7ZU237TCOV2WODAGNUX3536PZ3JSWMBN7M46UADLN3GY',
 
- '01befa429d57cd18b7f8a4d91a2da9ab4af05d0fbe00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000677561726469616e')
 
-
 
-illness illegal arrive clip fork palm skull south impose verify toss ocean shrug vital swift similar depend margin climb uniform risk pizza canal absorb forward
 
-
 
-# Locally in your project.
 
-npm install -D typescript
 
-npm install -D ts-node
 
-
 
-# Or globally with TypeScript.
 
-npm install -g typescript
 
-npm install -g ts-node
 
-
 
-# Depending on configuration, you may also need these
 
-npm install -D tslib @types/node
 
-
 
-go to .../ethereum/
 
-npm ci
 
-go to ..../sdk/js
 
-npm ci; npm run build
 
-
 
-Then, in a new window, you can run
 
-  tsc -p tsconfig-cjs.json --watch
 
-which will track updates
 
-
 
-ts-node foo2.ts
 
-
 
-
 
-https://github.com/barnjamin/sdk-extras/blob/master/py/block_fetcher.py
 
-
 
-package main
 
-
 
-import (
 
-        "context"
 
-        "strings"
 
-
 
-        "github.com/algorand/go-algorand/rpcs"
 
-        "github.com/algorand/indexer/fetcher"
 
-        "github.com/sirupsen/logrus"
 
-)
 
-
 
-var log = logrus.New()
 
-
 
-func main() {
 
-        f, err := fetcher.ForNetAndToken("http://localhost:4001", strings.Repeat("a", 64), log)
 
-        if err != nil {
 
-                log.Fatalf("Failed to create fetcher: %+v", err)
 
-        }
 
-
 
-        f.SetBlockHandler(handler)
 
-
 
-        f.Run(context.Background())
 
-}
 
-
 
-func handler(ctx context.Context, cert *rpcs.EncodedBlockCert) error {
 
-        for _, stxn := range cert.Block.Payset {
 
-                log.Printf("%+v", stxn.SignedTxn.Txn.Type)
 
-        }
 
-        return nil
 
-}