
Conversation

@witmicko
Collaborator

@witmicko witmicko commented Oct 15, 2025

Summary

Add @lavamoat/allow-scripts across the workspace to mitigate the risk of executing unexpected lifecycle scripts from transitive dependencies.
Lavamoat allow-scripts does not affect runtime; Lavamoat at runtime is a separate integration.

Motivation

npm lifecycle scripts can run arbitrary code during install. @lavamoat/allow-scripts enforces an explicit allowlist so only vetted scripts execute, reducing supply‑chain attack surface.

What changed

  • Add @lavamoat/allow-scripts at the root and wire it into installs.
  • Generate and commit per‑package allowScripts allowlists via allow-scripts auto.
  • No runtime code changes.

Security considerations

  • Narrows the set of install-time scripts to an audited allowlist.

Note

Introduce @lavamoat/allow-scripts across the monorepo with per-package allowlists and ignore npm lifecycle scripts by default.

  • Security/Tooling:
    • Add .npmrc with ignore-scripts=true to disable automatic lifecycle scripts.
    • Add @lavamoat/allow-scripts (and @lavamoat/preinstall-always-fail) at the root with lifecycle:run and lifecycle:scan scripts; set packageManager to pnpm.
    • Configure per-package allowlists via "lavamoat.allowScripts" in:
      • packages/linea-ccip-gateway, packages/linea-ens-app, packages/linea-ens-contracts, packages/linea-ens-resolver, packages/linea-ens-subgraph, packages/linea-state-verifier, packages/poh-signer-api.
    • Add LavaMoat devDependencies where needed across packages.
  • No runtime code changes; lockfile updated accordingly.

Written by Cursor Bugbot for commit 2504609.

@witmicko witmicko requested a review from a team as a code owner October 15, 2025 11:25
@witmicko witmicko requested a review from naugtur October 15, 2025 11:25
@socket-security

socket-security bot commented Oct 15, 2025

Review the following changes in direct dependencies.

Diff   Package                                 Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  @lavamoat/preinstall-always-fail@2.1.1  81                      100             48        82            100
Added  @lavamoat/allow-scripts@3.4.0           100                     100             100       100           100


@naugtur

naugtur commented Oct 15, 2025

output from the can-i-ignore-scripts tool for this repo:


█▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀█
  ▄▄·  ▄▄▄·  ▐ ▄    ▄     ▪    ▄▄     ▐ ▄       ▄▄▄   ▄▄▄      ▄▄▄▄·
 ▐█ ▌ ▐█ ▀█ ·█▌▐█   ██    ██  ▐█ ▀    █▌▐█      ▐▄ █· █  ▀·  .▀  .█▌
 ██ ▄▄▄█▀▀█ ▐█▐▐▌   ▐█·   ▐█· ▄█ ▀█▄ ▐█▐▐▌ ▄█▀▄ ▐▀▀▄ ▐█▀      ▄█▀▀▀·
 ▐███▌▐█ ▪▐▌██▐█▌   ▐█▌   ▐█▌ ▐█▄ ▐█ ██▐█▌▐█▌.▐▌▐▄ █▌▐█▄▄▄▌   ▀
 ·▀▀▀  ▀  ▀ ▀▀ █▪   ▀▀▀   ▀▀▀ ·▀▀▀▀  ▀▀ █▪ ▀█▄▀▪.▀  ▀ ▀▀▀     ▀

Looking in the following locations: 
  node_modules
  packages/poh-signer-api/node_modules
  packages/linea-state-verifier/node_modules
  packages/linea-ens-subgraph/node_modules
  packages/linea-ens-resolver/node_modules
  packages/linea-ens-app/node_modules
  packages/linea-ccip-gateway/node_modules

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Found following packages with scripts:
______________________________________________________________________ 
[ ignore ] '@lavamoat/preinstall-always-fail' has scripts but they can be ignored
           look it up: https://socket.dev/npm/package/@lavamoat/preinstall-always-fail/
           reason: exists to check if it's been ignored
______________________________________________________________________
[ check? ] 'napi-macros-example' needs reviewing (it seems to use gyp for building, so you might need it)
[
  {
    name: 'napi-macros-example',
    version: '0.0.0',
    scripts: { install: 'node-gyp-build' },
    path: 'packages/linea-ens-app/node_modules/ganache/node_modules/napi-macros/example/',
    info: 'https://socket.dev/npm/package/napi-macros-example/files/0.0.0/package.json'
  }
]
______________________________________________________________________
[ check? ] 'msw' needs reviewing 
[
  {
    name: 'msw',
    version: '1.3.3',
    scripts: {
      postinstall: `node -e "try{require('./config/scripts/postinstall')}catch(e){}"`
    },
    path: 'packages/linea-ens-app/node_modules/msw/',
    info: 'https://socket.dev/npm/package/msw/files/1.3.3/package.json'
  }
]
______________________________________________________________________
[ check? ] '@trufflesuite/bigint-buffer' needs reviewing (it seems to use gyp for building, so you might need it)
[
  {
    name: '@trufflesuite/bigint-buffer',
    version: '1.1.10',
    scripts: {
      install: `node-gyp-build || echo "Couldn't build bindings. Non-native version used."`
    },
    path: 'packages/linea-ens-app/node_modules/ganache/node_modules/@trufflesuite/bigint-buffer/',
    info: 'https://socket.dev/npm/package/@trufflesuite/bigint-buffer/files/1.1.10/package.json'
  }
]
______________________________________________________________________
[ check? ] '@nestjs/core' needs reviewing 
[
  {
    name: '@nestjs/core',
    version: '11.1.6',
    scripts: { postinstall: 'opencollective || exit 0' },
    path: 'packages/poh-signer-api/node_modules/@nestjs/core/',
    info: 'https://socket.dev/npm/package/@nestjs/core/files/11.1.6/package.json'
  }
]
______________________________________________________________________
[ check? ] '@ensdomains/ens-contracts' needs reviewing 
[
  {
    name: '@ensdomains/ens-contracts',
    version: '1.0.1',
    scripts: { postinstall: 'bunx patch-package' },
    path: 'packages/linea-ens-resolver/node_modules/@ensdomains/ens-contracts/',
    info: 'https://socket.dev/npm/package/@ensdomains/ens-contracts/files/1.0.1/package.json'
  }
]
______________________________________________________________________
[  keep  ] 'secp256k1' may need its scripts to run
           look it up: https://socket.dev/npm/package/secp256k1/
           reason: native addon built with gyp 
______________________________________________________________________
[  keep  ] 'leveldown' may need its scripts to run
           look it up: https://socket.dev/npm/package/leveldown/
           reason: native addon built with gyp 
______________________________________________________________________
[  keep  ] 'keccak' may need its scripts to run
           look it up: https://socket.dev/npm/package/keccak/
           reason: native addon built with gyp 
______________________________________________________________________
[  keep  ] 'canvas' may need its scripts to run
           look it up: https://socket.dev/npm/package/canvas/
           reason: native addon built with gyp 

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
What now?

Install @lavamoat/allow-scripts and use the info above to populate your allowlist.

______________________________________________________________________
npm i -g @lavamoat/allow-scripts
allow-scripts setup
allow-scripts auto
npm pkg set scripts.setup='npm ci && allow-scripts'
______________________________________________________________________

can-i-ignore-scripts will help populate the allow list if you run it again after that.


█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█

If you check some packages, contribute your findings on github.
  https://github.com/naugtur/can-i-ignore-scripts/blob/main/data.json

Co-authored-by: Zbyszek Tenerowicz <[email protected]>
@alainncls
Collaborator

Hey @witmicko
I see that the pipelines are failing, is it related to Lavamoat blocking some dependencies/scripts that are required?

"@ensdomains/dnsprovejs": "^0.3.7",
"@ensdomains/test-utils": "^1.3.0",
"@lavamoat/allow-scripts": "^3.4.0",
"@lavamoat/preinstall-always-fail": "^2.1.1",

Bug: Lavamoat Configuration Missing in Package

The linea-ens-contracts package adds Lavamoat dependencies but lacks the necessary lavamoat configuration in package.json. This omission means Lavamoat defaults to blocking all scripts, potentially causing build or installation failures if lifecycle scripts are required.

