Skip to content

Fix viz#984

Merged
legobeat merged 8 commits intoLavaMoat:mainfrom
legobeat:fix-viz
Feb 28, 2024
Merged

Fix viz#984
legobeat merged 8 commits intoLavaMoat:mainfrom
legobeat:fix-viz

Conversation

@legobeat
Copy link
Copy Markdown
Collaborator

@legobeat legobeat commented Jan 31, 2024
edited
Loading

The viz package seems to not have been working properly since 6.2.0/6.0.12 (2023-09). This addresses regressions and should make it run as expected.

  • Revert webpack 5 upgrade (viz/devDeps: webpack@4->5 #591) and associated plugins
    • Revert changes in packages/viz from the following commits:
    • Would be nice to actually do the webpack 5 upgrade but I got blocked on React not being resolved properly inside react-force-graph-3d>react-kapsule.
  • Force UMD resolution for force-graph packages
    • This has become necessary after recent upgrades to these dependencies. A more correct/proper solution to reconfiguration likely exists.
  • Import policies directly through <script> tag in html by templating index.html at runtime
    • Fixes compatibility with modern Firefox when run from local filesystem. Previous implementation didn't load due to CORS.
    • Rename index.html to index.html.template for clarity
    • This replaces generated injectConfigDebugData.js
  • Stop distributing example policies and associated files from distributed
    • These make up ~100MB and I found their apparently mixed purpose confusing. If an example on npm registry is desired it can be distributed as a separate package like @lavamoat/viz-examples
  • Remove package script start and devDependency webpack-dev-server
    • The script does not work OotB for some time now any way: it doesn't detect the hoisted webpack-cli

This will be followed up with a PR for the usage of viz in metamask-extension (which from what I can tell has been broken independently since 2021)

@github-actions github-actions Bot added dependencies Pull requests that update a dependency file pkg:lavamoat-viz Changes in package lavamoat-viz pkg:lavamoat-browserify Changes in package lavamoat-browserify labels Jan 31, 2024
@legobeat legobeat requested review from boneskull and kumavis January 31, 2024 18:46
@legobeat legobeat marked this pull request as ready for review January 31, 2024 18:52
@legobeat legobeat requested a review from a team as a code owner January 31, 2024 18:52
@legobeat legobeat added the bug Something isn't working label Jan 31, 2024
@boneskull
Copy link
Copy Markdown
Member

boneskull commented Jan 31, 2024

I'm sure you know this, but the downgrade introduces vulnerable deps. Mitigating these was the goal of upgrading in the first place

boneskull
boneskull reviewed Jan 31, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@boneskull boneskull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • I can confirm npm run build works (with warnings), and the generated dist/index.html runs successfully in a browser.
  • npm start is broken due to an invalid configuration option, seemingly.

What is our plan to mitigate the re-introduced vulnerable dependencies?

If we cannot get Webpack v5 working--which would mitigate the dependency issues--we should archive this project.

cc @naugtur @kumavis

Comment thread packages/viz/package.json Outdated
Comment thread packages/viz/src/webpack.config.js Outdated
@legobeat legobeat mentioned this pull request Jan 31, 2024
Merged
13 tasks
@legobeat
Copy link
Copy Markdown
Collaborator Author

legobeat commented Jan 31, 2024

@legobeat legobeat force-pushed the fix-viz branch 2 times, most recently from 7ae3a4c to 575ee51 Compare January 31, 2024 22:13
@legobeat legobeat requested a review from boneskull January 31, 2024 22:40
@legobeat legobeat mentioned this pull request Jan 31, 2024
Merged
1 task
@legobeat legobeat requested a review from a team February 1, 2024 10:26
@legobeat legobeat force-pushed the fix-viz branch 4 times, most recently from e32aac7 to 72e011c Compare February 6, 2024 13:03
@boneskull boneskull mentioned this pull request Feb 6, 2024
Merged
@legobeat legobeat force-pushed the fix-viz branch 2 times, most recently from f2e768c to 0dc3fdf Compare February 7, 2024 12:37
@legobeat legobeat removed the pkg:lavamoat-browserify Changes in package lavamoat-browserify label Feb 7, 2024
@naugtur
Copy link
Copy Markdown
Member

naugtur commented Feb 15, 2024

(nitpick) this being in a fork is getting in the way

@legobeat legobeat force-pushed the fix-viz branch 2 times, most recently from 8fd05ba to 51a3eca Compare February 20, 2024 04:28
@legobeat legobeat mentioned this pull request Feb 23, 2024
Merged
1 task
@legobeat legobeat force-pushed the fix-viz branch 5 times, most recently from a72fdbc to 2617c52 Compare February 28, 2024 06:10
@naugtur
Copy link
Copy Markdown
Member

naugtur commented Feb 28, 2024

Could retarget to https://github.com/boneskull/LavaMoat/tree/viz-only

@legobeat legobeat merged commit 7ea6ede into LavaMoat:main Feb 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@naugtur naugtur naugtur approved these changes

@kumavis kumavis Awaiting requested review from kumavis

@boneskull boneskull Awaiting requested review from boneskull boneskull is a code owner

Assignees

@legobeat legobeat

Labels

bug Something isn't working dependencies Pull requests that update a dependency file pkg:lavamoat-viz Changes in package lavamoat-viz

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@legobeat @boneskull @naugtur