Add @lavamoat/allow-scripts

We now have an allowlist for all post-install scripts. The standard `setup` script has been added, along with new contributor documentation in the README to explain this script.
MetaMask · Sep 16, 2021 · 28d5c8b · 28d5c8b
1 parent a7469ec
commit 28d5c8b
Show file tree

Hide file tree

Showing 5 changed files with 721 additions and 9 deletions.
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -30,6 +30,7 @@ jobs:
           path: ${{ steps.yarn-cache-dir.outputs.YARN_CACHE_DIR }}
           key: yarn-cache-${{ runner.os }}-${{ steps.yarn-version.outputs.YARN_VERSION }}-${{ hashFiles('yarn.lock') }}
       - run: yarn --frozen-lockfile
+      - run: yarn allow-scripts
       - run: yarn lint
       - run: yarn test
   all-jobs-pass:

diff --git a/.yarnrc b/.yarnrc
@@ -0,0 +1 @@
+ignore-scripts true
diff --git a/README.md b/README.md
@@ -65,3 +65,18 @@ The `eth_sign` method will receive the incoming data, alread hashed, and must si
 
 Exports the specified account as a private key hex string.
 
+## Contributing
+
+### Setup
+
+- Install [Node.js](https://nodejs.org) version 12
+  - If you are using [nvm](https://github.com/creationix/nvm#installation) (recommended) running `nvm use` will automatically choose the right node version for you.
+- Install [Yarn v1](https://yarnpkg.com/en/docs/install)
+- Run `yarn setup` to install dependencies and run any requried post-install scripts
+  - **Warning:** Do not use the `yarn` / `yarn install` command directly. Use `yarn setup` instead. The normal install command will skip required post-install scripts, leaving your development environment in an invalid state.
+
+### Testing and Linting
+
+Run `yarn test` to run the tests once. To run tests on file changes, run `yarn test:watch`.
+
+Run `yarn lint` to run the linter, or run `yarn lint:fix` to run the linter and fix any automatically fixable issues.
diff --git a/package.json b/package.json
@@ -7,6 +7,7 @@
   },
   "main": "index.js",
   "scripts": {
+    "setup": "yarn install && yarn allow-scripts",
     "lint": "eslint . --ext .js",
     "lint:fix": "eslint --fix . --ext .js",
     "test": "mocha"
@@ -33,11 +34,19 @@
     "ethereumjs-wallet": "^1.0.1"
   },
   "devDependencies": {
+    "@lavamoat/allow-scripts": "^1.0.6",
     "@metamask/eslint-config": "^4.0.0",
     "eslint": "^7.7.0",
     "eslint-plugin-import": "^2.22.0",
     "eslint-plugin-mocha": "^8.0.0",
     "eslint-plugin-node": "^11.1.0",
     "mocha": "^8.1.3"
+  },
+  "lavamoat": {
+    "allowScripts": {
+      "@lavamoat/preinstall-always-fail": false,
+      "keccak": false,
+      "secp256k1": false
+    }
   }
 }