feat: webpack lavamoat node

.github/workflows/update-lavamoat-policies.yml

@@ -236,6 +236,43 @@ jobs:
           path: lavamoat/webpack/mv3
           key: cache-webpack-${{ needs.prepare.outputs.COMMIT_SHA }}
 
+  update-lavamoat-webpack-policy-build:
+    name: Update LavaMoat webpack build policy
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs:
+      - prepare
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Checkout pull request
+        run: gh pr checkout "${PR_NUMBER}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          skip-allow-scripts: true
+          use-yarn-hydrate: true
+
+      - name: Update LavaMoat webpack build policy
+        run: yarn webpack:lavamoat --writeAutoPolicy
+        env:
+          INFURA_PROD_PROJECT_ID: 00000000000
+          SEGMENT_PROD_WRITE_KEY: 00000000000
+          GOOGLE_PROD_CLIENT_ID: 00000000000
+          APPLE_PROD_CLIENT_ID: 00000000000
+
+      - name: Cache webpack policy
+        uses: actions/cache/save@v4
+        with:
+          path: lavamoat/webpack/build
+          key: cache-webpack-build-${{ needs.prepare.outputs.COMMIT_SHA }}
+
   commit-updated-policies:
     name: Commit the updated LavaMoat policies
     runs-on: ubuntu-latest
@@ -247,6 +284,7 @@ jobs:
       - update-lavamoat-webapp-policy
       - update-lavamoat-webpack-policy-mv2
       - update-lavamoat-webpack-policy
+      - update-lavamoat-webpack-policy-build
     # Ensure forks don't get access to the LavaMoat update token
     if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
     steps:
@@ -318,6 +356,13 @@ jobs:
           key: cache-webpack-${{ needs.prepare.outputs.COMMIT_SHA }}
           fail-on-cache-miss: true
 
+      - name: Restore webpack build policy
+        uses: actions/cache/restore@v4
+        with:
+          path: lavamoat/webpack/build
+          key: cache-webpack-build-${{ needs.prepare.outputs.COMMIT_SHA }}
+          fail-on-cache-miss: true
+
       - name: Check whether there are policy changes
         id: policy-changes
         run: |

.github/workflows/validate-lavamoat-policies.yml

@@ -124,3 +124,30 @@ jobs:
               echo "::error::Working tree dirty."
               exit 1
           fi
+
+  validate-lavamoat-policy-webpack-build:
+    name: Validate LavaMoat webpack build policy
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          skip-allow-scripts: true
+          use-yarn-hydrate: true
+
+      - name: Validate LavaMoat webpack build policy
+        run: yarn webpack:lavamoat --writeAutoPolicy
+        env:
+          INFURA_PROD_PROJECT_ID: 00000000000
+          SEGMENT_PROD_WRITE_KEY: 00000000000
+          GOOGLE_PROD_CLIENT_ID: 00000000000
+          APPLE_PROD_CLIENT_ID: 00000000000
+
+      - name: Check working tree
+        run: |
+          if ! git diff --exit-code; then
+              echo "::error::Working tree dirty."
+              exit 1
+          fi

.gitignore

@@ -96,3 +96,6 @@ html-report-multichain/
 
 # UI Integration tests
 test/integration/config/assets
+
+# webpack
+.webpack

.yarn/patches/lavamoat-npm-10.0.0-9a132772a6.patch

@@ -0,0 +1,14 @@
+diff --git a/src/parseForPolicy.js b/src/parseForPolicy.js
+index 7323cfedd5876fef5428c50313880e0cc68ef31b..7d5007c9b07eb3cdae047d008eab22f0f7025cfe 100644
+--- a/src/parseForPolicy.js
++++ b/src/parseForPolicy.js
+@@ -21,7 +21,8 @@ const { checkForResolutionOverride } = require('./resolutions')
+
+ // file extension omitted can be omitted, eg https://npmfs.com/package/yargs/17.0.1/yargs
+ const commonjsExtensions = ['', '.js', '.cjs']
+-const resolutionOmittedExtensions = ['.js', '.json']
++// extensions we want to give to the resolver that it omits by default. .js is here duplicated for our own sanity mostly.
++const resolutionOmittedExtensions = ['.js', '.cjs', '.json']
+
+ /**
+  * Allow use of `node:` prefixed builtins.

development/webpack/launch.ts

@@ -27,7 +27,7 @@ const args = parser(rawArgv, { alias, boolean: Object.keys(alias) }) as Args;
 if (args.cache === false || args.help === true || args.watch === true) {
   // there are no time savings to running the build in a child process if: the
   // cache is disabled, we need to output "help", or we're in watch mode.
-  require('./build.ts').build();
+  require('./build').build();
 } else {
   fork(process, join(__dirname, 'fork.mts'), rawArgv);
 }