Question: Hold up--is that a security threat? Couldn't someone, say, inject some malicious code into one of your dependencies, take hold of your system, and steal all your users' data?
Traditional Web Developer: Well, I guess, but we're using really secure authentication systems. Besides, there's no real value held in our app itself. No one would go through the effort of orchestrating a supply chain attack into open source code just to get at our app.
Blockchain Developer: Oh... Oh no.
Supply chain security is a real concern in web3. We're building in the open, as so much of modern software development does. But with projects like MetaMask, we're building at scale, too; it's just not feasible to perform a manual dependency audit on every change (although the MetaMask team does perform regular manual audits).
Here's the LavaMoat launch blog post, which breaks it down a little more.
Watch how you handle those iframes
Not content with fixing this security problem, MetaMask's security researchers have moved on to another attack vector which has long haunted the Web: iframes. Check out the work they're doing with SNOW (Securing Nested Ownership of Windows):
While the project is still experimental, the instructions to install it are available here.