naugtur 3 days ago

If you mean during development - you can opt out of using lavamoat in development for your webpack bundle (I'm assuming you're not running your untested code on valuable data)

cluckindan 3 days ago | parent [-]

Well, that’s not exactly reassuring. Having a very different runtime environment in production is grounds for hard-to-debug issues.

Is it possible to generate the allowlist at development time without having the webpack plugin loaded? If it’s only generated at build time, it won’t protect against malicious packages getting installed in CI just before the build happens.

naugtur 3 days ago | parent [-]

You need to juggle two builds - one while you're iterating rapidly and another when you're near the start and finish of the increment. Not a lot of work compared to auditing a thousand packages.

Try it and see. There are tradeoffs, but if you roll it out, it is very powerful.
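One way to make the "two builds" workflow catch the CI-install problem raised above: commit the policy you generated in development, regenerate it in the CI build, and fail the pipeline if the regenerated policy grants anything the committed one did not. The script below is an added example, not code from the thread or from the LavaMoat project; it assumes the policy.json shape LavaMoat uses (`resources` keyed by package name, each with `globals`, `builtin` and `packages` maps), and the two sample policies are constructed for illustration.

```javascript
// Added example: detect allowlist drift between a policy committed during
// development and one regenerated in CI. Any package, global, builtin or
// package-to-package edge that exists only in the CI-generated policy is
// reported, so a dependency that slipped into the install right before the
// build cannot silently widen the allowlist.
//
// Assumption: the policy shape is { resources: { <pkg>: { globals, builtin, packages } } }.

function keysOf(obj) {
  return Object.keys(obj || {});
}

// Returns a list of findings describing what `generated` grants beyond `committed`.
// Permissions that were removed are not reported: shrinking the allowlist is fine.
function diffPolicy(committed, generated) {
  const findings = [];
  const before = committed.resources || {};
  const after = generated.resources || {};

  for (const pkg of keysOf(after)) {
    if (!(pkg in before)) {
      // A package that the development policy never saw at all.
      findings.push({ kind: 'new-package', pkg });
      continue;
    }
    for (const section of ['globals', 'builtin', 'packages']) {
      const oldKeys = new Set(keysOf(before[pkg][section]));
      for (const key of keysOf(after[pkg][section])) {
        if (!oldKeys.has(key)) {
          // A known package asking for a global, builtin or dependency it did not need before.
          findings.push({ kind: `new-${section}`, pkg, key });
        }
      }
    }
  }
  return findings;
}

// CI gate: ok only when the regenerated policy grants nothing new.
function checkPolicyDrift(committed, generated) {
  const findings = diffPolicy(committed, generated);
  return { ok: findings.length === 0, findings };
}

// Constructed sample policies (not real LavaMoat output).
const committedPolicy = {
  resources: {
    'left-pad': { globals: { 'console.log': true } },
  },
};

const ciPolicy = {
  resources: {
    // same package, but now also reading the environment
    'left-pad': { globals: { 'console.log': true, 'process.env': true } },
    // a package that was not in the dependency graph at development time
    'evil-pkg': { builtin: { 'child_process.exec': true } },
  },
};

const result = checkPolicyDrift(committedPolicy, ciPolicy);
console.log(result.ok ? 'policy unchanged' : 'policy drift detected:');
for (const f of result.findings) {
  console.log(`  ${f.kind} ${f.pkg}${f.key ? ' -> ' + f.key : ''}`);
}

module.exports = { diffPolicy, checkPolicyDrift, committedPolicy, ciPolicy };
```

In a real pipeline the two inputs would be the checked-in policy file and the one the build just wrote; a non-empty findings list should fail the job and be reviewed the same way a lockfile change would be, since each finding is a new capability some package is asking for.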