Yarn Berry: Fixes subdependency security updates#5930
Merged
Conversation
pavera
force-pushed
the
pavera/yarn-berry-fix-subdeb-security
branch
from
4b898d9 to
d242422
Compare
1 task
pavera
force-pushed
the
pavera/yarn-berry-fix-subdeb-security
branch
from
d242422 to
96575ee
Compare
pavera
force-pushed
the
pavera/yarn-berry-fix-subdeb-security
branch
from
96575ee to
c4221a0
Compare
Closed
1 task
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Version resolution for security updates was broken for yarn berry if there were any packages sourced from private registries, even if the private registry was correctly configured. Previously we were not performing version resolution with yarn berry for security updates, this still worked as long as yarn 1 could talk to all of the necessary registries.
Approach
This PR adds specific version resolution calls for yarn berry to the subdependency version resolver so that it doesn't attempt to use yarn 1 when performing this resolution.
Ongoing
This still requires that any package mentioned in yarn.lock or package.json is reachable by Dependabot. This means if there are packages sourced from private registries and Dependabot does not have access to those registries due to lack of configuration or incorrect configuration, a subdependency security update will still fail.