Adds approvedGitRepositories #7091
Merged

Conversation
@arcanis Is this not a breaking change?

Author (Member):

No, since existing projects will be automatically migrated in their yarnrc to explicitly allow all repositories. They can then remove that setting at their own pace.
nwalters512 added a commit to PrairieLearn/PrairieLearn that referenced this pull request on May 11, 2026:

Upgrades Yarn 4.12.0 → 4.14.1 and adds two additional supply-chain defenses to .yarnrc.yml:

- `approvedGitRepositories: []` blocks any transitive (or direct) `git:`/`github:` dependency unless its repository URL matches a glob in the allowlist. Closes the gap noted in yarnpkg/berry#7091 where `enableScripts: false` is bypassed by `git:` deps (they always run pack/prepare scripts during fetch). This is the exact attack vector used in the @tanstack/router npm compromise.
- `npmMinimalAgeGate: 3d` refuses to install npm versions younger than three days. Reduces exposure during fast-moving supply-chain incidents where bad releases are published and unpublished within hours. Available since Yarn 4.10.0.

Verified with a clean install (`yarn install --immutable` succeeds) and end-to-end smoke checks for sharp, esbuild, @parcel/watcher, and the htmlmustache CLI.

Confirmed via a sandboxed `yarn add` that the new settings actually fire:

- `yarn add foo@github:...` → blocked with "doesn't match any of the patterns in 'approvedGitRepositories'"
- With age gate set high, a published version is rejected as "quarantined, and no lower version is available"

The lockfile metadata version bumps from 8 to 9 as part of the Yarn upgrade.
reteps pushed a commit to grrhendra/PrairieLearn that referenced this pull request on May 13, 2026:

* Disable lifecycle scripts for third-party dependencies

Adds `enableScripts: false` to .yarnrc.yml so that preinstall/install/postinstall scripts from third-party dependencies no longer run during `yarn install`. This blocks the supply-chain attack vector recently exploited against several npm packages (see TanStack/router#7383), where a compromised package executes arbitrary code via a lifecycle script. Workspace scripts still run normally.

None of our current dependencies need their install scripts on supported platforms: native modules (sharp, esbuild, @parcel/watcher, unrs-resolver, etc.) ship platform-specific prebuilt binaries via optionalDependencies and resolve them at runtime, so no allowlist entries are required. If a future dep does need scripts, opt it in via `dependenciesMeta.<pkg>.built: true` in package.json.

* Add approvedGitRepositories and npmMinimalAgeGate

Upgrades Yarn 4.12.0 → 4.14.1 and adds two additional supply-chain defenses to .yarnrc.yml:

- `approvedGitRepositories: []` blocks any transitive (or direct) `git:`/`github:` dependency unless its repository URL matches a glob in the allowlist. Closes the gap noted in yarnpkg/berry#7091 where `enableScripts: false` is bypassed by `git:` deps (they always run pack/prepare scripts during fetch). This is the exact attack vector used in the @tanstack/router npm compromise.
- `npmMinimalAgeGate: 3d` refuses to install npm versions younger than three days. Reduces exposure during fast-moving supply-chain incidents where bad releases are published and unpublished within hours. Available since Yarn 4.10.0.

Verified with a clean install (`yarn install --immutable` succeeds) and end-to-end smoke checks for sharp, esbuild, @parcel/watcher, and the htmlmustache CLI.

Confirmed via a sandboxed `yarn add` that the new settings actually fire:

- `yarn add foo@github:...` → blocked with "doesn't match any of the patterns in 'approvedGitRepositories'"
- With age gate set high, a published version is rejected as "quarantined, and no lower version is available"

The lockfile metadata version bumps from 8 to 9 as part of the Yarn upgrade.

* Generalize comments in .yarnrc.yml

Drops the @tanstack/router-specific incident reference in favor of a generic description of what each setting blocks. The settings stand on their own without needing to cite a particular CVE.
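The age gate described in the commit above, modelled as an added JavaScript example written for this page (it is not Yarn's code; how Yarn reads publication times, which duration units it accepts, and the exact wording it prints are assumptions here): versions whose registry publish time is younger than the gate are quarantined, the newest remaining version is selected, and the case where nothing older exists, which the commit reports as "quarantined, and no lower version is available", is returned explicitly rather than silently falling through to a fresh release. The packument and the clock value are constructed sample data.

```javascript
// Added example modelling an npmMinimalAgeGate-style check; not Yarn's own code.
// The .yarnrc.yml setting it models (from the commit above):
//   npmMinimalAgeGate: 3d

// Parse a gate such as "3d", "12h" or "30m" into milliseconds (units assumed here).
function parseAgeGate(spec) {
  const m = /^(\d+)([dhm])$/.exec(spec);
  if (!m) throw new Error(`unsupported age gate: ${spec}`);
  const unitMs = { d: 86400000, h: 3600000, m: 60000 }[m[2]];
  return Number(m[1]) * unitMs;
}

// Numeric x.y.z comparison (no prerelease handling; enough for the sample data).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Given candidate versions already known to satisfy the requested range and the
// registry's per-version publish timestamps, quarantine anything younger than the
// gate and pick the highest remaining version. `version` is null when every
// candidate is quarantined, i.e. "no lower version is available".
function selectVersion(packument, ageGateSpec, nowMs) {
  const minAgeMs = parseAgeGate(ageGateSpec);
  const quarantined = [];
  const eligible = [];
  for (const version of packument.versions) {
    const publishedMs = Date.parse(packument.time[version]);
    if (nowMs - publishedMs < minAgeMs) {
      quarantined.push(version);
    } else {
      eligible.push(version);
    }
  }
  eligible.sort(compareVersions);
  quarantined.sort(compareVersions);
  return {
    version: eligible.length > 0 ? eligible[eligible.length - 1] : null,
    quarantined,
  };
}

// Constructed sample packument: one mature release and two very recent ones.
const samplePackument = {
  name: 'example-lib',
  versions: ['1.4.0', '1.5.0', '1.4.1'],
  time: {
    '1.4.0': '2026-05-01T10:00:00Z',
    '1.4.1': '2026-05-09T10:00:00Z',
    '1.5.0': '2026-05-10T22:00:00Z',
  },
};
// Constructed "current time" so the run is reproducible offline.
const sampleNowMs = Date.parse('2026-05-11T12:00:00Z');

function describe(spec) {
  const r = selectVersion(samplePackument, spec, sampleNowMs);
  return r.version === null
    ? `${spec}: all of [${r.quarantined}] quarantined, and no lower version is available`
    : `${spec}: selected ${r.version}, quarantined [${r.quarantined}]`;
}

console.log(describe('3d'));   // 3d: selected 1.4.0, quarantined [1.4.1,1.5.0]
console.log(describe('1d'));
console.log(describe('30d'));
```

Note that the gate trades freshness for exposure: with `3d` the two newest releases are skipped even though they may be perfectly good, which is why the commit reports a clean `yarn install --immutable` before and after rather than assuming the setting is free.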
arcanis added a commit that referenced this pull request on May 18, 2026:

## What's the problem this PR addresses?

The rate at which supply chain attacks occur is growing, and given that we can't rely on the npm registry for good practices it means we need to become stricter to protect our users.

## How did you fix it?

The `npmMinimalAgeGate` setting will now default to `1d`. Following the same pattern as in previous PRs (#7089, #7091) it will apply to all new projects, and the configuration of existing projects will be patched when upgrading their Yarn version to hardcode the previous defaults until users can ensure their projects are compatible with the new ones.

## Checklist

- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.
## What's the problem this PR addresses?

The `enableScripts` flag doesn't affect `git:` dependencies, which always run the `pack` script for whatever package manager the project is using.

## How did you fix it?

To avoid running arbitrary code through the `git:` protocol we're introducing a new setting called `approvedGitRepositories`. This list of globs will validate the repository URLs we clone.

## Checklist
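As an added illustration of the allowlist semantics described above (example code written for this page, not Yarn's implementation; Yarn's actual glob library, URL normalization and error text may differ), the following JavaScript reduces the git-style dependency ranges it understands to a canonical repository URL and refuses any whose URL matches no pattern in `approvedGitRepositories`. Ordinary registry ranges are left alone, since they are governed by `enableScripts` rather than this setting. The dependency map, the `myorg` patterns and the `.yarnrc.yml` fragment in the comments are constructed sample data.

```javascript
// Added example of approvedGitRepositories-style gating; not Yarn's own code.
// The .yarnrc.yml settings it models (from this PR and the commits above):
//   enableScripts: false          # lifecycle scripts of third-party deps
//   approvedGitRepositories: []   # empty list = every git dependency is refused
//   # or, to allow one organisation's repositories:
//   approvedGitRepositories:
//     - "https://github.com/myorg/*"

// Convert a glob into a RegExp: `*` matches within one path segment, `**` any depth.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      if (glob[i + 1] === '*') { re += '.*'; i++; } else { re += '[^/]*'; }
    } else if ('.+?^${}()|[]\\'.includes(c)) {
      re += '\\' + c;
    } else {
      re += c;
    }
  }
  return new RegExp('^' + re + '$');
}

// Reduce the git-style ranges this example understands to one canonical
// https URL (no .git suffix, no #ref fragment). Returns null for ordinary
// registry ranges such as "^4.17.21", which the allowlist does not govern.
function normalizeGitRange(range) {
  const noRef = range.replace(/#.*$/, '');
  let m;
  if ((m = /^github:([\w.-]+\/[\w.-]+)$/.exec(noRef))) {
    return `https://github.com/${m[1].replace(/\.git$/, '')}`;
  }
  if ((m = /^git\+ssh:\/\/git@([^/]+)\/(.+)$/.exec(noRef))) {
    return `https://${m[1]}/${m[2].replace(/\.git$/, '')}`;
  }
  if ((m = /^git\+https:\/\/([^/]+)\/(.+)$/.exec(noRef)) ||
      (m = /^https:\/\/([^/]+)\/(.+\.git)$/.exec(noRef))) {
    return `https://${m[1]}/${m[2].replace(/\.git$/, '')}`;
  }
  return null;
}

// Return the git dependencies whose repository URL matches none of the approved globs.
function checkGitDependencies(dependencies, approvedGitRepositories) {
  const allow = approvedGitRepositories.map(globToRegExp);
  const blocked = [];
  for (const [name, range] of Object.entries(dependencies)) {
    const url = normalizeGitRange(range);
    if (url === null) continue;
    if (!allow.some((re) => re.test(url))) {
      blocked.push({
        name,
        url,
        reason: `${url} doesn't match any of the patterns in 'approvedGitRepositories'`,
      });
    }
  }
  return blocked;
}

// Constructed sample dependency map: one registry dep and three git deps.
const sampleDependencies = {
  lodash: '^4.17.21',
  'internal-lib': 'git+https://github.com/myorg/internal-lib.git#v1.2.0',
  'ssh-lib': 'git+ssh://git@github.com/myorg/ssh-lib.git',
  'sketchy-tool': 'github:someone-else/sketchy-tool',
};

for (const allowlist of [[], ['https://github.com/myorg/*']]) {
  const blocked = checkGitDependencies(sampleDependencies, allowlist);
  console.log(`approvedGitRepositories: ${JSON.stringify(allowlist)}`);
  for (const b of blocked) console.log(`  refused ${b.name}: ${b.reason}`);
}
```

The point of normalizing before matching is that the same repository can be referenced as `github:`, `git+https://` or `git+ssh://`; an allowlist compared against the raw range string would have to enumerate every spelling, whereas comparing against the canonical URL lets a single `https://github.com/myorg/*` pattern cover them all.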