
[Chore] Harden .yarnrc.yml: scope install scripts to an explicit allowlist#1322

Merged: marshacb merged 1 commit into mainnet from chore/harden-yarnrc-install-scripts on May 21, 2026

Conversation

@marshacb (marshacb) commented May 20, 2026

Contributor

Motivation

Hardens the repo's Yarn supply chain config so dependency install scripts no
longer run by default:

  • .yarnrc.yml: sets enableScripts: false, so Yarn no longer runs
    postinstall/build scripts from arbitrary dependencies.
  • package.json: adds a dependenciesMeta allowlist (built: true) for
    the packages that genuinely need install/build scripts: @swc/core,
    esbuild, sharp, wasm-pack.
  • .yarnrc.yml: removes approvedGitRepositories: ["**"], which
    auto-approves any git hosted dependency. The tree has no git hosted
    dependencies, so this is dead permissive config.
  • yarn.lock: records the allowlist in the workspace entry (a consequence
    of dependenciesMeta, required for --immutable installs).

Why

By default Yarn executes arbitrary postinstall scripts from every package in
the dependency tree. A single compromised dependency can run code on dev
machines and CI at install time. enableScripts: false makes that opt-in:
only allowlisted packages can run scripts.

Verified under Berry

Rebased onto mainnet after the Yarn Berry migration (#1323). On a clean
install (all node_modules removed) with enableScripts: false:

  • Only the 4 allowlisted packages run build scripts; everything else is
    skipped (e.g. core-js's funding banner postinstall no longer runs).
  • yarn install --immutable passes.
  • yarn build:all is green, confirming the allowlist is complete.
  • yarn test:sdk: 976 passing. The 17 failures are preexisting local env
    issues (missing CI secrets / no network), identical to before this change,
    so no regressions.

Note

Medium Risk
Moderate risk because it changes Yarn install-time behavior: dependencies’ build/postinstall scripts will no longer run unless allowlisted, which can break installs/builds in dev/CI if the allowlist is incomplete.

Overview
Hardens Yarn supply chain settings by setting .yarnrc.yml to enableScripts: false (and removing the permissive approvedGitRepositories setting), so dependency install/build scripts no longer run by default.

Adds a dependenciesMeta allowlist in package.json (and corresponding yarn.lock metadata) marking @swc/core, esbuild, sharp, and wasm-pack as built: true so only these packages can run required build steps under Yarn Berry.

Reviewed by Cursor Bugbot for commit 240e705.
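As an added illustration (not code from this PR or the repository), the following script audits a .yarnrc.yml / package.json pair for the two settings the PR changes: it flags a missing enableScripts: false and a wildcard approvedGitRepositories, and lists which packages the dependenciesMeta allowlist actually permits to run build scripts. The sample file contents are constructed; the YAML lookup is a minimal line-based parse of top-level keys, not a full YAML parser.

```javascript
// Added audit helper (not from this PR or the repository): flags the two
// install-script settings discussed above and lists the dependenciesMeta
// allowlist. Minimal line-based YAML key lookup; a real script would use a
// YAML parser. Sample inputs are constructed, not the repo's actual files.
const YARNRC_BEFORE = [
  "nodeLinker: node-modules",
  'approvedGitRepositories: ["**"]',
].join("\n");

const YARNRC_AFTER = [
  "nodeLinker: node-modules",
  "enableScripts: false",
].join("\n");

const PACKAGE_JSON = JSON.stringify({
  name: "example-workspace",
  dependenciesMeta: {
    "@swc/core": { built: true },
    esbuild: { built: true },
    sharp: { built: true },
    "wasm-pack": { built: true },
    "left-pad": { built: false }, // explicitly denied entry, must not be listed
  },
});

// Returns the scalar value of a top-level key, or undefined if absent.
// Keys passed here are plain identifiers, so no regex escaping is needed.
function readYarnrcKey(yarnrcText, key) {
  const m = yarnrcText.match(new RegExp("^" + key + ":\\s*(.*)$", "m"));
  return m ? m[1].trim() : undefined;
}

// Returns { ok, findings, allowlisted } for the given config pair.
function auditInstallScripts(yarnrcText, packageJsonText) {
  const findings = [];
  if (readYarnrcKey(yarnrcText, "enableScripts") !== "false") {
    findings.push("enableScripts is not false: every dependency's install scripts run");
  }
  const approved = readYarnrcKey(yarnrcText, "approvedGitRepositories");
  if (approved !== undefined && approved.includes("**")) {
    findings.push('approvedGitRepositories: ["**"] auto-approves any git-hosted dependency');
  }
  const meta = JSON.parse(packageJsonText).dependenciesMeta || {};
  const allowlisted = Object.keys(meta).filter((n) => meta[n] && meta[n].built === true).sort();
  return { ok: findings.length === 0, findings, allowlisted };
}

console.log(auditInstallScripts(YARNRC_BEFORE, PACKAGE_JSON));
console.log(auditInstallScripts(YARNRC_AFTER, PACKAGE_JSON));
```

Run against the pre-change config the audit reports two findings; against the hardened config it reports none and lists the four allowlisted packages.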

@marshacb marshacb marked this pull request as draft May 20, 2026 17:42
@marshacb marshacb marked this pull request as ready for review May 20, 2026 20:41
@marshacb marshacb force-pushed the chore/harden-yarnrc-install-scripts branch from 18e3944 to 240e705 May 21, 2026 20:57
@marshacb marshacb merged commit 8edb132 into mainnet May 21, 2026
29 checks passed
@marshacb marshacb deleted the chore/harden-yarnrc-install-scripts branch May 21, 2026 21:19