
chuckadams, last Sunday at 4:22 PM

Got any pointers on how to configure this for yarn? I'm not turning anything up in the yarn documentation or in my random google searches.

npm still seems to be debating whether they even want to do it. One of many reasons I ditched npm for yarn years ago (though the initial impetus was npm's confused and constantly changing behaviors around peer dependencies).


Replies

baobun, last Sunday at 7:21 PM

Yarn is unfortunately a dead-end security-wise under current maintainership.

If you are still on yarn v1 I suggest being consistent with '--ignore-scripts --frozen-lockfile' and run any necessary lifecycle scripts for dependencies yourself. There is @lavamoat/allow-scripts to manage this if your project warrants it.

If you are on newer yarn versions I strongly encourage migrating off to either pnpm or npm.

madeofpalk, last Sunday at 7:27 PM

enableScripts: false in .yarnrc.yml https://yarnpkg.com/configuration/yarnrc#enableScripts

And then opt certain packages back in with dependenciesMeta in package.json https://yarnpkg.com/configuration/manifest#dependenciesMeta....