Hacker News

baobun, last Sunday at 7:21 PM (1 reply)

Yarn is unfortunately a dead-end security-wise under current maintainership.

If you are still on yarn v1 I suggest being consistent with '--ignore-scripts --frozen-lockfile' and running any necessary lifecycle scripts for dependencies yourself. There is @lavamoat/allow-scripts to manage this if your project warrants it.

If you are on newer yarn versions I strongly encourage you to migrate to either pnpm or npm.


Replies

jrochkind1, last Sunday at 9:25 PM

newer yarn versions are _less_ secure than the ancient/abandoned yarn 1? :(

Any links for further reading on security problems "under current maintainership"?