Skip to content

Upgrade Yarn to 4.10.0 and harden install-script / supply-chain config#457

Draft
Kabidoye-17 wants to merge 1 commit into
mainfrom
harden-yarn-fe-3497
Draft

Upgrade Yarn to 4.10.0 and harden install-script / supply-chain config#457
Kabidoye-17 wants to merge 1 commit into
mainfrom
harden-yarn-fe-3497

Conversation

@Kabidoye-17

Copy link
Copy Markdown

Why?

Propose bringing this repo's Yarn configuration up to a stronger supply-chain security baseline already adopted elsewhere in the org — disabling third-party install scripts by default, gating newly-published package versions behind a cooldown window, and restricting the auto-approved package scope. This is a proposal for the owning team to evaluate, not a decided path — the team may instead choose a different package manager entirely.

How?

Bump the vendored Yarn binary and packageManager field from 3.6.1 to 4.10.0 — required because the minimum-package-age and preapproved-package gates are silently ignored on older Yarn versions, so hardening without the version bump would look like protection while doing nothing. Add enableScripts: false, a package age gate, a scoped preapproved-package allowlist, and supportedArchitectures to .yarnrc.yml. Add a dependenciesMeta allowlist (built: true) for the handful of packages confirmed to need their install scripts — native driver/platform binaries for the example app's end-to-end test tooling — reconciled against Yarn's own "must be built" warnings from a pre-hardening install. The registry auth token is referenced via environment-variable interpolation, matching this repo's existing .npmrc pattern, rather than committed as plaintext.

Known gap: CI does not appear to currently inject the registry auth token as an environment variable anywhere in this repo's workflows. This will likely need resolving — confirming an existing secret can be wired in, or otherwise — before merge; flagging it here rather than treating it as already solved.

Not yet verified: a full end-to-end install with real registry credentials (only config parsing and dependency resolution were checked locally), and native iOS/Android build behavior under enableScripts: false beyond the example app's test-tooling dependencies.

Generated with Claude Code

Brings intercom-react-native in line with the intercom-js / marketing-site-static
Yarn 4 hardening profile (enableScripts: false, npmMinimalAgeGate,
npmPreapprovedPackages, Socket Firewall registry routing).

npmMinimalAgeGate and npmPreapprovedPackages require Yarn >= 4.10.0 - on the
prior 3.6.1 they would be silently ignored, so the version bump and hardening
config land together.

dependenciesMeta allowlists chromedriver/geckodriver/edgedriver/esbuild
(built: true) in examples/example, reconciled against Yarn's own
"must be built" warnings from a pre-hardening install - these packages
download native driver/platform binaries at install time and would silently
stop working under enableScripts: false otherwise.

Unlike the two prior hardened repos, the Socket Firewall auth token is
referenced via ${SOCKET_FIREWALL_NPM_TOKEN} env-var interpolation (matching
this repo's existing .npmrc pattern) rather than committed in plaintext.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant