Upgrade Yarn to 4.10.0 and harden install-script / supply-chain config#457
Draft
Kabidoye-17 wants to merge 1 commit into
Draft
Upgrade Yarn to 4.10.0 and harden install-script / supply-chain config#457Kabidoye-17 wants to merge 1 commit into
Kabidoye-17 wants to merge 1 commit into
Conversation
Brings intercom-react-native in line with the intercom-js / marketing-site-static
Yarn 4 hardening profile (enableScripts: false, npmMinimalAgeGate,
npmPreapprovedPackages, Socket Firewall registry routing).
npmMinimalAgeGate and npmPreapprovedPackages require Yarn >= 4.10.0 - on the
prior 3.6.1 they would be silently ignored, so the version bump and hardening
config land together.
dependenciesMeta allowlists chromedriver/geckodriver/edgedriver/esbuild
(built: true) in examples/example, reconciled against Yarn's own
"must be built" warnings from a pre-hardening install - these packages
download native driver/platform binaries at install time and would silently
stop working under enableScripts: false otherwise.
Unlike the two prior hardened repos, the Socket Firewall auth token is
referenced via ${SOCKET_FIREWALL_NPM_TOKEN} env-var interpolation (matching
this repo's existing .npmrc pattern) rather than committed in plaintext.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why?
Propose bringing this repo's Yarn configuration up to a stronger supply-chain security baseline already adopted elsewhere in the org — disabling third-party install scripts by default, gating newly-published package versions behind a cooldown window, and restricting the auto-approved package scope. This is a proposal for the owning team to evaluate, not a decided path — the team may instead choose a different package manager entirely.
How?
Bump the vendored Yarn binary and
packageManagerfield from 3.6.1 to 4.10.0 — required because the minimum-package-age and preapproved-package gates are silently ignored on older Yarn versions, so hardening without the version bump would look like protection while doing nothing. AddenableScripts: false, a package age gate, a scoped preapproved-package allowlist, andsupportedArchitecturesto.yarnrc.yml. Add adependenciesMetaallowlist (built: true) for the handful of packages confirmed to need their install scripts — native driver/platform binaries for the example app's end-to-end test tooling — reconciled against Yarn's own "must be built" warnings from a pre-hardening install. The registry auth token is referenced via environment-variable interpolation, matching this repo's existing.npmrcpattern, rather than committed as plaintext.Known gap: CI does not appear to currently inject the registry auth token as an environment variable anywhere in this repo's workflows. This will likely need resolving — confirming an existing secret can be wired in, or otherwise — before merge; flagging it here rather than treating it as already solved.
Not yet verified: a full end-to-end install with real registry credentials (only config parsing and dependency resolution were checked locally), and native iOS/Android build behavior under
enableScripts: falsebeyond the example app's test-tooling dependencies.Generated with Claude Code