chore(yarn): disable install scripts and allowlist required builds

oliverlaz · oliverlaz · commit b374931d8060 · 2026-05-13T12:01:05.000+02:00
Set `enableScripts: false` so dependency build scripts no longer run
implicitly during `yarn install`. This closes the largest
supply-chain hole: a compromised transitive dependency can no longer
execute code on every developer / CI install.

Add a `dependenciesMeta` allowlist in root package.json that
re-enables build scripts for the four packages this monorepo
actually needs to compile:

- @swc/core         -- native binary, used by i18next-cli (yarn build)
- better-sqlite3    -- native binding, used by the SDK's tests
- react-native-nitro-modules -- RN native module used by SampleApp
- unrs-resolver     -- native resolver binary, used by jest-resolve

Four other packages still print "lists build scripts, but all build
scripts have been disabled" warnings on install. They are
intentionally not allowlisted:

- @firebase/util    -- internal type-generation script, ship-time
- es5-ext           -- author advertisement postinstall
- hyochan-welcome   -- "welcome" advertisement postinstall
- protobufjs        -- proto compilation, not needed for pre-built
                       package on npm

The core SDK workspace's own `postinstall` (husky install +
shared-native sync) continues to fire -- `enableScripts: false`
gates dependency install scripts, not workspace lifecycle scripts.

Verified `yarn install --immutable`, `yarn lint`, and `yarn build`
all pass with the allowlist in place.
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -5,7 +5,7 @@ enableGlobalCache: true
 
 enableHardenedMode: true
 
-enableScripts: true
+enableScripts: false
 
 enableTelemetry: false
 
diff --git a/package.json b/package.json
@@ -14,6 +14,20 @@
     "prettier": "3.5.3",
     "react-native-keyboard-controller": "1.20.2"
   },
+  "dependenciesMeta": {
+    "@swc/core": {
+      "built": true
+    },
+    "better-sqlite3": {
+      "built": true
+    },
+    "react-native-nitro-modules": {
+      "built": true
+    },
+    "unrs-resolver": {
+      "built": true
+    }
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/GetStream/stream-chat-react-native.git"
diff --git a/yarn.lock b/yarn.lock
@@ -21925,6 +21925,15 @@ __metadata:
     prettier: "npm:^3.5.1"
     semantic-release: "npm:^25.0.2"
     uglify-js: "npm:^3.19.2"
+  dependenciesMeta:
+    "@swc/core":
+      built: true
+    better-sqlite3:
+      built: true
+    react-native-nitro-modules:
+      built: true
+    unrs-resolver:
+      built: true
   languageName: unknown
   linkType: soft
 
