
chore: bump Yarn to 4.15.0 and harden install config#965

Merged
layershifter merged 3 commits into microsoft:main from layershifter:chore/bump-yarn-and-supply-chain-hardening on May 22, 2026

Conversation

@layershifter
Member

Summary

  • Bumps Yarn from 4.3.1 → 4.15.0 (latest v4 stable).
  • Adds enableScripts: false so dependency lifecycle scripts (preinstall / install / postinstall) don't run during installs, reducing supply-chain attack surface from compromised packages.
  • Adds npmMinimalAgeGate: "1d" so packages must be at least 1 day old before they can be installed, providing a short cooldown against typosquatting and hijacked-release attacks.

Test plan

  • CI passes (yarn install, build, tests)

🤖 Generated with Claude Code

- Bump Yarn from 4.3.1 to 4.15.0 (latest v4 stable)
- Add enableScripts: false to skip dependency lifecycle scripts
- Add npmMinimalAgeGate: "1d" to require packages be at least 1 day old

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
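As an added example, not code from this PR or from Yarn itself: a small Python audit that reads the top-level keys of a `.yarnrc.yml` and flags the three settings discussed in this PR (lifecycle scripts still enabled, no minimum package age, and a wildcard `approvedGitRepositories` allowlist). The `parse_top_level` helper is a deliberate subset parser (top-level scalars, booleans and flow lists only), and both sample files are constructed for the example.

```python
import re

# Constructed sample: a .yarnrc.yml as it might look before this kind of hardening.
BEFORE = """\
yarnPath: .yarn/releases/yarn-4.3.1.cjs
nodeLinker: node-modules
approvedGitRepositories: ["**"]
"""

# Constructed sample: the same file after applying the settings the PR describes.
AFTER = """\
yarnPath: .yarn/releases/yarn-4.15.0.cjs
nodeLinker: node-modules
enableScripts: false
npmMinimalAgeGate: "1d"
"""

# Matches only un-indented `key: value` lines; nested keys and comments are skipped.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*?)\s*$")


def parse_top_level(text):
    """Subset .yarnrc.yml reader: top-level booleans, scalars and flow lists like ["**"]."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith("[") and raw.endswith("]"):
            items = [i.strip().strip("\"'") for i in raw[1:-1].split(",")]
            settings[key] = [i for i in items if i]
        elif raw.lower() in ("true", "false"):
            settings[key] = raw.lower() == "true"
        else:
            settings[key] = raw.strip("\"'")
    return settings


def audit_yarnrc(text):
    """Return one finding per hardening setting that is missing or weakened."""
    s = parse_top_level(text)
    findings = []
    # Yarn runs dependency lifecycle scripts unless enableScripts is explicitly false.
    if s.get("enableScripts", True) is not False:
        findings.append("enableScripts is not false: dependency lifecycle scripts will run")
    if not s.get("npmMinimalAgeGate"):
        findings.append("npmMinimalAgeGate is unset: freshly published versions install immediately")
    if "**" in s.get("approvedGitRepositories", []):
        findings.append('approvedGitRepositories allows "**": any git URL dependency is accepted')
    return findings
```

Running `audit_yarnrc` over a repository's `.yarnrc.yml` in CI turns these settings into a checked invariant rather than a one-time change.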
@layershifter layershifter requested a review from a team as a code owner May 22, 2026 11:41
layershifter and others added 2 commits May 22, 2026 14:01
- Bumps lockfile cacheKey 8 -> 10 (required because `yarn install
  --immutable` in CI refuses to migrate the lockfile on its own).
- Yarn 4.15 also auto-added `approvedGitRepositories: ["**"]` to
  .yarnrc.yml as part of its hardened-mode safelist for git deps;
  `["**"]` preserves existing behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Yarn 4.15 auto-injected approvedGitRepositories: ["**"] during install,
but the repo has no git: protocol deps. Removing keeps the hardened
default (no arbitrary git URL installs allowed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@layershifter layershifter enabled auto-merge (squash) May 22, 2026 12:10
@github-actions
Contributor

github-actions Bot commented May 22, 2026

📊 Bundle size report

✅ No changes found

@layershifter layershifter merged commit daadc68 into microsoft:main May 22, 2026
4 checks passed