Replies: 2 comments
I just opened a PR #1184
Thanks for this @Ariiellus. Just letting you know that we are taking a look at #1184 internally. Will share our findings there. Thanks, friend!
Motivation
In September alone, there have been multiple supply chain attacks targeting NPM packages.
To mitigate these risks, Yarn recently introduced in its [release 4.10.0](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg%2Fcli%2F4.10.0) a time-based safeguard (`npmMinimalAgeGate`) to delay the installation of the latest published versions, giving security researchers time to detect and report malicious packages.
Proposal
Upgrade the project to Yarn v4.10.3 (latest stable version) and enable `npmMinimalAgeGate`. This adds a delay before installing freshly published packages, reducing the attack surface for developers.
Suggested configuration:
This ensures a safer default window for identifying malicious packages without disrupting normal development workflows.
Manual Testing
Steps to validate locally:
1. `yarn set version 4.10.3`. This updates package.json, .yarnrc.yml and the .yarn/releases/ files.
2. Manually update packages/nextsjs/package.json to reference the new Yarn version.
3. Add the following to .yarnrc.yml:
4. `yarn install`
This change should not impact the current SE2 devflow and provides an additional security layer for developers.
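To make concrete what a minimal-age gate changes during resolution, here is an added example that is not code from the scaffold-eth-2 project or from Yarn itself. It is a small stand-alone re-implementation of the idea: given a package's publish timestamps, pick the newest version that is at least the configured age old. The duration syntax (`"4d"`) and the packument-style `time` map are assumptions for the illustration; the real setting goes in `.yarnrc.yml`, and Yarn's documentation is the authority on the values it accepts.

```javascript
// Added example, not code from scaffold-eth-2 or from Yarn itself: a small
// re-implementation of a publish-age gate, to show what a setting like
// npmMinimalAgeGate changes during version resolution.
// Assumptions (not from the original post): the threshold is written as a
// duration string such as "4d" (check Yarn's docs for the syntax it accepts),
// and the registry exposes publish timestamps the way an npm packument's
// "time" map does.

const DURATION_UNITS = { s: 1000, m: 60000, h: 3600000, d: 86400000, w: 604800000 };

// "4d" -> 345600000 ms. Rejects anything that is not <integer><unit>.
function parseDuration(str) {
  const m = /^(\d+)([smhdw])$/.exec(String(str).trim());
  if (!m) throw new Error(`unsupported duration: ${str}`);
  return Number(m[1]) * DURATION_UNITS[m[2]];
}

// Numeric compare of plain x.y.z versions (prereleases are filtered out below).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Pick the newest version that was published at least minAgeMs before `now`.
// Returns null when every version is too fresh, which is the outcome the gate
// intentionally produces for a package that only exists as a brand-new release.
function resolveWithAgeGate(timeMap, minAgeMs, now) {
  const eligible = Object.entries(timeMap)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // skip "created"/"modified" and prereleases
    .map(([version, t]) => ({ version, publishedAt: Date.parse(t) }))
    .filter(({ publishedAt }) => now - publishedAt >= minAgeMs)
    .sort((x, y) => compareSemver(y.version, x.version)); // newest first
  return eligible.length > 0 ? eligible[0].version : null;
}

// Constructed sample "time" map for a hypothetical package; not real registry data.
const SAMPLE_TIME = {
  created: '2025-01-10T12:00:00.000Z',
  modified: '2025-09-16T08:05:00.000Z',
  '1.4.0': '2025-01-10T12:00:00.000Z',
  '1.4.1': '2025-06-02T09:30:00.000Z',
  '1.5.0': '2025-09-15T20:00:00.000Z', // published the night before "now"
  '1.5.1': '2025-09-16T08:05:00.000Z', // published a few hours before "now"
};
const NOW = Date.parse('2025-09-16T12:00:00.000Z');

// Without a gate the freshest release wins; with a 4-day gate the resolver
// falls back to the newest release that has had time to be vetted.
function demo() {
  return {
    ungated: resolveWithAgeGate(SAMPLE_TIME, 0, NOW),                 // "1.5.1"
    gated: resolveWithAgeGate(SAMPLE_TIME, parseDuration('4d'), NOW), // "1.4.1"
  };
}

console.log(demo());
```

Run it with `node` to see the two outcomes side by side. The point for the proposal above is the fallback behaviour: a gated install does not fail when the latest version is too new, it selects the newest version that clears the window, so day-to-day development keeps working while a freshly pushed malicious release sits unused until researchers have had time to look at it.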