Conversation

@technophile-04
Collaborator

@technophile-04 technophile-04 commented Dec 5, 2025

Description

Ran:

yarn set version berry
yarn install

The #1184 seems way too old. Also, I'm not sure what commands they used to migrate because there are some files that need to be added which were not present.

TODO:

Research npmMinimalAgeGate, see what's the best/standard value people are using, and add it

@rin-st
Member

rin-st commented Dec 8, 2025

> Research npmMinimalAgeGate, see what's the best/standard value people are using, and add it

Since we're not in a hurry most of the time, I think it's ok to use "7d", it should be enough to prevent most of the supply chain attacks. And use npmPreapprovedPackages for burner-connector and similar cases

@carletex
Member

carletex commented Dec 9, 2025

> Since we're not in a hurry most of the time, I think it's ok to use "7d", it should be enough to prevent most of the supply chain attacks.

We also have to think about the opposite side of this. When you want to update to a safer version currently released (nextjs / react recently). I guess you just need to add temporarily to npmPreapprovedPackages, right?

Also, for our npmPreapprovedPackages packages (burner, sui?) we'd need to implement something similar to this? If not, we are still vulnerable (way less, but still)

@rin-st
Member

rin-st commented Dec 9, 2025

> We also have to think about the opposite side of this. When you want to update to a safer version currently released (nextjs / react recently). I guess you just need to add temporarily to npmPreapprovedPackages, right?

I think yes, I don't see other solutions

> Also, for our npmPreapprovedPackages packages (burner, sui?) we'd need to implement something similar to this? If not, we are still vulnerable (way less, but still)

Yes, wanted to say it too but forgot

@technophile-04
Collaborator Author

Hey guys thanks for the discussion! So been researching as well, and I think:

  1. 7d is good enough!
  • Like yup we don't update things that often, and we can wait / also need time to implement to update to new version code.
  • lol this is future future but, in create-eth we can have a CI which doesn't have the "npmMinimalAgeGate" field. So we scaffold a new version of scaffold-eth with latest packages and this will help us catch bugs earlier (like if you remember we had an issue with react-copy-to-clipboard types, cause it was internally not pinned), so in that CI it will be caught and we will have like 7 days to fix it (since in the og repo the gate will unlock after 7 days).

> We also have to think about the opposite side of this. When you want to update to a safer version currently released (nextjs / react recently). I guess you just need to add temporarily to npmPreapprovedPackages, right?

> I think yes, I don't see other solutions

yeah I don't see a better solution either, but for now I have added (our maintainer packages + react, next patch versions) since those are the main ones. We can also think of allowing (hardhat patch versions) there. And for some exceptional cases we follow the flow of adding packages on-demand and then removing them.

> Also, for our npmPreapprovedPackages packages (burner, sui?) we'd need to implement something similar to this? If not, we are still vulnerable (way less, but still)

Ohh yes! We shall add them 🙌

@rin-st
Member

rin-st commented Dec 18, 2025

I think we need to remove react/next from preapproved packages.
As I remember, the npmMinimalAgeGate option was added after this, when patch versions of popular packages were compromised. Hopefully it will not be the case for react/next but we're not 100% sure.

For the last react/next CVEs it works (when patch versions added the fixes), but probably it's better to update them that way just in case?

> We also have to think about the opposite side of this. When you want to update to a safer version currently released (nextjs / react recently). I guess you just need to add temporarily to npmPreapprovedPackages, right?

@technophile-04
Collaborator Author

> I think we need to remove react/next from preapproved packages.
> As I remember, the npmMinimalAgeGate option was added after this, when patch versions of popular packages were compromised. Hopefully it will not be the case for react/next but we're not 100% sure.

Ohh man :( I see, yup and agree, the more I think and read it just makes sense to only have our packages (which are controlled by us) in npmPreapprovedPackages; the rest we can remove and add depending on the need
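The thread converges on a minimal publish age of "7d" plus a preapproved list that is limited to packages the maintainers control. The following is an added illustration (not Yarn's implementation and not code from this repository) of what that combination does to version resolution: a freshly published patch is held back for everyone except preapproved packages, which is exactly the trade-off discussed above when a security fix ships as a new patch. The package names and publish timestamps are constructed sample data shaped like the `time` field of a registry packument; the duration syntax ("7d", "12h") and the "older than the gate, or preapproved" rule are assumptions that mirror the discussion, not a statement of Yarn's exact semantics.

```python
"""Toy model of a minimal-age gate for npm package versions.

Constructed illustration, not Yarn's implementation: it applies the two ideas
from the discussion (a minimal publish age such as "7d", plus a preapproved
allow-list that bypasses it) to packument-style version timestamps.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample data shaped like a packument's "time" field
# (version -> ISO-8601 publish timestamp). Not real publish dates.
# Real packuments also carry "created"/"modified" keys, which are skipped below.
SAMPLE_TIMES: Dict[str, Dict[str, str]] = {
    "next": {
        "created": "2025-11-20T10:00:00Z",
        "modified": "2025-12-04T09:00:00Z",
        "15.0.0": "2025-11-20T10:00:00Z",
        "15.0.1": "2025-11-28T10:00:00Z",  # just over 7 days old at NOW
        "15.0.2": "2025-12-04T09:00:00Z",  # about 1 day old at NOW: gated
    },
    "burner-connector": {
        "0.1.0": "2025-12-04T12:00:00Z",  # about 1 day old at NOW
    },
}

# Fixed "current time" so the example is deterministic when run offline.
NOW = datetime(2025, 12, 5, 12, 0, tzinfo=timezone.utc)

_UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_gate(spec: str) -> timedelta:
    """Parse a duration such as "7d", "12h", "30m" or "2w" into a timedelta."""
    spec = spec.strip()
    if len(spec) < 2 or spec[-1] not in _UNITS or not spec[:-1].isdigit():
        raise ValueError(f"unsupported duration: {spec!r}")
    return timedelta(**{_UNITS[spec[-1]]: int(spec[:-1])})


def _parse_time(ts: str) -> datetime:
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_version(key: str) -> bool:
    """True for plain x.y.z keys; filters out "created"/"modified"."""
    parts = key.split(".")
    return len(parts) == 3 and all(p.isdigit() for p in parts)


def _version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def eligible_versions(name: str, gate: str, preapproved: Iterable[str] = (),
                      times: Dict[str, Dict[str, str]] = SAMPLE_TIMES,
                      now: datetime = NOW) -> List[str]:
    """Versions of `name` that pass the gate: old enough, or package preapproved."""
    min_age = parse_gate(gate)
    bypass = name in set(preapproved)
    out = []
    for key, ts in times.get(name, {}).items():
        if not is_version(key):
            continue
        if bypass or (now - _parse_time(ts)) >= min_age:
            out.append(key)
    return sorted(out, key=_version_key)


def newest_eligible(name: str, gate: str, preapproved: Iterable[str] = (),
                    times: Dict[str, Dict[str, str]] = SAMPLE_TIMES,
                    now: datetime = NOW) -> Optional[str]:
    """The version a gated resolver would pick, or None if nothing qualifies."""
    versions = eligible_versions(name, gate, preapproved, times, now)
    return versions[-1] if versions else None


def gated_versions(name: str, gate: str,
                   times: Dict[str, Dict[str, str]] = SAMPLE_TIMES,
                   now: datetime = NOW) -> List[str]:
    """Versions held back by the gate; handy for a CI report of pending updates."""
    all_versions = [k for k in times.get(name, {}) if is_version(k)]
    ok = set(eligible_versions(name, gate, (), times, now))
    return sorted((v for v in all_versions if v not in ok), key=_version_key)


if __name__ == "__main__":
    print(newest_eligible("next", "7d"))                        # 15.0.1
    print(newest_eligible("next", "7d", preapproved=["next"]))  # 15.0.2
    print(gated_versions("next", "7d"))                         # ['15.0.2']
```

Run as-is, the model shows both halves of the discussion: with no preapproval, `next` resolves to 15.0.1 and the day-old 15.0.2 is reported as gated, which is the desired behaviour for a compromised patch but also delays a legitimate security fix; adding the package to the preapproved list lifts the gate entirely, which is why the thread settles on keeping that list to maintainer-controlled packages such as burner-connector and adding others only on demand.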


@Kushmanmb Kushmanmb left a comment


yarn install

@technophile-04
Collaborator Author

This is ready to be merged I feel 🙌

Member

@rin-st rin-st left a comment


Lgtm, thanks!
