Skip to content

[Feature] Approve package install scripts (approve-builds) #7188

Description

@rChaoz
  • I'd be willing to implement this feature (contributing guide)
  • This feature is important to have in this repository; a contrib plugin wouldn't do

Describe the user story

With the amount of supply chain attacks lately, there's been a lot of discussion regarding npm's security and reliability. Many malicious packages use install (lifecycle) scripts to run arbitrary code on user's machines when they update to a compromised version. Manually approving which packages can run install scripts solves this by disallowing all install scripts by default, locally and in CI. When a package suddenly wants to run an install script, the user sees the request, and can verify/research what the install script does before running it.

Currently, Yarn automatically runs these scripts without requiring approval, which has become a security concern. As of writing this, every other major package manager supports this:

Describe the solution you'd like

Yarn should support some version of approving package install scripts. Each of the package managers listed above has its own unique implementation, but IMO Yarn should follow npm's implementation, which defines a standard allowScripts package.json field.

Describe the drawbacks of your solution

Enabling this by default is a breaking change, so it should be disabled by default, enabled with a config option in .yarnrc.yml. It should be enabled by default in v5+.

Describe alternatives you've considered

Using pnpm or bun instead.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions