Describe the user story
With the amount of supply chain attacks lately, there's been a lot of discussion regarding npm's security and reliability. Many malicious packages use install (lifecycle) scripts to run arbitrary code on user's machines when they update to a compromised version. Manually approving which packages can run install scripts solves this by disallowing all install scripts by default, locally and in CI. When a package suddenly wants to run an install script, the user sees the request, and can verify/research what the install script does before running it.
Currently, Yarn automatically runs these scripts without requiring approval, which has become a security concern. As of writing this, every other major package manager supports this:
Describe the solution you'd like
Yarn should support some version of approving package install scripts. Each of the package managers listed above has its own unique implementation, but IMO Yarn should follow npm's implementation, which defines a standard allowScripts package.json field.
Describe the drawbacks of your solution
Enabling this by default is a breaking change, so it should be disabled by default, enabled with a config option in .yarnrc.yml. It should be enabled by default in v5+.
Describe alternatives you've considered
Using pnpm or bun instead.
Describe the user story
With the amount of supply chain attacks lately, there's been a lot of discussion regarding npm's security and reliability. Many malicious packages use install (lifecycle) scripts to run arbitrary code on user's machines when they update to a compromised version. Manually approving which packages can run install scripts solves this by disallowing all install scripts by default, locally and in CI. When a package suddenly wants to run an install script, the user sees the request, and can verify/research what the install script does before running it.
Currently, Yarn automatically runs these scripts without requiring approval, which has become a security concern. As of writing this, every other major package manager supports this:
approve-buildsapprove-scriptstrustDescribe the solution you'd like
Yarn should support some version of approving package install scripts. Each of the package managers listed above has its own unique implementation, but IMO Yarn should follow
npm's implementation, which defines a standardallowScriptspackage.jsonfield.Describe the drawbacks of your solution
Enabling this by default is a breaking change, so it should be disabled by default, enabled with a config option in
.yarnrc.yml. It should be enabled by default in v5+.Describe alternatives you've considered
Using
pnpmorbuninstead.