Skip to content

[Security] Lockfile dependency injection #4136

Answered by arcanis
hexnickk asked this question in Q&A
Discussion options

You must be logged in to vote

Yarn 4.0 (rc) now automatically protects against lockfile attacks through a new enableHardenedMode setting which is automatically enabled for "untrusted" environments (such as GitHub PRs on public repositories). When enabled:

  • Yarn won't allow a lockfile to contain package metadata that don't match the registry
  • Yarn will require all resolutions in the lockfile to be valid potential resolutions for the original range

Put together, those rules will entirely prevent malicious actors from adding dependencies deep into the lockfile, hidden from review. The only downside is that they make installs from PRs slightly slower, since we need to re-fetch the package metadata.

Replies: 6 comments 12 replies

Comment options

You must be logged in to vote
1 reply
@arcanis
Comment options

Comment options

You must be logged in to vote
1 reply
@arcanis
Comment options

Comment options

You must be logged in to vote
2 replies
@hexnickk
Comment options

@arcanis
Comment options

Comment options

You must be logged in to vote
7 replies
@hexnickk
Comment options

@arcanis
Comment options

@hexnickk
Comment options

@hexnickk
Comment options

@hexnickk
Comment options

Comment options

You must be logged in to vote
1 reply
@hexnickk
Comment options

Comment options

You must be logged in to vote
0 replies
Answer selected by arcanis
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
3 participants