What's the problem this PR addresses?
Lockfile changes that are part of PRs submitted by third parties may be compromised and contain metadata that doesn't match reality. This could lead to maintainers unknowingly starting to depend on packages they don't control / don't trust.
The current solution is to either review the whole lockfile (which is doable, but impractical for large changes, like when upgrading all `@babel` dependencies in a repository), regenerate the lockfile from scratch (high friction), or hope for third-party tools like Snyk to detect issues.
How did you fix it?
This diff adds a new flag, `--refresh-lockfile`, which will keep resolutions in place but will resolve the associated metadata anew (this is the same thing we do when we bump the lockfile version, to regenerate the missing fields).
Because both this flag and `--immutable` are enabled by default on PR CI, projects upgrading to Yarn 4 will automatically be protected from compromised package metadata.
Checklist
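A small model of the refresh-then-compare check the PR describes, added here as an example rather than Yarn's own code: resolutions from the submitted lockfile are kept, the metadata for each is re-derived from a trusted source, and any entry whose metadata changed is reported, which is what an `--immutable` install would reject. The lockfile shape (descriptor to a record with `resolution` and `checksum`) is a simplified assumption, and the registry is a constructed stub.

```python
# Constructed sample: a lockfile as it might arrive in a third-party PR.
# Resolutions are the pinned versions the PR chose; the checksum is metadata
# that should be derivable from the resolution alone, so we never trust it.
PR_LOCKFILE = {
    "left-pad@npm:^1.3.0": {"resolution": "left-pad@npm:1.3.0", "checksum": "sha512-aaaa"},
    "is-even@npm:^1.0.0": {"resolution": "is-even@npm:1.0.0", "checksum": "sha512-TAMPERED"},
    "ghost-pkg@npm:^2.0.0": {"resolution": "ghost-pkg@npm:2.0.0", "checksum": "sha512-cccc"},
}

# Constructed stand-in for a fresh resolution against the trusted registry.
# "ghost-pkg@npm:2.0.0" is deliberately absent: it cannot be re-resolved.
TRUSTED_METADATA = {
    "left-pad@npm:1.3.0": {"checksum": "sha512-aaaa"},
    "is-even@npm:1.0.0": {"checksum": "sha512-bbbb"},
}


def refresh_lockfile(lockfile, fetch_metadata):
    """Keep every resolution exactly as submitted, but rebuild its metadata
    from the trusted source (the behaviour the PR describes for the flag).
    Entries that cannot be re-resolved keep only their resolution, so they
    will show up as changed in the comparison below."""
    refreshed = {}
    for descriptor, entry in lockfile.items():
        resolution = entry["resolution"]
        try:
            fresh = fetch_metadata(resolution)
        except KeyError:
            fresh = {"unresolvable": True}
        refreshed[descriptor] = {"resolution": resolution, **fresh}
    return refreshed


def immutable_diff(original, refreshed):
    """Descriptors whose entry differs after refresh. A non-empty result is
    what an --immutable install turns into a failure."""
    return sorted(d for d in original if original[d] != refreshed.get(d))


def check_pr_lockfile(lockfile=PR_LOCKFILE, registry=TRUSTED_METADATA):
    """Run the refresh and report which submitted entries would be rejected."""
    refreshed = refresh_lockfile(lockfile, lambda r: registry[r])
    return immutable_diff(lockfile, refreshed)


if __name__ == "__main__":
    for descriptor in check_pr_lockfile():
        print(f"lockfile metadata mismatch: {descriptor}")
```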