fix(PLT-3359): harden yarn configuration #156

Merged
Thr44 merged 1 commit into main from appsec/harden-yarn-config on Apr 28, 2026

Conversation


@tf-seti tf-seti commented Apr 1, 2026

Harden yarn configuration

This PR hardens yarn configuration against recent supply chain attacks
(shai hulud, shai hulud 2, litellm, axios).

More details in Hardening Development Supply Chain.

Changes

.yarnrc security settings:

  • ignore-scripts true — blocks all postinstall script execution (RATs, cryptominers, credential exfiltration)
  • save-exact true — forces exact version pins on yarn add (no ^ prefix)

Dependabot cooldown (if npm ecosystem configured):

  • 7-day cooldown for all version updates (major, minor, patch)
  • Delays automated upgrade PRs, reducing exposure to recently published malicious versions

What you need to know

  • ignore-scripts applies to both yarn install and yarn add — postinstall scripts will not run in either case.
  • If your project needs postinstall scripts (e.g., husky, esbuild native binaries), run them explicitly:
    yarn rebuild esbuild    # rebuild native bindings
    npx husky install       # set up git hooks

References


Automated by Application Security · supply-chain-hardening batch change

Created by Sourcegraph batch change david.salvador/harden-yarn-config.
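As an added example that is not part of this PR or the batch change, the script below audits a checkout for the hardening the description lists: the two Yarn classic `.yarnrc` keys (`ignore-scripts true`, `save-exact true`) and a `cooldown:` block under the npm entry in `.github/dependabot.yml`. The function names and the line-oriented YAML scan are mine; the `cooldown` / `default-days` keys are Dependabot's documented configuration, and I assume that is the form the batch change wrote. Only Yarn classic's space-separated `.yarnrc` format is handled; Yarn 2+ reads `.yarnrc.yml` and disables lifecycle scripts with `enableScripts: false` instead, which this script does not check.

```shell
#!/bin/sh
# Added example, not code from the PR: audit a checkout for the .yarnrc keys
# and the Dependabot cooldown described in the PR. Function names and the
# heuristic YAML scan are assumptions of this example.

# yarnrc_has FILE KEY VALUE
# Returns 0 when FILE sets KEY to VALUE. Comment lines are skipped and
# surrounding double quotes on the key or value are tolerated.
yarnrc_has() {
  yf=$1; yk=$2; yv=$3
  [ -f "$yf" ] || return 1
  grep -v '^[[:space:]]*#' "$yf" | awk -v k="$yk" -v w="$yv" '
    NF >= 2 {
      key=$1; val=$2
      gsub(/^"|"$/, "", key); gsub(/^"|"$/, "", val)
      if (key == k && val == w) found=1
    }
    END { exit (found ? 0 : 1) }'
}

# check_yarnrc [FILE]
# Reports each required setting; returns 0 only when all are present.
check_yarnrc() {
  f=${1:-.yarnrc}
  rc=0
  for pair in "ignore-scripts true" "save-exact true"; do
    key=${pair% *}; val=${pair#* }
    if yarnrc_has "$f" "$key" "$val"; then
      echo "ok       $key $val"
    else
      echo "MISSING  $key $val   (add to $f)"
      rc=1
    fi
  done
  return $rc
}

# dependabot_npm_cooldown [FILE]
# Heuristic, not a YAML parser: returns 0 when an npm package-ecosystem entry
# in FILE is followed by a cooldown: key before the next ecosystem entry.
dependabot_npm_cooldown() {
  df=${1:-.github/dependabot.yml}
  [ -f "$df" ] || return 1
  awk '
    /package-ecosystem:/ { in_npm = ($0 ~ /npm/) }
    in_npm && /^[[:space:]]*cooldown:/ { found=1 }
    END { exit (found ? 0 : 1) }' "$df"
}

# audit_repo [DIR]
# Runs both checks against a checkout; returns 0 only when everything passes.
audit_repo() {
  d=${1:-.}
  ok=0
  check_yarnrc "$d/.yarnrc" || ok=1
  if dependabot_npm_cooldown "$d/.github/dependabot.yml"; then
    echo "ok       dependabot npm cooldown"
  else
    echo "MISSING  dependabot npm cooldown   (cooldown: default-days: 7 under the npm entry)"
    ok=1
  fi
  return $ok
}

# usage: . ./audit-yarn.sh && audit_repo /path/to/checkout
```

Source the file and call `audit_repo` from a CI step; a non-zero exit fails the job, so a repository that drops `ignore-scripts` or the cooldown is caught before the next install runs. The Dependabot check is deliberately lenient (it only looks for the key, not its value), so a cooldown set to 0 days still passes; tighten the awk pattern if that matters for your policy.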

@tf-seti tf-seti changed the title fix(NOJIRA-1234): harden yarn configuration fix(PLT-3359): harden yarn configuration Apr 28, 2026
@tf-seti tf-seti force-pushed the appsec/harden-yarn-config branch from e06f4d4 to b67e351 on April 28, 2026 08:59
@sonarqubecloud

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

@tf-seti tf-seti marked this pull request as ready for review April 28, 2026 09:35
@tf-seti tf-seti requested a review from a team as a code owner April 28, 2026 09:35
pr-auditor Bot commented Apr 28, 2026

✅ Security Analysis Results

Great news! No security issues found in this pull request.

Analysis Summary:

  • 📁 Files reviewed: 2
  • ✅ No security vulnerabilities detected

Security analysis powered by Claude Sonnet 4.6 via pr-auditor | Questions? Contact #dx-team or check out this page

gitstream-cm Bot commented Apr 28, 2026

🥷 Code experts: robespmun

robespmun has most 👩‍💻 activity in the files.
robespmun has most 🧠 knowledge in the files.

.github/dependabot.yml

Activity based on git-commit: robespmun (commit activity chart, Nov to Apr)

Knowledge based on git-blame: robespmun: 22%

@Thr44 Thr44 merged commit dfecb02 into main Apr 28, 2026
17 of 18 checks passed
@Thr44 Thr44 deleted the appsec/harden-yarn-config branch April 28, 2026 09:49
@typeform-ops-gha

🎉 This PR is included in version 2.10.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

4 participants