Elgato_dark/hyperdx
1
0
Fork 0
mirror of https://github.com/hyperdxio/hyperdx synced 2026-04-21 13:37:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
hyperdx/.yarnrc.yml

6 lines
90 B
YAML
Raw Normal View History

feat: move more codes
2024-11-22 05:44:33 +00:00
nodeLinker: node-modules
chore: set yarn npmMinimalAgeGate (#2022) ## Summary In response to the recent [axios supply chain attack](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan), we are tightening package management controls to reduce our exposure to malicious or compromised npm packages. **Changes:** - Updated `yarnPath` in `.yarnrc.yml` to point to Yarn 4.13.0 - Updated `packageManager` in `package.json` to reflect Yarn 4.13.0 - Removed old Yarn releases (4.5.1 and 1.22.18) from the `releases/` directory - Added Yarn 4.13.0 to the `releases/` directory - Set `npmMinimalAgeGate: 7` in `.yarnrc.yml` — Yarn will now block installation of any package version published less than 7 days ago, providing a buffer against freshly-injected malicious releases ### How to test locally or on Vercel 1. Pull this branch and run `yarn --version` — confirm it outputs `4.13.0`. 2. Run `yarn install` and verify it completes without errors. 3. Attempt to add a package version published within the last 7 days (e.g. a freshly released patch) and confirm Yarn rejects it with an age gate error. 4. Add a package version older than 7 days and confirm it installs successfully. 5. Confirm the old Yarn release files (`4.5.1`, `1.22.18`) are no longer present in `releases/`. ### References - Blog post: [axios compromised on npm — malicious versions drop remote access trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan)
2026-03-31 18:37:07 +00:00
yarnPath: .yarn/releases/yarn-4.13.0.cjs
npmMinimalAgeGate: 7d
Reference in a new issue Copy permalink