Set the required configuration for processing a Yarn request #360
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I focused on the yarnrc attributes we are sure we need to change based on the design doc, I still need to investigate the ones under "maybe" and do more real-world testing. |
brunoapimentel
force-pushed
the
set-yarn-config
branch
2 times, most recently
from
d93088d to
ccd7cc9
Compare
|
New changes: Split the first commit in two, removed the WIP status from the first three commits, added a new WIP commit to investigate additional yarnrc configuration options. |
brunoapimentel
force-pushed
the
set-yarn-config
branch
from
ccd7cc9 to
3ef9908
Compare
brunoapimentel
force-pushed
the
set-yarn-config
branch
from
3ef9908 to
ca40b15
Compare
|
Sadly, I think we're going to need |
| @@ -22,6 +22,15 @@ | |||
| DEFAULT_CACHE_FOLDER = "./.yarn/cache" | |||
| DEFAULT_REGISTRY = "https://registry.yarnpkg.com" | |||
|
|
|||
| ChecksumBehavior = Literal["throw", "update", "ignore"] | |||
There was a problem hiding this comment.
Isn't "reset" also a possible value here?
There was a problem hiding this comment.
I think that is valid for v4 only 🤔
v3: https://v3.yarnpkg.com/configuration/yarnrc
v4: https://yarnpkg.com/configuration/yarnrc#checksumBehavior
There was a problem hiding this comment.
Should we make a note to yarn v4 story/epic that reset should be added there?
You're absolutely right. We want to ignore the commited yarn executable if it exists, and that requires the ignorePath option set. |
brunoapimentel
requested review from
eskultety,
ben-alkov,
lkolacek and
ejegrova
lkolacek
reviewed
Oct 31, 2023
lkolacek
reviewed
Oct 31, 2023
lkolacek
reviewed
Oct 31, 2023
lkolacek
approved these changes
Oct 31, 2023
eskultety
reviewed
Oct 31, 2023
brunoapimentel
force-pushed
the
set-yarn-config
branch
from
ca40b15 to
b4d6e90
Compare
eskultety
reviewed
Nov 1, 2023
brunoapimentel
force-pushed
the
set-yarn-config
branch
7 times, most recently
from
e23c6b4 to
60c7226
Compare
eskultety
reviewed
Nov 7, 2023
Since we will always write some configuration options into the .yarnrc.yml when processing a Yarn request, we can safely instantiate an empty YarnRc object whenever a Project is loaded. Signed-off-by: Bruno Pimentel <[email protected]>
This will be needed later on so that the configuration in the .yarnrc.yaml file can be changed for the prefetch. Signed-off-by: Bruno Pimentel <[email protected]>
The name was changed from 'write_to_file' to simply 'write', making it consistent to a similar method present in the YarnRc class. Signed-off-by: Bruno Pimentel <[email protected]>
STONEBLD-1777 Set the following options in the .yarnrc.yml file: - checksumBehavior: set to 'throw', so an exception is raised in case of checksum mismatches. - enableImmutableInstalls: makes 'yarn install' fail in case a change to the lockfile is necessary. - plugins: set to an empty array, so that no plugins will be used in the prefetch/cache checking. This avoids arbitrary code execution. - pnpMode: set to 'strict', to disallow modules to require packages they don't explicitly list in their own dependencies. For zero-installs: - enableImmutableCache: makes 'yarn install' fail if any modification in the cache folder would be made. For regular workflow: - enableMirror: set to true to ensure the globalFolder will be used. - globalFolder: set to the request's output folder. The prefetched packages will be placed in it. More details at: https://v3.yarnpkg.com/configuration/yarnrc Signed-off-by: Bruno Pimentel <[email protected]>
Sets the "enableStrictSsl" to true and "unsafeHttpWhitelist" to an empty list in .yarnrc.yml. See https://v3.yarnpkg.com/configuration/yarnrc for more info. Signed-off-by: Bruno Pimentel <[email protected]>
Set the .yarnrc.yml option "enableTelemetry" to false to prevent the yarn commands from making unnecessary requests. See https://v3.yarnpkg.com/configuration/yarnrc for more info. Signed-off-by: Bruno Pimentel <[email protected]>
Set the ignorePath option to true, which makes yarn ignore the executable defined yarnPath and fallback to the global one. This makes Corepack fetch a new yarn executable, which will then be used. We don't want to rely on the executable that is commited to the repository, since there's no way to know if it has been tampered. Signed-off-by: Bruno Pimentel <[email protected]>
Set the "enableScripts" .yarnrc.yml option to false, which avoids the unplugging of dependencies that have postinstall scripts. The unplugged content is necessary for the Yarn project to run, but since a "yarn install" is expected to happen during the build phase for a regular workflow project, this content will still be generated as expected. For more info, see: - https://v3.yarnpkg.com/cli/install (--mode=skip-build section) Signed-off-by: Bruno Pimentel <[email protected]>
brunoapimentel
force-pushed
the
set-yarn-config
branch
from
60c7226 to
258e04e
Compare
eskultety
approved these changes
Nov 7, 2023
brunoapimentel
force-pushed
the
set-yarn-config
branch
3 times, most recently
from
c849c6d to
258e04e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The following .yarnrc.yml options are strictly necessary in order to process a yarn request:
checksum mismatches
the lockfile is necessary
prefetch/cache checking. This avoids arbitrary code execution.
For zero-installs:
the cache folder would be made.
For regular workflow:
packages will be placed in it.
We're also setting these "nice to have" options:
Maintainers will complete the following section