build: restrict postinstall scripts during package installation

clydin · clydin · commit 2e786d1591e0 · 2024-08-15T18:43:42.000-04:00
When performing a yarn-based package installation, only a specific group
of dependencies will now have postinstall scripts executed. This not only
provides additional security benefits but also reduced the amount of script
execution that occurs during each install. The workspace scripts are automatically
allowed and additional specific packages can be allowed as needed.
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -1,3 +1,5 @@
+enableScripts: false
+
 nodeLinker: node-modules
 
 yarnPath: .yarn/releases/yarn-4.4.0.cjs
diff --git a/package.json b/package.json
@@ -102,5 +102,16 @@
     "ts-node": "^8.10.2",
     "typescript": "~5.5.2"
   },
-  "packageManager": "yarn@4.4.0"
+  "packageManager": "yarn@4.4.0",
+  "dependenciesMeta": {
+    "esbuild": {
+      "built": true
+    },
+    "puppeteer": {
+      "built": true
+    },
+    "re2": {
+      "built": true
+    }
+  }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -12129,6 +12129,13 @@ __metadata:
     tslib: "npm:^2.3.0"
     typescript: "npm:~5.5.2"
     zone.js: "npm:~0.14.10"
+  dependenciesMeta:
+    esbuild:
+      built: true
+    puppeteer:
+      built: true
+    re2:
+      built: true
   languageName: unknown
   linkType: soft
 
