Comments (3)
Bump.
@arcanis This is a security regression in 4.x vs 3.x.
On 3.8.3:
$ cat .yarnrc.yml
enableScripts: false
$ yarn --inline-builds --mode=skip-build
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0004: │ yuge-slow-npm-pkg@https://github.com/legobeat/yuge-slow-npm-pkg.git#commit=6940e29e44922456ab581090aab8015c23b55be0 lists build scripts, but all build scripts have been disabled.
➤ YN0000: └ Completed
➤ YN0000: Done with warnings in 0s 44ms
On 4.1.1:
$ cat .yarnrc.yml
enableScripts: false
$ yarn --inline-builds --mode=skip-build
➤ YN0000: · Yarn 4.1.1
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT Packing yuge-slow-npm-pkg@https://github.com/legobeat/yuge-slow-npm-pkg.git#commit=6940e29e44922456ab581090aab8015c23b55be0 from sources
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT Using Yarn Classic for bootstrap. Reason: "__metadata" key not found in yarn.lock, must be a Yarn classic lockfile
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT ➤ YN0000: Downloading https://classic.yarnpkg.com/latest.js
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT ➤ YN0000: Saving the new release in .yarn/releases/yarn-classic.cjs
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT ➤ YN0000: Done in 2s 933ms
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDERR ! The local project doesn't define a 'packageManager' field. Corepack will now add one referencing [email protected]+sha512.af78262d7d125afbfeed740602ace8c5e4405cd7f4735c08feb327286b2fdb2390fbca01589bfd1f50b1240548b74806767f5a063c94b67e431aabd0d86f7774.
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDERR ! For more details about this field, consult the documentation at https://nodejs.org/api/packages.html#packagemanager
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDERR
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT yarn install v1.22.22
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT $ ./hooks.sh preinstall 30
(When the package is present in the lockfile/cache. When not, both v3 and v4 execute it.)
Sidenote
The "The local project doesn't define a 'packageManager' field. Corepack will now add one referencing [email protected]+sha512.af78262d7d125afbfeed740602ace8c5e4405cd7f4735c08feb327286b2fdb2390fbca01589bfd1f50b1240548b74806767f5a063c94b67e431aabd0d86f7774." line seems to be referencing the dependency, which is called here using Yarn Classic. So it also seems that the way this is being instrumented is confusing Corepack for dependencies which don't specify a packageManager field.
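The regression above only bites dependencies that Yarn has to pack "from sources", i.e. git-sourced specifiers rather than registry tarballs. As an added example (not code from the issue thread or from the yarn project), the script below lists the git-sourced entries in a package.json so a reviewer knows which dependencies take that bootstrap path and whether their refs are pinned to a commit; the specifier patterns and the sample manifest are constructed assumptions, not Yarn's own resolver logic.

```javascript
// Added example: triage helper that lists git-sourced dependencies in a
// package.json. Per the thread, Yarn 4.1.1 bootstraps such dependencies with
// the dependency's own package manager during the Fetch step, so the
// dependency's lifecycle scripts (e.g. preinstall) run even with
// `enableScripts: false` in .yarnrc.yml. Node.js only, no network needed.

// Specifier shapes commonly used for git sources (assumption: this list
// approximates the usual forms; it is not Yarn's resolver).
const GIT_PATTERNS = [
  /^git(\+ssh|\+https?|\+file)?:/i,                 // git:, git+ssh:, git+https:
  /^ssh:\/\//i,                                      // ssh://git@host/org/repo.git
  /^(github|gitlab|bitbucket):/i,                    // github:user/repo#ref
  /^https?:\/\/[^/]+\/[^/]+\/[^/#]+\.git(#.*)?$/i,   // https://host/org/repo.git#ref
  /^[\w-][\w.-]*\/[\w.-]+(#.+)?$/,                   // bare user/repo#ref shorthand
];

function isGitSpecifier(spec) {
  return GIT_PATTERNS.some((re) => re.test(spec));
}

// Returns [{ name, spec, pinned }] for git-sourced entries across the usual
// dependency fields. `pinned` is true when the ref is a full 40-hex commit,
// which gives reproducibility; it does not by itself prevent script execution.
function findGitDependencies(manifest) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const found = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec !== 'string' || !isGitSpecifier(spec)) continue;
      const ref = spec.split('#')[1] || '';
      const pinned = /(^|=)[0-9a-f]{40}$/.test(ref);
      found.push({ name, spec, pinned });
    }
  }
  return found;
}

// Constructed sample manifest: one pinned git dep (the specifier from the
// thread), one unpinned shorthand git dep, and two non-git entries.
const SAMPLE_MANIFEST = {
  dependencies: {
    'yuge-slow-npm-pkg': 'https://github.com/legobeat/yuge-slow-npm-pkg.git#commit=6940e29e44922456ab581090aab8015c23b55be0',
    lodash: '^4.17.21',
    'local-lib': 'file:./local-lib',
  },
  devDependencies: { 'some-tool': 'legobeat/yuge-slow-npm-pkg#main' },
};

for (const d of findGitDependencies(SAMPLE_MANIFEST)) {
  console.log(`${d.name}: packed from sources (${d.pinned ? 'pinned commit' : 'UNPINNED ref'}) <- ${d.spec}`);
}
```

Run it against a real manifest by replacing `SAMPLE_MANIFEST` with `JSON.parse(fs.readFileSync('package.json'))`; every line it prints is a dependency whose scripts `enableScripts: false` did not suppress in the 4.1.1 run shown above.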