kanthesha
commented
4 months ago There are couple of validation, which seems unnecessary to me.
if the project has a .yarnrc file (Yarn Classic), then it has ignore-scripts true.
I read the why it is required! But once we say the project requires .yarnrc.yml and we need .yarnrc to be absent, then I don't see a point in further validating if there's a .yarnrc then it should have something!!
If the project has a .yarnrc file (Yarn Classic), then a "setup" package script should be present and should be equal to "yarn install && yarn allow-scripts".
Same as above. If we want user to not to have .yarnrc in their project, I don't see a point in if it exists it should have something!!
We want to make sure that for a given project:
@lavamoat/allow-scriptsand@lavamoat/preinstall-always-failas dev dependencies, and the versions match the same dev dependencies as in the module template.package.jsoncontains alavamoatfield with anallowScriptsfield inside of it, and this file contains"@lavamoat/preinstall-always-fail": false..yarnrc.yml(Yarn Modern), then it has aenableScripts: falseline; or if the project has a.yarnrcfile (Yarn Classic), then it hasignore-scripts true..yarnrcfile. Usually we would stop here and not bother linting the.yarnrcfor a project, but in this case, it is critical that each of our projects usesallow-scripts, regardless of which package manager is being used. Among our projects, if they don't use Yarn Modern there is a high likelihood they use Yarn Classic..yarnrc.ymlfile, then.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjsis present and its content matches the same file as in the module template; additionally,.yarnrc.yml'spluginsfield contains the object{ path: ".yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs", spec: "https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js" }..yarnrcfile (Yarn Classic), then a "setup" package script should be present and should be equal to "yarn install && yarn allow-scripts".