Open legobeat opened 5 months ago
@arcanis @merceyz PTAL
Bump.
@arcanis This is a security regression in 4.x vs 3.x.
On 3.8.3:

```
$ cat .yarnrc.yml
enableScripts: false
$ yarn --inline-builds --mode=skip-build
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0004: │ yuge-slow-npm-pkg@https://github.com/legobeat/yuge-slow-npm-pkg.git#commit=6940e29e44922456ab581090aab8015c23b55be0 lists build scripts, but all build scripts have been disabled.
➤ YN0000: └ Completed
➤ YN0000: Done with warnings in 0s 44ms
```
On 4.1.1:

```
$ cat .yarnrc.yml
enableScripts: false
$ yarn --inline-builds --mode=skip-build
➤ YN0000: · Yarn 4.1.1
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT Packing yuge-slow-npm-pkg@https://github.com/legobeat/yuge-slow-npm-pkg.git#commit=6940e29e44922456ab581090aab8015c23b55be0 from sources
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT Using Yarn Classic for bootstrap. Reason: "__metadata" key not found in yarn.lock, must be a Yarn classic lockfile
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT ➤ YN0000: Downloading https://classic.yarnpkg.com/latest.js
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT ➤ YN0000: Saving the new release in .yarn/releases/yarn-classic.cjs
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT ➤ YN0000: Done in 2s 933ms
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDERR ! The local project doesn't define a 'packageManager' field. Corepack will now add one referencing yarn@4.3.1+sha512.af78262d7d125afbfeed740602ace8c5e4405cd7f4735c08feb327286b2fdb2390fbca01589bfd1f50b1240548b74806767f5a063c94b67e431aabd0d86f7774.
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDERR ! For more details about this field, consult the documentation at https://nodejs.org/api/packages.html#packagemanager
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDERR
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT yarn install v1.22.22
➤ YN0000: │ /var/tmp/xfs-88ef6319 STDOUT $ ./hooks.sh preinstall 30
```
(When package is present in lockfile/cache. When not, both v3 and v4 execute it)
Self-service

Describe the bug

It seems that for dependencies which themselves contain a yarn v1 lockfile, the `enableScripts` configuration value is ignored and lifecycle scripts are run regardless.

To reproduce

(Aside: The sherlock link in the GH template is 404ing)

- `enableScripts: false` in `.yarnrc.yaml`
- Add a dependency containing a `yarn.lock` to `dependencies`
- `yarn install`

A reproduction PR on a minimal repo is available. As can be seen in the GitHub Actions workflow output from the `yarn install` step, the dependency `preinstall` and `postinstall` lifecycle scripts are triggered as part of the `Resolution step`.

Environment

Additional context