Skip to content

chore(lambdas): upgrade yarn to 4.16.0 and harden install config#5155

Merged
Brend-Smits merged 3 commits into
mainfrom
chore/upgrade-yarn-harden-install
Jun 11, 2026
Merged

chore(lambdas): upgrade yarn to 4.16.0 and harden install config#5155
Brend-Smits merged 3 commits into
mainfrom
chore/upgrade-yarn-harden-install

Conversation

@npalm

@npalm npalm commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

Upgrades Yarn in lambdas/ and hardens the install pipeline against two supply-chain risks: freshly published packages and arbitrary lifecycle scripts. Also includes lockfile housekeeping.

Changes

  • Yarn 4.3.1 → 4.16.0 (packageManager + .yarn/releases/)
  • npmMinimalAgeGate: 10080 (7 days) in .yarnrc.yml — blocks installing packages published less than a week ago (requires Yarn ≥ 4.9)
  • enableScripts: false in .yarnrc.yml — disables preinstall/install/postinstall lifecycle scripts globally
  • Housekeeping: yarn dedupe consolidated 72 duplicated transitive versions in yarn.lock

Verification

CI

Notes

If a future dependency genuinely needs its postinstall, add it explicitly via:

"dependenciesMeta": { "<pkg>": { "built": true } }

in lambdas/package.json.

@npalm
chore(lambdas): upgrade yarn to 4.16.0 and harden install config
6b0b0e8 
- Bump Yarn 4.3.1 -> 4.16.0 (packageManager + .yarn/releases)
- Add npmMinimalAgeGate: 10080 (7d) to block freshly published packages
- Add enableScripts: false to disable lifecycle scripts by default;
  verified install, build, lint, format-check and tests all pass
  without per-package allowlist (no dependenciesMeta needed)
@github-actions

github-actions Bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

  • lambdas/yarn.lock

@npalm
chore(lambdas): fix duplicate yarnrc key and dedupe lockfile
74d0821 
- Remove duplicate enableScripts entry in .yarnrc.yml that broke
  YAML parsing on CI
- Run yarn dedupe: consolidated 72 transitive duplicates;
  lint, format-check and tests still pass
npalm
npalm commented Jun 10, 2026
View reviewed changes
Comment thread lambdas/yarn.lock
@npalm npalm requested a review from a team June 10, 2026 19:21
@npalm npalm marked this pull request as ready for review June 10, 2026 19:21
@npalm npalm requested a review from a team as a code owner June 10, 2026 19:21
Brend-Smits
Brend-Smits approved these changes Jun 11, 2026
View reviewed changes

@Brend-Smits Brend-Smits left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :shipit:!

@Brend-Smits Brend-Smits merged commit aceace8 into main Jun 11, 2026
11 of 12 checks passed
@Brend-Smits Brend-Smits deleted the chore/upgrade-yarn-harden-install branch June 11, 2026 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Brend-Smits Brend-Smits Brend-Smits approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@npalm @Brend-Smits