build: restrict postinstall scripts during package installation

When performing a yarn-based package installation, only a specific group of dependencies will now have postinstall scripts executed. This not only provides additional security benefits but also reduced the amount of script execution that occurs during each install. The workspace scripts are automatically allowed and additional specific packages can be allowed as needed.
angular · Aug 15, 2024 · 2e786d1 · 2e786d1
1 parent 24cd34b
commit 2e786d1
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -1,3 +1,5 @@
+enableScripts: false
+
 nodeLinker: node-modules
 
 yarnPath: .yarn/releases/yarn-4.4.0.cjs
diff --git a/package.json b/package.json
@@ -102,5 +102,16 @@
     "ts-node": "^8.10.2",
     "typescript": "~5.5.2"
   },
-  "packageManager": "[email protected]"
+  "packageManager": "[email protected]",
+  "dependenciesMeta": {
+    "esbuild": {
+      "built": true
+    },
+    "puppeteer": {
+      "built": true
+    },
+    "re2": {
+      "built": true
+    }
+  }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -12129,6 +12129,13 @@ __metadata:
     tslib: "npm:^2.3.0"
     typescript: "npm:~5.5.2"
     zone.js: "npm:~0.14.10"
+  dependenciesMeta:
+    esbuild:
+      built: true
+    puppeteer:
+      built: true
+    re2:
+      built: true
   languageName: unknown
   linkType: soft