
chore: Add approvedGitRepositories to Yarn config #8672

Merged
Mrtenz merged 2 commits into main from mrtenz/yarn-approved-git-repositories
May 4, 2026

Conversation

@Mrtenz (Member) commented May 4, 2026

Explanation

Yarn recently added an approvedGitRepositories setting which is an allowlist for allowed Git repositories that can be installed as dependencies. Git repositories have some security risks, and we don't typically use them, so we can set it to an empty array to disallow Git repositories.

References

MetaMask/metamask-module-template#310.

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note (Low Risk)

Low risk: config-only changes that tighten dependency policy and bump the Yarn toolchain; main impact is potential install/CI breakage if any Git-based deps were relied on implicitly.

Overview
Hardens Yarn dependency sourcing by adding approvedGitRepositories: [] to .yarnrc.yml, explicitly disallowing Git-based dependencies.

Bumps the required Yarn version from 4.10.3 to 4.14.1 (root packageManager and matching yarn constraints check), and updates yarn.lock metadata accordingly.

Reviewed by Cursor Bugbot for commit f0bd7f1.
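Before turning on `approvedGitRepositories: []`, it is worth knowing which ranges in the manifest Yarn would have fetched from Git, because those are exactly the installs the empty allowlist will refuse and the source of the install/CI breakage the note above warns about. The following Node script is an added example written for this page, not code from MetaMask or from Yarn. It classifies dependency ranges with a heuristic that assumes Yarn's Git fetcher handles `git+`, `git://` and `ssh://` URLs, scp-style `git@host:` paths, the `github:`/`gitlab:`/`bitbucket:` shorthands, bare `owner/repo` shorthands, URLs ending in `.git`, and plain GitHub/GitLab/Bitbucket URLs, and that `npm:`, `workspace:`, `file:`, `link:`, `portal:`, `patch:` and `exec:` ranges never touch Git. The manifest it scans is constructed for illustration (the package names and ranges are made up), and `auditManifest` is a hypothetical helper for running the same check against a real package.json.

```javascript
// Added example (not MetaMask's or Yarn's own code): audit a package.json for
// dependency ranges that Yarn would fetch from a Git repository. With
// approvedGitRepositories: [] in .yarnrc.yml such ranges can no longer be
// installed, so run this before adopting the setting to see what would break.

// Protocols Yarn resolves without touching Git. Assumption: a range with one
// of these prefixes is never a Git dependency, whatever follows the prefix.
const NON_GIT_PROTOCOLS = /^(npm|workspace|file|link|portal|patch|exec):/;

// Heuristic patterns for Git-sourced ranges (assumption about Yarn's fetcher;
// it over-approximates, e.g. any bare "owner/repo" string is flagged).
const GIT_PATTERNS = [
  /^git\+/i, // git+ssh://, git+https://
  /^git:\/\//i,
  /^ssh:\/\//i,
  /^git@[^:/]+:/i, // scp-style git@github.com:owner/repo.git
  /^(github|gitlab|bitbucket):/i,
  /\.git(#.*)?$/i, // any URL ending in .git, optionally with #ref
  /^https?:\/\/(www\.)?(github\.com|gitlab\.com|bitbucket\.org)\//i,
  /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#.*)?$/, // bare owner/repo[#ref]
];

// True if Yarn would resolve this range through its Git fetcher.
function isGitRange(range) {
  if (typeof range !== "string") return false;
  const r = range.trim();
  if (NON_GIT_PROTOCOLS.test(r)) return false;
  if (r.startsWith("@")) return false; // scoped package name, never a Git ref
  return GIT_PATTERNS.some((pattern) => pattern.test(r));
}

const DEPENDENCY_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
  "resolutions",
];

// Returns every { field, name, range } in the manifest that is Git-sourced.
function findGitDependencies(manifest) {
  const hits = [];
  for (const field of DEPENDENCY_FIELDS) {
    const block = manifest[field];
    if (!block || typeof block !== "object") continue;
    for (const [name, range] of Object.entries(block)) {
      if (isGitRange(range)) hits.push({ field, name, range });
    }
  }
  return hits;
}

// Hypothetical helper for a manifest on disk, e.g.
//   node audit-git-deps.js path/to/package.json
// (fs is required lazily so the rest of the file has no I/O dependency).
function auditManifest(path) {
  const fs = require("fs");
  return findGitDependencies(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample manifest; every package name and range here is made up.
const SAMPLE_MANIFEST = {
  name: "sample-workspace",
  dependencies: {
    "left-pad-ish": "^1.3.0",
    "aliased-lib": "npm:some-lib@^2.0.0",
    "forked-lib": "github:example-org/forked-lib#v1.2.0",
    "internal-tool": "git+ssh://git@github.com/example-org/internal-tool.git",
    "quick-fork": "example-org/quick-fork",
  },
  devDependencies: {
    "test-runner": "~9.0.0",
    "local-plugin": "file:./plugins/local-plugin",
    "vendored": "https://example.com/tarballs/vendored-1.0.0.tgz",
  },
  resolutions: {
    "some-lib@^2.0.0": "patch:some-lib@npm%3A2.0.1#./.yarn/patches/some-lib.patch",
    "debug": "https://github.com/example-org/debug#main",
  },
};

const findings = findGitDependencies(SAMPLE_MANIFEST);
if (findings.length === 0) {
  console.log("No Git-sourced dependencies; approvedGitRepositories: [] is safe to enable.");
} else {
  console.log(`${findings.length} Git-sourced dependency range(s) found:`);
  for (const { field, name, range } of findings) {
    console.log(`  ${field}.${name} -> ${range}`);
  }
}
```

Run it against every package.json in the workspace, not just the root, since the allowlist applies to the whole install. A flagged `owner/repo` string that is really a typo or a path is a false positive worth fixing anyway: Yarn would have interpreted it as a GitHub shorthand.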

@Mrtenz Mrtenz had a problem deploying to default-branch May 4, 2026 12:34 with GitHub Actions (Failure)
@Mrtenz Mrtenz changed the title Add approvedGitRepositories to Yarn config chore: Add approvedGitRepositories to Yarn config May 4, 2026
@Mrtenz Mrtenz marked this pull request as ready for review May 4, 2026 13:17
@mcmire (Contributor) left a comment


Makes sense!

@Mrtenz Mrtenz added this pull request to the merge queue May 4, 2026
Merged via the queue into main with commit 7fccd4b May 4, 2026
366 checks passed
@Mrtenz Mrtenz deleted the mrtenz/yarn-approved-git-repositories branch May 4, 2026 13:58