Use yarn for package management #2430
Comments
@6a68 will take a look
@g-k Do you know if there have been any similar checksum additions in latest npm 5 (which is bundled with recent Node 8)? http://blog.npmjs.org/post/161081169345/v500 I know npm 5 also includes a package-lock.json file (similar to the shrinkwrap.json), but wasn't sure if that offered the same functionality as Yarn.
From a recent blog post by the yarn team, it seems that the difference is somewhat academic:
Are there other compelling reasons to switch?
Yeah, this predates npm 5. After finding this I'm not sure yarn is necessarily an improvement. I'll do some testing and update this issue.
Presumably if we stick with npm we'd still want to generate a lockfile and check it in (which we aren't doing now). |
@g-k we're going with the easier |
We never did npm shrinkwrap, and we've had a lot of problems with npm lockfiles. I think we should reconsider yarn. |
see also: https://github.com/mozilla-services/foxsec/issues/134
A compromised package or MITMed dependency could `npm run` arbitrary scripts as part of an install: https://docs.npmjs.com/misc/scripts

This can be fixed by using `npm install --no-script`.

However, https://yarnpkg.com/ will also validate package contents against a checksum, which is preferable.