feat(repo): migrate to Yarn 4 with 7-day npm cooldown#448
Merged
Conversation
YusukeHirao
requested review from
arktds,
dz-furukawa,
teppei-d and
yusasa16
as code owners
|
You have used all of your free Bugbot PR reviews. To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial. |
YusukeHirao
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Yarn 4 への移行と、npm サプライチェーン攻撃対策として 7日未満のパッケージをインストール・更新対象から除外するクールダウン期間の設定(frontend-env#886 の展開)を同時に行います。
Yarn 4 移行
package.jsonにpackageManager: "yarn@4.12.0"を追加、volta.yarnを1.22.22→4.12.0.yarnrc.ymlを新規作成(他リポジトリと同じnodeLinker: node-modules/npmRegistryServer/enableGlobalCache構成)yarn.lockを Yarn 4 形式に再生成.gitignoreに Yarn Berry 用の除外設定を追加npm クールダウン
.yarnrc.ymlにnpmMinimalAgeGate: 7dを追加(Yarn 4.10.0+).github/renovate.jsonにminimumReleaseAge: "7 days"/internalChecksFilter: "strict"/osvVulnerabilityAlerts: true/vulnerabilityAlerts.minimumReleaseAge: nullを追加なぜ7日なのか
悪意あるパッケージの多くは公開から数時間〜数日以内に検出・削除されます。公開直後の短期間をブロックするだけで高い防御効果が得られます。
3日(Renovate の
config:best-practicesデフォルト)では防御期間として短く、14日以上は開発速度への影響が大きくなるため、7日を採用しています。Andrew Nesbitt も7日間のクールダウンの有効性について言及しています(Package Managers Need to Cool Down)。参考資料
npmMinimalAgeGateconfiguration動作
yarn install時、公開7日未満のパッケージが含まれるとエラーで停止Warning
Yarn 側には緊急時のバイパス手段がありません。
セキュリティパッチなど公開直後のパッケージをどうしても即座にインストールする必要がある場合は、
.yarnrc.ymlのnpmMinimalAgeGateを一時的にコメントアウトして対応してください。対応後は必ず元に戻してください。