Describe the user story
As a result of the many recent supply chain attacks, I'm looking for a way to prevent yarn from installing dependencies from any registry or location other than a specific list of allowed resources.
Describe the solution you'd like
For instance, maybe a configuration like the following

```yaml
allowedDependenciesUrls:
  - registry.npmjs.org/*
  - my-private-registry.com/*
  - some-mirror.edu/*
```
And with a default value of the following if not set

```yaml
allowedDependenciesUrls:
  - registry.npmjs.org/*
```
If a sub-dependency of https://my-secure-registry-bucket.s3.amazonaws.com/evil/some-dep-1.2.3.tgz were requested, the install would fail.
Describe the drawbacks of your solution
I'm not familiar with how package managers are actually built but I think
- There could be overlapping concerns with such a setting and other yarn settings like approvedGitRepositories and enableHardenedMode
- I would think in the future there may be some dependency standards group that would define a consistent way for npm, yarn, pnpm, bun, etc. to all do this in the same way and this might have to then be updated later
Describe alternatives you've considered
- Using approvedGitRepositories - but my understanding is that this setting does cover non-git URLs like malicious s3 buckets
- Switch to another package manager
Other Notes
I haven't contributed to yarn before but I'm open to doing so. I didn't see the same request already so hopefully this issue isn't already covered somewhere else (apologies if it is.)
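One way to approximate the proposed check today, as an added example that is not part of the original issue and not yarn's own code: a script that scans a Yarn Berry yarn.lock after resolution and reports every entry whose fetch location falls outside an allowlist written in the host/path pattern shape proposed above. The function names, the constructed sample lockfile, and the assumption that npm: resolutions are fetched from the host passed as registryHost (yarn.lock does not record the registry; it comes from npmRegistryServer) are all assumptions of this example, not yarn behaviour documented on this page.

```javascript
"use strict";

// Hypothetical default: yarn.lock does not record which registry an "npm:"
// resolution is fetched from, so the caller passes the host configured in
// npmRegistryServer. The default here mirrors the issue's proposed default.
const DEFAULT_REGISTRY_HOST = "registry.npmjs.org";

// Turn an allowlist pattern such as "registry.npmjs.org/*" into an anchored
// RegExp over "host/path" (scheme already stripped). Only "*" is a wildcard;
// every other character is matched literally.
function patternToRegExp(pattern) {
  const literal = (s) => s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
  return new RegExp("^" + pattern.split("*").map(literal).join(".*") + "$");
}

// Pull every `resolution: "..."` value out of a Berry-format yarn.lock.
function parseResolutions(lockText) {
  const re = /^\s*resolution:\s*"?(.+?)"?\s*$/gm;
  return Array.from(lockText.matchAll(re), (m) => m[1]);
}

// Map a resolution ("name@protocol:ref") to the network location it is fetched
// from, as "host/path" with scheme, user and fragment removed. Returns null for
// resolutions that fetch nothing over the network.
function resolutionLocation(resolution, registryHost) {
  const at = resolution.indexOf("@", 1); // skip the leading "@" of scoped names
  const name = resolution.slice(0, at);
  const ref = resolution.slice(at + 1);

  // workspace/link/portal are local; a patch: entry wraps a package that has
  // its own lockfile entry, which is checked on its own.
  if (/^(workspace|link|portal|patch):/.test(ref)) return null;

  if (ref.startsWith("npm:")) {
    // npm registry tarball layout: <host>/<name>/-/<basename>-<version>.tgz
    const version = ref.slice("npm:".length);
    const basename = name.includes("/") ? name.split("/")[1] : name;
    return `${registryHost}/${name}/-/${basename}-${version}.tgz`;
  }
  if (/^(git\+)?(https?|ssh):\/\//.test(ref)) {
    return ref
      .replace(/^(git\+)?(https?|ssh):\/\//, "")
      .split("#")[0]
      .replace(/^[^/@]+@/, ""); // drop "git@" style user prefixes
  }
  if (/^git@[^:]+:/.test(ref)) {
    return ref.replace(/^git@([^:]+):/, "$1/").split("#")[0]; // scp-style git URL
  }
  // Unknown protocol: return it unchanged so it fails the allowlist check
  // instead of being silently accepted.
  return ref.split("#")[0];
}

// Returns the list of {resolution, location} entries not covered by any
// allowlist pattern; an empty array means the lockfile passes.
function checkLockfile(lockText, allowedPatterns, registryHost = DEFAULT_REGISTRY_HOST) {
  const allowed = allowedPatterns.map(patternToRegExp);
  const violations = [];
  for (const resolution of parseResolutions(lockText)) {
    const location = resolutionLocation(resolution, registryHost);
    if (location === null) continue;
    if (!allowed.some((re) => re.test(location))) violations.push({ resolution, location });
  }
  return violations;
}

// Constructed sample lockfile for this example (not a real project's yarn.lock).
const SAMPLE_LOCK = `
__metadata:
  version: 6

"@babel/core@npm:^7.22.0":
  version: 7.22.5
  resolution: "@babel/core@npm:7.22.5"
  linkType: hard

"lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  linkType: hard

"some-dep@https://my-secure-registry-bucket.s3.amazonaws.com/evil/some-dep-1.2.3.tgz":
  version: 1.2.3
  resolution: "some-dep@https://my-secure-registry-bucket.s3.amazonaws.com/evil/some-dep-1.2.3.tgz"
  linkType: hard

"left-pad@https://github.com/example/left-pad.git#commit=abc123":
  version: 1.3.0
  resolution: "left-pad@https://github.com/example/left-pad.git#commit=abc123"
  linkType: hard

"my-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "my-app@workspace:."
  linkType: soft
`;

// Stand-alone run: with only the proposed default allowlist, the S3 tarball
// and the GitHub checkout are reported; the workspace entry is ignored.
console.log(checkLockfile(SAMPLE_LOCK, ["registry.npmjs.org/*"]));
```

In CI this would read yarn.lock with fs.readFileSync and exit non-zero when the returned array is non-empty. Two caveats: it inspects the lockfile after resolution rather than blocking the fetch itself, so it is a guard rail next to the requested setting, not a replacement for it; and it must be given the same registry host as npmRegistryServer, with per-scope registries from npmScopes not modelled here.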