| ▲ | baobun 6 hours ago | |
Yarn is unfortunately a dead-end security-wise under current maintainership. If you are still on yarn v1 I suggest being consistent with '--ignore-scripts --frozen-lockfile' and run any necessary lifecycle scripts for dependencies yourself. There is @lavamoat/allow-scripts to manage this if your project warrants it. If you are on newer yarn versions I strongly encourage to migrate off to either pnpm or npm. | ||
| ▲ | jrochkind1 4 hours ago | parent [-] | |
newer yarn versions are _less_ secure than the ancient/abandoned yarn 1? :( Any links for further reading on security problems "under current maintainership"? | ||