Based on the recent supply chain attacks, we should harden our usage of yarn to prevent leaking of credentials on devmachines or pipeline runners.
https://trigger.dev/blog/shai-hulud-postmortem
If possible:
- Configure yarn to only use packages x days old.
- Configure yarn to not allow packages to execute scripts, unless explicitly allowed on a package level
If not possible, switch package manager? :)
Projects to implement:
- Stepup-Gateway
- Stepup-selfservice
- Stepup-ra?
- Engineblock
- sp-dashboard
Based on the recent supply chain attacks, we should harden our usage of yarn to prevent leaking of credentials on devmachines or pipeline runners.
https://trigger.dev/blog/shai-hulud-postmortem
If possible:
If not possible, switch package manager? :)
Projects to implement: