Fix yarn workspace isolation for node-client

[joemsak]

What

Fixes yarn workspace isolation for the spec/node-client directory so yarn works correctly without needing an npm workaround.

Why

With Yarn 4 (packageManager: [email protected] in root), running yarn in nested directories caused workspace detection issues. The previous workaround ran npm install --silent 2>/dev/null on every test execution, which was slow and hid errors.

How

• Add .yarnrc.yml to spec/node-client/ marking it as a standalone Yarn project
• Add root .yarnrc.yml to git (previously ignored)
• Update .gitignore to be more specific (.yarn/ instead of .yarn*)
• Remove the per-test npm install workaround
• Delete package-lock.json from node-client (use yarn consistently)

[socket-security]

Caution

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. For more information please check in at #security-help. For License Policy Violations please also tag @Aoife in #security-help.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		License policy violation: gem diff-lcs under GPL-2.0+ License: GPL-2.0+ - the applicable license policy does not allow this license (4) (docs/COPYING.txt) License: GPL-2.0-or-later - the applicable license policy does not allow this license (4) (Ruby Gem Metadata) License: Artistic-1.0-Perl - the applicable license policy does not allow this license (4) (Ruby Gem Metadata) From: Gemfile.lock → gem/[email protected] → gem/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License policy violation: gem grpc under APSL-2.0 License: APSL-2.0 - the applicable license policy does not allow this license (4) (third_party/cares/cares/src/lib/thirdparty/apple/dnsinfo.h) From: Gemfile.lock → gem/[email protected] → gem/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License policy violation: gem nokogiri under GPL-2.0-only License: GPL-2.0-only - the applicable license policy does not allow this license (4) (patches/libxml2/0010-update-config.guess-and-config.sub-for-libxml2.patch) License: GPL-2.0-only - the applicable license policy does not allow this license (4) (patches/libxslt/0001-update-config.guess-and-config.sub-for-libxslt.patch) From: Gemfile.lock → gem/[email protected] → gem/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License policy violation: gem public_suffix under MIT AND MPL-2.0 Location: Package overview From: Gemfile.lock → gem/[email protected] → gem/[email protected] → gem/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt) From: spec/node-client/package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm npm is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report