Skip to content

chore: Bump Yarn to 4.10.3 and configure NPM age gate #3691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mrtenz merged 2 commits into from
Oct 20, 2025
Merged

chore: Bump Yarn to 4.10.3 and configure NPM age gate #3691

Mrtenz merged 2 commits into from
Oct 20, 2025

Conversation

@Mrtenz
Copy link
Member

@Mrtenz Mrtenz commented Oct 20, 2025
edited by cursor bot
Loading

Explanation

This bumps Yarn to the latest version (4.10.3), which includes support for setting an age gate for NPM packages. It's set to 3 days following the security recommendations, meaning that packages must be at least 3 days old to be installed.

References

MetaMask/metamask-module-template#270

Note

Upgrades Yarn to 4.10.3, adds a 3-day npm age gate with preapproved packages, and updates related configs and LavaMoat policy references.

  • Build/Config:
    • Yarn upgrade: Set yarnPath and root packageManager to [email protected] in .yarnrc.yml, package.json, and yarn.config.cjs.
    • NPM age gate: Add npmMinimalAgeGate: 4320 and npmPreapprovedPackages (@metamask/*, @lavamoat/*) in .yarnrc.yml.
  • LavaMoat policy:
    • Update policy.json to reference depcheck>readdirp>picomatch instead of ts-loader>micromatch>picomatch in relevant entries.

Written by Cursor Bugbot for commit 635d8c1. This will update automatically on new commits. Configure here.

@Mrtenz Mrtenz marked this pull request as ready for review October 20, 2025 10:27
@Mrtenz Mrtenz requested a review from a team as a code owner October 20, 2025 10:27
@Gudahtt
Copy link
Member

Gudahtt commented Oct 20, 2025

Those are some interesting CI failures

@Mrtenz
Copy link
Member Author

Mrtenz commented Oct 20, 2025

@metamaskbot update-pr

@codecov
Copy link

codecov bot commented Oct 20, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.29%. Comparing base (fff1ef6) to head (635d8c1).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #3691   +/-   ##
=======================================
  Coverage   98.29%   98.29%           
=======================================
  Files         417      417           
  Lines       11925    11925           
  Branches     1851     1851           
=======================================
  Hits        11722    11722           
  Misses        203      203

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Gudahtt
Gudahtt approved these changes Oct 20, 2025
View reviewed changes
Copy link
Member

@Gudahtt Gudahtt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@Mrtenz Mrtenz added this pull request to the merge queue Oct 20, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 20, 2025
@Mrtenz Mrtenz added this pull request to the merge queue Oct 20, 2025
Merged via the queue into main with commit 68a2b0c Oct 20, 2025
121 checks passed
@Mrtenz Mrtenz deleted the mrtenz/npm-age-gate branch October 20, 2025 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Gudahtt Gudahtt Gudahtt approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Mrtenz @Gudahtt @metamaskbot