build: restrict postinstall scripts during package installation

When performing a yarn-based package installation, only a specific group
of dependencies will now have postinstall scripts executed. This not only
provides additional security benefits but also reduced the amount of script
execution that occurs during each install. The workspace scripts are automatically
allowed and additional specific packages can be allowed as needed.

Author: clydin

material.angular.io/material.angular.io/.aspect/rules/external_repository_action_cache/npm_translate_lock_LTE4Nzc1MDcwNjU=

@@ -2,6 +2,6 @@
 # Input hashes for repository rule npm_translate_lock(name = "npm", pnpm_lock = "//:pnpm-lock.yaml").
 # This file should be checked into version control along with the pnpm-lock.yaml file.
 .npmrc=-1306950124
-pnpm-lock.yaml=1345633539
-yarn.lock=-2024993586
-package.json=-2093305059
+pnpm-lock.yaml=1087437730
+yarn.lock=-1043892813
+package.json=430646288

material.angular.io/material.angular.io/.yarnrc.yml

@@ -1,3 +1,5 @@
+enableScripts: false
+
 nodeLinker: node-modules
 
 yarnPath: .yarn/releases/yarn-4.4.0.cjs

material.angular.io/material.angular.io/package.json

@@ -102,5 +102,16 @@
     "ts-node": "^8.10.2",
     "typescript": "~5.5.2"
   },
-  "packageManager": "[email protected]"
+  "packageManager": "[email protected]",
+  "dependenciesMeta": {
+    "esbuild": {
+      "built": true
+    },
+    "puppeteer": {
+      "built": true
+    },
+    "re2": {
+      "built": true
+    }
+  }
 }

material.angular.io/material.angular.io/pnpm-lock.yaml

@@ -12129,6 +12129,13 @@ __metadata:
     tslib: "npm:^2.3.0"
     typescript: "npm:~5.5.2"
     zone.js: "npm:~0.14.10"
+  dependenciesMeta:
+    esbuild:
+      built: true
+    puppeteer:
+      built: true
+    re2:
+      built: true
   languageName: unknown
   linkType: soft