
Chore: yarn audit config#288

Merged
github-actions[bot] merged 1 commit into main from yarn-audit-fix
Jan 12, 2026

Conversation

@black7375
Contributor

@black7375 black7375 commented Jan 12, 2026

Description

Fix audit issue and adjust npm age.

Related Issue

Summary by CodeRabbit

  • Chores
    • Updated Yarn package manager from version 4.10.3 to 4.12.0
    • Enhanced package manager configuration for dependency verification and handling processes


Additional context

Checklist

@changeset-bot

changeset-bot bot commented Jan 12, 2026

⚠️ No Changeset found

Latest commit: e9ebbb2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai

coderabbitai bot commented Jan 12, 2026

📝 Walkthrough

Walkthrough

The pull request updates Yarn configuration and package manager versions from 4.10.3 to 4.12.0 across two files. Additionally, it adds npm security controls including minimal age gating, preapproved packages, excluded audit packages, and enhanced package extensions for prettier-eslint.

Changes

  • Configuration and Package Manager Updates (.yarnrc.yml, package.json): Updated Yarn version from 4.10.3 to 4.12.0; added npmMinimalAgeGate (7d), npmPreapprovedPackages (@mincho-js/*), npmAuditExcludePackages (deep-diff), and packageExtensions for prettier-eslint with a typescript dependency.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

Suggested labels

config/build

Poem

🐰 Hop-hop, the yarn is now refined,
Version 4.12 leaves bugs behind,
With security gates and packages blessed,
Our config's now dressed in its finest vest!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The description is incomplete with minimal detail. While it mentions 'Fix audit issue and adjust npm age,' it lacks substantive explanation of what was changed and why. Resolution: expand the description to explain the specific audit issues addressed, the purpose of npmMinimalAgeGate: 7d, and why the Yarn version was upgraded from 4.10.3 to 4.12.0.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title 'Chore: yarn audit config' directly relates to the main changes, which involve updating Yarn configuration and audit settings, making it clear and specific.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d7cf9b5 and e9ebbb2.

⛔ Files ignored due to path filters (1)
  • .yarn/releases/yarn-4.12.0.cjs is excluded by !**/.yarn/**
📒 Files selected for processing (2)
  • .yarnrc.yml
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: typecheck
🔇 Additional comments (5)
.yarnrc.yml (4)

13-14: LGTM!

The 7-day minimum age gate is a good supply chain security practice that helps protect against newly published malicious packages.


15-16: LGTM!

Preapproving @mincho-js/* packages makes sense to bypass the age gate for your own organization's packages.


30-30: LGTM!

The Yarn path update correctly aligns with the version bump in package.json.


18-19: Update rationale for excluding deep-diff from audit.

The comment incorrectly states that deep-diff is deprecated. While deep-diff is unmaintained and lacks recent activity, it is not formally deprecated, and no known security vulnerabilities exist in the package. Excluding it from audit primarily addresses maintenance risk rather than active security threats.

If the goal is to manage dependency maintenance, consider explicitly documenting the maintenance status and plan a migration timeline to a maintained alternative like jsondiffpatch (ensure version ≥0.7.2) or the diff package. Update the .yarnrc.yml comment to reflect the actual reason (unmaintained status) rather than false deprecation.

Likely an incorrect or invalid review comment.

package.json (1)

5-5: The Yarn upgrade to 4.12.0 is safe and valid. This is a minor version bump containing only non-breaking bug fixes (git handling, npm web login support) and no breaking changes are reported.


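The review above describes the supply-chain settings this PR adds (npmMinimalAgeGate: 7d with @mincho-js/* preapproved), but not what such a gate actually does at resolution time. The following is an added example, not code from Yarn or from the mincho project: it models the selection rule a minimum-age gate applies to npm registry metadata, so a reviewer can see which version a 7-day gate lets through and how a preapproved scope bypasses it. The function names, the duration parser (only d/h/m units) and the registry data are all assumptions constructed for the illustration; a real packument has the same `time` map shape but comes from the registry.

```javascript
// Added example, not Yarn's own code: a model of how a minimum-age gate such as
// Yarn's npmMinimalAgeGate (with npmPreapprovedPackages) constrains version
// selection. Registry data below is constructed; a real npm packument carries a
// `time` map of version -> ISO-8601 publish timestamp in the same shape.

const MS = { m: 60000, h: 3600000, d: 86400000 };

// Parse a duration like "7d", "12h" or "30m" into milliseconds.
// Assumption: only the d/h/m units are needed for this illustration.
function parseAge(spec) {
  const m = /^(\d+)([dhm])$/.exec(spec);
  if (!m) throw new Error(`unsupported age spec: ${spec}`);
  return Number(m[1]) * MS[m[2]];
}

// Match a package name against preapproval patterns such as "@mincho-js/*".
function isPreapproved(name, patterns) {
  return patterns.some((p) =>
    p.endsWith('/*') ? name.startsWith(p.slice(0, -1)) : name === p,
  );
}

// Numeric compare of "x.y.z" versions (pre-release tags are not modelled here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return the newest version that has been public for at least the gate's
// minimal age at time `now`, or the newest version of any age if the package
// is preapproved. Returns null when every published version is still too young.
function selectVersion(packument, gate, now) {
  const minAge = parseAge(gate.minimalAge);
  const skipGate = isPreapproved(packument.name, gate.preapproved);
  const eligible = Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([, published]) => skipGate || now - Date.parse(published) >= minAge)
    .map(([version]) => version)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Constructed sample data: a third-party package whose newest release is only
// two days old, and a preapproved organisation package published yesterday.
const SAMPLE_NOW = Date.parse('2026-01-12T00:00:00Z');
const SAMPLE_GATE = { minimalAge: '7d', preapproved: ['@mincho-js/*'] };
const SAMPLE_PACKUMENT = {
  name: 'example-util',
  time: {
    created: '2025-12-01T00:00:00Z',
    modified: '2026-01-10T00:00:00Z',
    '1.0.0': '2025-12-01T00:00:00Z',
    '1.1.0': '2026-01-02T00:00:00Z',
    '1.1.1': '2026-01-10T00:00:00Z',
  },
};
const SAMPLE_SCOPED = {
  name: '@mincho-js/core',
  time: { '0.1.0': '2025-12-20T00:00:00Z', '0.2.0': '2026-01-11T00:00:00Z' },
};

console.log(selectVersion(SAMPLE_PACKUMENT, SAMPLE_GATE, SAMPLE_NOW)); // 1.1.0 (1.1.1 is too young)
console.log(selectVersion(SAMPLE_SCOPED, SAMPLE_GATE, SAMPLE_NOW)); // 0.2.0 (preapproved scope bypasses the gate)
```

The point of the gate is the window it buys: a freshly published malicious version of example-util is not selectable until it has sat on the registry for the configured period, during which it can be reported and unpublished, while the organisation's own scope stays unaffected. The null result is the trade-off to plan for: a brand-new dependency with only young releases resolves to nothing until the window elapses.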

@github-actions
Contributor

Triggered from #288 by @black7375.

Checking if we can fast forward main (d7cf9b5) to yarn-audit-fix (e9ebbb2).

Target branch (main):

commit d7cf9b54ceed3bbb251661ee542372082074e044 (HEAD -> main, origin/main)
Author: alstjr7375 <alstjr7375@daum.net>
Date:   Sat Nov 22 00:00:00 2025 +0900

    Feat: `cx` function from clsx #285

Pull request (yarn-audit-fix):

commit e9ebbb2bf988240c5b70bcfc97820bbfdfb27d96 (pull_request/yarn-audit-fix)
Author: alstjr7375 <alstjr7375@daum.net>
Date:   Sun Nov 23 00:00:00 2025 +0900

    Chore: yarn audit config

It is possible to fast forward main (d7cf9b5) to yarn-audit-fix (e9ebbb2). If you have write access to the target repository, you can add a comment with /fast-forward to fast forward main to yarn-audit-fix.

@black7375
Contributor Author

/fast-forward

@github-actions
Contributor

Triggered from #288 (comment) by @black7375.

Trying to fast forward main (d7cf9b5) to yarn-audit-fix (e9ebbb2).

Target branch (main):

commit d7cf9b54ceed3bbb251661ee542372082074e044 (HEAD -> main, origin/main)
Author: alstjr7375 <alstjr7375@daum.net>
Date:   Sat Nov 22 00:00:00 2025 +0900

    Feat: `cx` function from clsx #285

Pull request (yarn-audit-fix):

commit e9ebbb2bf988240c5b70bcfc97820bbfdfb27d96 (pull_request/yarn-audit-fix)
Author: alstjr7375 <alstjr7375@daum.net>
Date:   Sun Nov 23 00:00:00 2025 +0900

    Chore: yarn audit config

Fast forwarding main (d7cf9b5) to yarn-audit-fix (e9ebbb2).

$ git push origin e9ebbb2bf988240c5b70bcfc97820bbfdfb27d96:main
To https://github.com/mincho-js/mincho.git
   d7cf9b5..e9ebbb2  e9ebbb2bf988240c5b70bcfc97820bbfdfb27d96 -> main

@github-actions github-actions bot merged commit e9ebbb2 into main Jan 12, 2026
12 checks passed
@github-actions github-actions bot deleted the yarn-audit-fix branch January 12, 2026 14:48