Makes enableScripts: false the default (#7089)

## What's the problem this PR addresses?

<!-- Describe the rationale of your PR. -->
<!-- Link all issues that it closes. (Closes/Resolves #xxxx.) -->

I was planning to wait until the next major to land this, but
considering the regularity of package compromissions, I think we need to
address it sooner than that.

## How did you fix it?

<!-- A detailed description of your implementation. -->

Disables running scripts by default.

## Checklist

<!--- Don't worry if you miss something, chores are automatically
tested. -->
<!--- This checklist exists to help you remember doing the chores when
you submit a PR. -->
<!--- Put an `x` in all the boxes that apply. -->
- [x] I have read the [Contributing
Guide](https://yarnpkg.com/advanced/contributing).

<!-- See
https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released
for more details. -->
<!-- Check with `yarn version check` and fix with `yarn version check
-i` -->
- [x] I have set the packages that need to be released for my changes to
be effective.

<!-- The "Testing chores" workflow validates that your PR follows our
guidelines. -->
<!-- If it doesn't pass, click on it to see details as to what your PR
might be missing. -->
- [x] I will check that all automated PR checks pass before the PR gets
reviewed.

Author: arcanis

.pnp.cjs

@@ -0,0 +1,36 @@
+releases:
+  "@yarnpkg/cli": minor
+  "@yarnpkg/core": minor
+  "@yarnpkg/doctor": patch
+  "@yarnpkg/plugin-essentials": minor
+
+declined:
+  - "@yarnpkg/plugin-catalog"
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-exec"
+  - "@yarnpkg/plugin-file"
+  - "@yarnpkg/plugin-git"
+  - "@yarnpkg/plugin-github"
+  - "@yarnpkg/plugin-http"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-interactive-tools"
+  - "@yarnpkg/plugin-jsr"
+  - "@yarnpkg/plugin-link"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-npm"
+  - "@yarnpkg/plugin-npm-cli"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/extensions"
+  - "@yarnpkg/nm"
+  - "@yarnpkg/pnpify"
+  - "@yarnpkg/sdks"

.yarn/versions/5cc386c8.yml

@@ -60,12 +60,49 @@ describe(`Commands`, () => {
       }),
     );
 
+    test(
+      `it should migrate old lockfiles by setting enableScripts to true when unset`,
+      makeTemporaryEnv({
+        dependencies: {
+          [`no-deps`]: `1.0.0`,
+        },
+      }, async ({path, run}) => {
+        const lockfilePath = ppath.join(path, Filename.lockfile);
+        const rcPath = ppath.join(path, Filename.rc);
+
+        await run(`install`);
+
+        const lockfile = await xfs.readFilePromise(lockfilePath, `utf8`);
+        const match = lockfile.match(/^__metadata:\r?\n {2}version: (\d+)$/m);
+
+        expect(match).not.toBeNull();
+        const currentVersion = Number(match![1]);
+        const previousVersion = Math.max(0, currentVersion - 1);
+
+        const downgraded = lockfile.replace(
+          /^(__metadata:\r?\n {2}version: )\d+$/m,
+          `$1${previousVersion}`,
+        );
+
+        expect(downgraded).not.toEqual(lockfile);
+        await xfs.writeFilePromise(lockfilePath, downgraded);
+
+        await expect(xfs.existsPromise(rcPath)).resolves.toBeFalsy();
+
+        await run(`install`);
+
+        await expect(xfs.readFilePromise(rcPath, `utf8`)).resolves.toContain(`enableScripts: true`);
+      }),
+    );
+
     test(
       `it should print the logs to the standard output when using --inline-builds`,
       makeTemporaryEnv({
         dependencies: {
           [`no-deps-scripted`]: `1.0.0`,
         },
+      }, {
+        enableScripts: true,
       }, async ({path, run, source}) => {
         const {stdout} = await run(`install`, `--inline-builds`);
 
@@ -80,6 +117,8 @@ describe(`Commands`, () => {
         dependencies: {
           [`no-deps-scripted`]: `1.0.0`,
         },
+      }, {
+        enableScripts: true,
       }, async ({path, run, source}) => {
         const {stdout} = await run(`install`, `--inline-builds`, `--mode=skip-build`);
 
@@ -94,6 +133,8 @@ describe(`Commands`, () => {
         dependencies: {
           [`no-deps-scripted`]: `1.0.0`,
         },
+      }, {
+        enableScripts: true,
       }, async ({path, run, source}) => {
         const pnpPath = ppath.join(path, Filename.pnpCjs);
 

packages/acceptance-tests/pkg-tests-specs/sources/commands/install.test.ts

@@ -7,6 +7,8 @@ describe(`Commands`, () => {
           [`no-deps-scripted`]: `1.0.0`,
           [`no-deps-scripted-bis`]: `1.0.0`,
         },
+      }, {
+        enableScripts: true,
       }, async ({path, run, source}) => {
         await run(`install`);
 
@@ -45,6 +47,8 @@ describe(`Commands`, () => {
           [`no-deps-scripted`]: `1.0.0`,
           [`no-deps-scripted-bis`]: `1.0.0`,
         },
+      }, {
+        enableScripts: true,
       }, async ({path, run, source}) => {
         await run(`install`);
 

packages/acceptance-tests/pkg-tests-specs/sources/commands/rebuild.test.js

@@ -692,6 +692,9 @@ describe(`Dragon tests`, () => {
           `pkg-b`,
         ],
       },
+      {
+        enableScripts: true,
+      },
       async ({path, run, source}) => {
         // This dragon test represents the following scenario:
         //

packages/acceptance-tests/pkg-tests-specs/sources/dragon.test.js

@@ -73,6 +73,7 @@ describe(`Install Artifact Cleanup`, () => {
               [`no-deps-scripted`]: `1.0.0`,
             },
           }, {
+            enableScripts: true,
             pnpEnableEsmLoader: true,
           }, async ({path, run, source}) => {
             await run(`install`);

packages/acceptance-tests/pkg-tests-specs/sources/features/installArtifactCleanup.test.ts

@@ -105,6 +105,7 @@ describe(`Node_Modules`, () => {
         },
       },
       {
+        enableScripts: true,
         nodeLinker: `node-modules`,
       },
       async ({path, run, source}) => {
@@ -1760,6 +1761,7 @@ describe(`Node_Modules`, () => {
         },
       },
       {
+        enableScripts: true,
         nodeLinker: `node-modules`,
       },
       async ({path, run, source}) => {

packages/acceptance-tests/pkg-tests-specs/sources/node-modules.test.ts

@@ -1326,6 +1326,9 @@ describe(`Plug'n'Play`, () => {
       {
         dependencies: {[`no-deps-scripted`]: `1.0.0`},
       },
+      {
+        enableScripts: true,
+      },
       async ({path, run, source}) => {
         await run(`install`);
 
@@ -1389,6 +1392,9 @@ describe(`Plug'n'Play`, () => {
       {
         dependencies: {[`no-deps-scripted`]: `1.0.0`},
       },
+      {
+        enableScripts: true,
+      },
       async ({path, run, source}) => {
         await run(`install`);
 
@@ -1953,6 +1959,9 @@ describe(`Plug'n'Play`, () => {
           'no-deps-scripted': `*`,
         },
       },
+      {
+        enableScripts: true,
+      },
       async ({path, run, source}) => {
         await run(`install`);
 

packages/acceptance-tests/pkg-tests-specs/sources/pnp.test.js

@@ -342,7 +342,9 @@ describe(`Scripts tests`, () => {
 
       test(
         `it should run install scripts during the install`,
-        makeTemporaryEnv({dependencies: {[`no-deps-scripted`]: `1.0.0`}}, async ({path, run, source}) => {
+        makeTemporaryEnv({dependencies: {[`no-deps-scripted`]: `1.0.0`}}, {
+          enableScripts: true,
+        }, async ({path, run, source}) => {
           await run(`install`);
 
           await expect(source(`require('no-deps-scripted/log.js')`)).resolves.toEqual([
@@ -457,7 +459,9 @@ describe(`Scripts tests`, () => {
 
       test(
         `it should abort with an error if a package can't be built`,
-        makeTemporaryEnv({dependencies: {[`no-deps-scripted-to-fail`]: `1.0.0`}}, async ({path, run, source}) => {
+        makeTemporaryEnv({dependencies: {[`no-deps-scripted-to-fail`]: `1.0.0`}}, {
+          enableScripts: true,
+        }, async ({path, run, source}) => {
           await expect(run(`install`)).rejects.toThrow();
         }),
       );
@@ -522,6 +526,9 @@ describe(`Scripts tests`, () => {
           {
             dependencies: {[`binding-gyp-scripts`]: `1.0.0`},
           },
+          {
+            enableScripts: true,
+          },
           async ({path, run, source}) => {
             await run(`install`, {env: {}});
 
@@ -540,6 +547,8 @@ describe(`Scripts tests`, () => {
           dependencies: {
             [`no-deps-scripted`]: `1.0.0`,
           },
+        }, {
+          enableScripts: true,
         }, async ({path, run, source}) => {
           await run(`install`);
 

packages/acceptance-tests/pkg-tests-specs/sources/script.test.ts

@@ -17,6 +17,14 @@ Our implementation has a couple of differences with the npm one. Like most other
 You can exclude your `devDependencies` (and their transitive dependencies) from the report by running the command with `--environment production`.
 :::
 
+## Postinstalls
+
+Yarn doesn't run postinstalls by default ever since 4.14. You must either enable them globally by adding `enableScripts: true` to your `.yarnrc.yml`, or on a by-package basis using `dependenciesMeta` in your top-level `package.json`.
+
+## Age gate
+
+Yarn 4.12 introduced `npmMinimalAgeGate` to restrict packages installed on your machine to only packages that got published at least N days prior. The `npmPreapprovedPackages` setting also lets you bypass this check for specific packages.
+
 ## Hardened mode
 
 The hardened mode can be set (or disabled) using either the `enableHardenedMode` setting or by defining `YARN_ENABLE_HARDENED_MODE=1|0` in your environment variables, but in most cases you won't even have to think about it - the hardened mode is enabled by default when Yarn detects it runs in a pull request from a public GitHub repository.