Feature request: Allowlist for third-party scripts run during installation

[Gudahtt]

Problem

Third-party scripts (i.e. scripts from dependencies) run during installation can be used for supply-chain attacks, which have been increasingly common recently.

Feature request

To protect against this risk, Yarn should run no third-party scripts by default. The only code run by default during installation should be from Yarn itself, the project author directly (i.e. top-level install scripts), or foundational system dependencies (e.g. Node.js, Bash, etc.).

Instead of running by default, install scripts from dependencies can be selectively enabled using an allowlist. This allows the project author to accept the risks of install scripts on a case-by-case basis, giving them the opportunity to do whatever analysis/audit/risk assessment they deem necessary. It also protects against new unexpected or unwanted install scripts.

[Gudahtt]

Background

Yarn v4

You can accomplish something like this today with Yarn v4 by setting enableScripts to false, then adding an entry to dependenciesMeta with built: true for each dependency you want to enable install scripts for. However, this is still unsafe for two reasons:

1. Dependencies are not uniquely identifiable
   • dependenciesMeta entries are keyed by ident (i.e. package scope + package name). The same ident can be shared between dependencies with completely different authors.
     • For example, a malicious package could add a git: dependency that shares a name with an allowed package, effectively bypassing the allowlist.
     • Or a previously trusted package could be taken over by a malicious or careless maintainer, again letting a risky install script get past the allowlist without the opportunity for the project author to scrutinize it.
2. enableScripts and dependenciesMeta.built is not considered for git: dependencies. Any git: dependencies (either direct or transitive dependencies) bypass the allowlist.

Effectively Yarn v4 does not allow preventing install scripts by default, and it provides no effective means of selectively allowing install scripts.

Third-party tools

There exist third-party tools (e.g. @lavamoat/allow-scripts) that can be used to selectively enable install scripts by package source (after setting enableScripts to false).

There are also tools that will prevent the use of git: dependencies by scanning the lockfile (e.g. @lavamoat/git-safe-dependencies), which could be setup in CI as a lint step.

However, even when using both tools, there is no protection against git: dependencies being run locally.

Hypothetically, a third-party solution could exist with the help of a Yarn plugin that disallowed git: dependencies. But in my opinion, the risks posed by supply-chain attacks are significant enough that this deserves a first-party solution. We want Yarn to be secure by default, without specialized knowledge or tools.

[Gudahtt]

Suggested solution

Deprecate enableScripts and dependenciesMeta.built, and introduce a new setting to .yarnrc.yml: allowScripts.

allowScripts would be keyed by locator, so that they would uniquely identify a package source. The value would be either true (to allow install scripts), false (to disallow install scripts), or a map of more fine-grained settings (such as which install scripts to allow, or whether to run install for a git: dependency or not).

e.g.

allowScripts:
  "@foo/bar@npm:1.0.0": true
  "@foo/bar@npm:2.0.0": false
  "@foo/bar@git:https://github.com/yarnpkg/bar.git":
    preinstall: false,
    install: true,
    postinstall: false,

I am unsure about the format, and which settings would be necessary. I will consider this further.