Merged
16 changes: 16 additions & 0 deletions docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx
Expand Up @@ -115,6 +115,16 @@ npmMinimalAgeGate: 1d

A longer duration provides more protection but delays access to new releases. A shorter duration gives faster access but reduces the window for malicious packages to be caught.

<Alert type="warning" title="Compatibility with Webiny releases">

Webiny validates every release against a `3d` age gate. This means all third-party dependencies included in a Webiny release are guaranteed to be at least three days old at the time of release - but not necessarily older than that.

If you set a stricter age gate (for example `7d`) and install a new Webiny version on release day, Yarn will reject any third-party dependency that Webiny relies on if it was published less than seven days ago. The `npmPreapprovedPackages` list only exempts `@webiny/*` packages - it does not cover the third-party packages that Webiny depends on.

To avoid this, either keep the default `3d` value, or wait the difference between your age gate and `3d` after a Webiny release before upgrading. For example, with `7d`, wait four days after the release.

</Alert>

## Approved Git Repositories

```yaml .yarnrc.yml
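Review bot: The second paragraph of the new "Compatibility with Webiny releases" Alert says `npmPreapprovedPackages` "only exempts `@webiny/*` packages" but does not say what a reader should do about that, and the obvious reaction for someone on a `7d` gate is to preapprove whichever third-party packages Yarn rejects. That removes the age check for exactly the newest dependencies in the release, which is the case the gate exists for. Suggest adding a sentence to that paragraph stating that waiting is preferred over preapproving third-party packages. In the last paragraph it would also help to say that "the difference between your age gate and `3d`" is the longest wait that can be needed, since the first paragraph only guarantees a minimum age of three days and many dependencies will be older.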
Expand Down Expand Up @@ -146,6 +156,12 @@ The age gate blocked a package version. You have three options:
- **Preapprove** - add the package to `npmPreapprovedPackages` if you trust the publisher
- **Lower the gate** - reduce `npmMinimalAgeGate` (not recommended unless you understand the risk)

<Alert type="info" title="Seeing this right after a Webiny upgrade?">

If this error appears immediately after upgrading to a new Webiny version, your age gate is likely stricter than the `3d` default that Webiny uses. Third-party dependencies in the release may not yet meet your gate. Either wait for the packages to age past your threshold, or lower your age gate to `3d` to match Webiny's release process.

</Alert>

### "Lifecycle scripts are disabled"

A package tried to run a script during installation but `enableScripts: false` blocked it. If the package needs scripts to function correctly, allow them for that specific package rather than enabling scripts globally.
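Review bot: The new "Seeing this right after a Webiny upgrade?" Alert ends by suggesting "lower your age gate to `3d`", directly beneath the existing bullet that marks "Lower the gate" as "not recommended unless you understand the risk", so the page now gives conflicting guidance within a few lines. Suggest leading with the waiting option, repeating the wait rule from the compatibility Alert (your age gate minus `3d`, for example four days with `7d`) or linking to it, and wording the `3d` option as a trade-off that shortens the window for catching a malicious release. The phrase "the `3d` default that Webiny uses" also reads as a config default, while the other Alert describes `3d` as the gate releases are validated against; using the same wording in both places would avoid confusion.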