Merge pull request #156 from Typeform/appsec/harden-yarn-config

Thr44 · web-flow · commit dfecb02bff46 · 2026-04-28T10:49:41.000+01:00
fix(PLT-3359): harden yarn configuration
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,5 +1,4 @@
 version: 2
-
 registries:
   npm-github:
     type: npm-registry
@@ -10,7 +9,6 @@ registries:
     url: https://github.com
     username: x-access-token
     password: '${{ secrets.GH_TOKEN }}'
-
 updates:
   - package-ecosystem: npm
     schedule:
@@ -27,7 +25,11 @@ updates:
     registries:
       - npm-github
       - git-github
-
+    cooldown:
+      default:
+        days: 7
+      exclude-patterns:
+        - "@typeform/*"
   - package-ecosystem: github-actions
     schedule:
       interval: weekly
diff --git a/.yarnrc b/.yarnrc
@@ -0,0 +1,2 @@
+ignore-scripts true   # blocks all postinstall scripts
+save-exact true       # forces exact pins on yarn add

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ignore-scripts true # blocks all postinstall scripts`
	`2`	`+save-exact true # forces exact pins on yarn add`