containerbuildsystem / cachi2 / 6932205573 / 2
97%
main: 97%

Build:
DEFAULT BRANCH: main
Ran 20 Nov 2023 03:26PM UTC
Files 32
Run time 1s
20 Nov 2023 03:24PM UTC coverage: 97.346% (+0.1%) from 97.246%
6932205573.2

push

github

eskultety
package_managers: yarn: Refuse projects using zero-install workflow

The concept of zero installs, i.e. no install needed (git clone is
sufficient), is inherently flawed for a number of reasons:
    - taking over maintenance (by means of manual updates) of a
      project's dependencies by baking their sources into the given
      project's repository
    - creating unnecessary bloat (often in the form of binary formats) in
      the repository
    - moving the trust in package contents from the official packaging
      tooling and official public registries to a given project, which
      doesn't really solve the biggest security problem of many public
      packaging repositories - unvetted contents

just to mention a few. In the context of Yarn, what the above would mean is
checking dependencies' ZIP files into the repository. While that may
sound like an acceptable use case since Yarn can verify the integrity of
the ZIP archives, some dependencies (due to e.g. post-install scripts)
may end up being unpacked into a .yarn/unplugged directory, effectively
creating an exploded node_modules/ dependency tree hierarchy inside the
repository, which would be needed for the zero-install use case to work.
However, we would have to employ a complex methodology (still
preventing arbitrary code execution) of reliably verifying such
dependencies in order to produce an accurate SBOM. Since we already
reject projects containing a 'node_modules' directory inside the
repository for NPM, we can use that as a precedent here.

The whole situation would be different if Yarn provided a mechanism to
verify the integrity of 'unplugged' contents the same way it does for
ZIP files, but unfortunately it doesn't [1].

As a result of this patch, some test variants involving the zero-install
use case, which no longer applies, have been adjusted accordingly, and
dedicated test cases dealing with zero installs were added.

[1] Even if one sets the 'immutablePatterns' [2] YarnRc configuration
opti... (continued)

3081 of 3165 relevant lines covered (97.35%)

0.97 hits per line

Source Files on job python-3.11 - 6932205573.2
  • 0a913377 on github