
test: remove Yarn Modern approvedGitRepositories #1765

Merged
mschile merged 1 commit into cypress-io:master from MikeMcC399:remove/yarn-approved-git-repositories
May 18, 2026

@MikeMcC399 (Collaborator) commented May 16, 2026

Situation

The configuration files in the Yarn Modern example directories:

include a section that was automatically added by Yarn migration in preparation of PR #1728:

approvedGitRepositories:
  - '**'

• Yarn added this for backwards compatibility; however, the dependencies for Yarn Modern examples do not need to be installed from a GitHub repository, and allowing it is a security risk.
• An additional issue is a conflict between Yarn and Prettier. yarn set version latest changes from single quotes to double quotes, whereas Prettier requires single quotes. This is separately reported in "[Bug?]: approvedGitRepositories overwritten with doublequotes" yarnpkg/berry#7138

Change

In the Yarn Modern example configuration files:

remove the section which allows installing dependencies from arbitrary repositories instead of from the npm registry:

approvedGitRepositories:
  - '**'

Verification

git clean -xfd
npm install corepack@latest -g
corepack enable yarn
corepack install yarn@latest -g

cd examples

cd yarn-modern
yarn install
cd ..

cd yarn-modern-pnp
yarn install
cd ..

cd ..

./scripts/update-cypress-latest-yarn.sh

Confirm no errors and no uncommitted changes produced.


Note

Low Risk
Low risk config-only change limited to example Yarn settings; it mainly reduces an overly permissive install allowance and shouldn’t affect installs that use registry dependencies.

Overview
Removes approvedGitRepositories: ['**'] from the examples/yarn-modern and examples/yarn-modern-pnp Yarn configs, eliminating the ability for these examples to install dependencies from arbitrary git repositories.

All other Yarn settings in these examples remain unchanged (e.g., enableScripts, and nodeLinker for yarn-modern).

Reviewed by Cursor Bugbot for commit bdd51ba. Bugbot is set up for automated code reviews on this repo.

@MikeMcC399 self-assigned this May 16, 2026
@MikeMcC399 added the "type: enhancement" and "tests" labels May 16, 2026
@MikeMcC399 marked this pull request as ready for review May 16, 2026 11:16
@MikeMcC399 requested a review from mschile May 18, 2026 05:30
@mschile merged commit 983743e into cypress-io:master May 18, 2026
90 checks passed
@MikeMcC399 deleted the remove/yarn-approved-git-repositories branch May 18, 2026 14:52
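
A CI guard for the setting this pull request removes, as an added example that is not part of the pull request or the repository: it flags any Yarn config whose approvedGitRepositories section lists the catch-all `**`, in either quote style (the Yarn/Prettier difference noted above) or as an inline list. It assumes the config files are named .yarnrc.yml; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: fail CI when a Yarn config approves every git repository.
# Assumption: Yarn Modern config files are named .yarnrc.yml.

# has_wildcard_approval FILE: exit 0 if approvedGitRepositories lists ** in FILE.
has_wildcard_approval() {
  awk '
    # Catch-all pattern, bare or in either quote style (Yarn writes double
    # quotes, Prettier single).
    function is_catch_all(v) {
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      return v == "**" || v == "\047**\047" || v == "\"**\""
    }
    { sub(/\r$/, ""); sub(/[ \t]+#.*$/, "") }   # drop CR and trailing comments
    /^approvedGitRepositories:/ {
      in_key = 1; rest = $0
      sub(/^approvedGitRepositories:[ \t]*/, "", rest)
      if (rest ~ /^\[/) {            # inline form: approvedGitRepositories: ["**"]
        gsub(/^\[|\][ \t]*$/, "", rest)
        n = split(rest, items, ",")
        for (i = 1; i <= n; i++) if (is_catch_all(items[i])) found = 1
        in_key = 0
      }
      next
    }
    /^[^ \t#-]/ { in_key = 0 }       # next top-level key ends the section
    in_key && /^[ \t]*-/ {           # block form: "  - pattern"
      item = $0; sub(/^[ \t]*-[ \t]*/, "", item)
      if (is_catch_all(item)) found = 1
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# audit_yarn_configs DIR: list offending configs on stderr, return 1 if any.
audit_yarn_configs() {
  bad=$(find "$1" -name .yarnrc.yml ! -path '*/node_modules/*' |
    while IFS= read -r f; do
      if has_wildcard_approval "$f"; then printf '%s\n' "$f"; fi
    done)
  if [ -z "$bad" ]; then return 0; fi
  printf 'approvedGitRepositories allows any repository in:\n%s\n' "$bad" >&2
  return 1
}

# Audit the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then audit_yarn_configs "$1"; fi
```

Run it with the directory to audit as the only argument; a non-zero exit status means at least one config still carries the catch-all entry.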