Code Review
This pull request pins dependency versions across several package.json files and introduces a .yarnrc.yml configuration to enhance supply chain security, including an age gate for npm packages and disabling lifecycle scripts. A critical issue was identified where disabling lifecycle scripts globally will break the necessary postinstall setup for the project; it is recommended to use an allow-list for specific scripts instead.
The reviewed lines of .yarnrc.yml:

```yaml
npmMinimalAgeGate: 10080

# Disable ALL lifecycle scripts (postinstall, etc.)
enableScripts: false
```
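Review bot: the `npmMinimalAgeGate: 10080` line at the top of this snippet carries no comment explaining the value, while the `enableScripts` line below it does; a comment stating the unit and the publication delay the value enforces would document the gate's intent for the next reader.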
Disabling all lifecycle scripts globally will block the postinstall scripts defined in cre/attestation/package.json and cre/verification/package.json. These scripts appear to be essential for the project's setup, specifically for running cre-setup and building the @save/core dependency. This change will break the automated installation process. To maintain supply chain protection while allowing these specific scripts, consider allow-listing them using dependenciesMeta in your package.json or ensure that the setup process is updated to include manual execution of these scripts.
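One way to catch this before merge, as an added example that is neither the PR's nor the project's code: a Node check that lists the lifecycle scripts Yarn would skip under `enableScripts: false` unless the root package.json allow-lists the package with `dependenciesMeta.<name>.built: true`, the mechanism the review suggests. Package names and commands are constructed stand-ins, the YAML reader handles only flat keys, and treating the allow-list as covering workspaces' own scripts is an assumption.

```javascript
// Added example: report build scripts that `.yarnrc.yml` would silently skip.
// Scripts Yarn treats as build scripts, and therefore gates behind enableScripts.
const BUILD_SCRIPTS = ["preinstall", "install", "postinstall"];

// Minimal reader for the flat `key: value` lines this check needs from .yarnrc.yml
// (assumption: no nesting; a real check would use a YAML library).
function parseYarnrc(text) {
  const cfg = {};
  for (const raw of text.split("\n")) {
    const m = raw.replace(/#.*$/, "").trim().match(/^(\w+):\s*(\S+)$/);
    if (!m) continue;
    const v = m[2];
    cfg[m[1]] = v === "true" ? true : v === "false" ? false : /^\d+$/.test(v) ? Number(v) : v;
  }
  return cfg;
}

// Returns one record per build script that the config would skip (none if scripts are enabled).
function blockedScripts(yarnrcText, rootManifest, workspaces) {
  if (parseYarnrc(yarnrcText).enableScripts !== false) return []; // nothing is gated
  const meta = rootManifest.dependenciesMeta || {};
  const blocked = [];
  for (const [file, pkg] of Object.entries(workspaces)) {
    if (meta[pkg.name] && meta[pkg.name].built === true) continue; // allow-listed
    for (const hook of BUILD_SCRIPTS) {
      const cmd = pkg.scripts && pkg.scripts[hook];
      if (cmd) blocked.push({ file, name: pkg.name, hook, cmd });
    }
  }
  return blocked;
}

// Constructed sample input mirroring the PR's .yarnrc.yml and two workspaces
// (package names and commands are stand-ins, not the project's real values).
const SAMPLE_YARNRC = `npmMinimalAgeGate: 10080

# Disable ALL lifecycle scripts (postinstall, etc.)
enableScripts: false
`;
const WORKSPACES = {
  "cre/attestation/package.json": { name: "@example/attestation", scripts: { postinstall: "cre-setup" } },
  "cre/verification/package.json": { name: "@example/verification", scripts: { postinstall: "build-save-core" } },
};
const ROOT_BEFORE = { name: "root", workspaces: ["cre/*"] };
const ROOT_AFTER = { ...ROOT_BEFORE, dependenciesMeta: {
  "@example/attestation": { built: true }, "@example/verification": { built: true } } };

console.log(blockedScripts(SAMPLE_YARNRC, ROOT_BEFORE, WORKSPACES)); // two skipped postinstall hooks
console.log(blockedScripts(SAMPLE_YARNRC, ROOT_AFTER, WORKSPACES));  // [] once allow-listed
```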
No description provided.