Security

Audits

Yarn does not run an audit by default during yarn install; auditing belongs in a scheduled (cron) task rather than on every install. You can run an audit whenever you want with yarn npm audit.

Info

Our implementation differs from npm's in a couple of ways. Like most other Yarn commands, yarn npm audit by default applies only to the direct dependencies of the current workspace. To get a report covering the whole project, use the -A,--all and/or -R,--recursive flags.

Tip

You can exclude your devDependencies (and their transitive dependencies) from the report by running the command with --environment production.

Hardened mode

The hardened mode can be enabled (or disabled) either with the enableHardenedMode setting or by defining YARN_ENABLE_HARDENED_MODE=1|0 in your environment variables. In most cases you won't even have to think about it: hardened mode is enabled by default when Yarn detects that it is running in a pull request from a public GitHub repository.

In this mode, Yarn automatically enables the --check-resolutions and --refresh-lockfile flags when running yarn install. This protects you against most attacks based on lockfile poisoning, at the cost of some install speed.

Danger

Hardened mode makes installs significantly slower, because Yarn has to query the registry to verify that the information contained in the lockfile is accurate. If your CI pipeline runs multiple jobs, we recommend disabling hardened mode in all but one of them to limit the performance impact.
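The following GitHub Actions workflow is an added example, not part of the Yarn documentation, that puts the two recommendations above together: hardened mode stays on in exactly one pull-request job and is switched off in the others, and the project-wide audit runs from a schedule instead of on every install. The workflow name, the Node.js version, the weekly cron expression and the yarn test script are assumptions; the action names (actions/checkout, actions/setup-node) and the Yarn flags are real.

```yaml
name: install-and-audit   # assumed workflow name

on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # assumed: weekly audit, Monday 06:00 UTC

jobs:
  hardened-install:
    # The single job that keeps hardened mode on. Yarn already enables it by
    # default on public-repo pull requests; setting it explicitly makes the
    # intent visible and survives a move to a private repository.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    env:
      YARN_ENABLE_HARDENED_MODE: "1"
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed
      - run: corepack enable
      # --check-resolutions and --refresh-lockfile are implied by hardened mode.
      - run: yarn install

  test:
    # Every other job opts out so the registry is not re-queried for each job.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    env:
      YARN_ENABLE_HARDENED_MODE: "0"
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed
      - run: corepack enable
      - run: yarn install
      - run: yarn test   # assumed project script

  audit:
    # Scheduled audit of the whole project (all workspaces, recursively),
    # with devDependencies and their transitive dependencies excluded.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed
      - run: corepack enable
      - run: yarn install
      - run: yarn npm audit --all --recursive --environment production
```

A non-zero exit status from yarn npm audit fails the scheduled job, which is the signal to act on; the pull-request jobs stay fast because only hardened-install pays for the registry verification.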