Port Berry security defaults #301
…vedGitRepositories

Ports the default-changing portions of four Berry PRs:

- berry#7089: `enableScripts` now defaults to `false`
- berry#7135: `npmMinimalAgeGate` now defaults to `1d` (was unset), with `--no-time-gate` flag on `yarn add` and `yarn up`
- berry#7091: Adds `approvedGitRepositories` setting (empty by default, blocking all git dependencies until explicitly approved)
- berry#7090: Skipped (exec: protocol doesn't exist in zpm)

Lockfile migration machinery is intentionally omitted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit 6cd59b5.
⏱️ Benchmark Results

gatsby install-full-cold
Base times: 4.403s, 4.469s, 4.450s, 4.258s, 4.517s, 4.347s, 4.399s, 4.459s, 4.373s, 4.272s, 4.368s, 4.465s, 4.438s, 4.371s, 4.327s, 4.422s, 4.394s, 4.371s, 4.445s, 4.495s, 4.365s, 4.413s, 4.375s, 4.404s, 4.369s, 4.447s, 4.426s, 4.375s, 4.336s, 4.460s
Head times: 4.349s, 4.333s, 4.401s, 4.331s, 4.332s, 4.409s, 4.445s, 4.345s, 4.408s, 4.430s, 4.389s, 4.389s, 4.443s, 4.462s, 4.431s, 4.415s, 4.425s, 4.453s, 4.429s, 4.365s, 4.437s, 4.401s, 4.436s, 4.459s, 4.428s, 4.361s, 4.383s, 4.288s, 4.358s, 4.394s

gatsby install-cache-only
Base times: 1.322s, 1.296s, 1.290s, 1.300s, 1.314s, 1.303s, 1.310s, 1.281s, 1.311s, 1.309s, 1.322s, 1.303s, 1.304s, 1.284s, 1.308s, 1.322s, 1.323s, 1.303s, 1.316s, 1.296s, 1.306s, 1.283s, 1.293s, 1.295s, 1.292s, 1.293s, 1.297s, 1.296s, 1.275s, 1.300s
Head times: 1.336s, 1.288s, 1.299s, 1.305s, 1.330s, 1.310s, 1.302s, 1.302s, 1.293s, 1.315s, 1.313s, 1.286s, 1.317s, 1.319s, 1.298s, 1.328s, 1.310s, 1.316s, 1.331s, 1.282s, 1.298s, 1.302s, 1.306s, 1.305s, 1.282s, 1.311s, 1.289s, 1.299s, 1.281s, 1.274s

gatsby install-cache-and-lock (warm, with lockfile)
Base times: 0.350s, 0.351s, 0.352s, 0.350s, 0.349s, 0.345s, 0.349s, 0.347s, 0.353s, 0.353s, 0.351s, 0.355s, 0.358s, 0.352s, 0.353s, 0.355s, 0.355s, 0.362s, 0.372s, 0.347s, 0.346s, 0.351s, 0.347s, 0.348s, 0.350s, 0.347s, 0.350s, 0.348s, 0.348s, 0.348s
Head times: 0.351s, 0.349s, 0.346s, 0.351s, 0.350s, 0.356s, 0.353s, 0.345s, 0.359s, 0.349s, 0.348s, 0.351s, 0.346s, 0.350s, 0.347s, 0.346s, 0.349s, 0.348s, 0.353s, 0.351s, 0.352s, 0.344s, 0.353s, 0.351s, 0.351s, 0.353s, 0.349s, 0.348s, 0.351s, 0.350s

Summary
Ports the default-changing portions of four Berry PRs to tighten security for new projects:
- `enableScripts` now defaults to `false` (postinstall scripts disabled by default)
- `npmMinimalAgeGate` now defaults to `1d` (brand new releases quarantined for 24h), with `--no-time-gate` flag on `yarn add` and `yarn up` to bypass
- `approvedGitRepositories` setting (empty by default, blocking all git dependencies until explicitly approved via glob patterns)

Lockfile migration is omitted since this is a new major - only the new defaults and flags are ported.
Test plan
- `cargo check` passes
- `cargo test` passes (3 pre-existing failures in `path_iterators` unrelated to this PR)

Note

High Risk
High risk because it changes default install behavior in security-sensitive paths (postinstall execution, npm version selection, and git dependency fetching), which can break existing workflows and block previously-working dependencies unless explicitly configured.
Overview
Ports stricter security defaults into ZPM: postinstall scripts are now disabled by default (`enableScripts: false`), and npm installs now enforce a minimum package release age via `npmMinimalAgeGate` defaulting to `1d` (with a `--no-time-gate` escape hatch on `yarn add`/`yarn up`).

Adds an allowlist for git dependencies via new `approvedGitRepositories` (default empty), enforcing glob-pattern matching across git resolution and cloning paths (including the GitHub tarball fast-path) and returning a dedicated `ApprovedGitRepositoriesError` when blocked. Tests are adjusted to opt out of the new defaults via env overrides where needed.

Reviewed by Cursor Bugbot for commit 78799bf.
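The two checks the summary and the review describe, the `npmMinimalAgeGate` age filter (with `--no-time-gate` modelled as `None`) and the `approvedGitRepositories` glob allowlist, written out as an added Rust example. This is not zpm's or Berry's code: the accepted duration suffixes, the glob semantics (`*` spans any run of characters including `/`, `?` matches one), the Unix-second publish timestamps and the sample versions and URLs are all assumptions constructed for the example.

```rust
// Added example, not zpm's code. Models the two new defaults this PR ports:
// a minimum-age gate for npm versions and a glob allowlist for git dependencies.
use std::collections::BTreeMap;

/// Parse an age gate such as "1d", "12h", "30m" or "45s" into seconds.
/// The suffix set is an assumption of this example, not zpm's parser.
pub fn parse_age_gate(spec: &str) -> Option<u64> {
    let spec = spec.trim();
    if !spec.is_ascii() || spec.len() < 2 {
        return None;
    }
    let (digits, unit) = spec.split_at(spec.len() - 1);
    let n: u64 = digits.parse().ok()?;
    let mult = match unit {
        "s" => 1,
        "m" => 60,
        "h" => 3_600,
        "d" => 86_400,
        _ => return None,
    };
    n.checked_mul(mult)
}

/// Versions old enough to install. `published` maps version -> publish time as
/// Unix seconds (constructed; a real packument carries ISO timestamps).
/// `min_age` of `None` models `--no-time-gate`.
pub fn eligible_versions(
    published: &BTreeMap<String, u64>,
    now: u64,
    min_age: Option<u64>,
) -> Vec<String> {
    published
        .iter()
        .filter(|&(_, &ts)| match min_age {
            None => true,
            // Eligible once ts + min_age <= now, i.e. published at least min_age ago.
            Some(gate) => ts.checked_add(gate).map_or(false, |ready_at| ready_at <= now),
        })
        .map(|(v, _)| v.clone())
        .collect()
}

/// Minimal glob: `*` matches any run of characters (including `/`), `?` one
/// character, everything else is literal. Assumed semantics, not zpm's matcher.
pub fn glob_match(pattern: &str, text: &str) -> bool {
    fn go(p: &[u8], t: &[u8]) -> bool {
        match (p.first(), t.first()) {
            (None, None) => true,
            (Some(b'*'), _) => go(&p[1..], t) || (!t.is_empty() && go(p, &t[1..])),
            (Some(b'?'), Some(_)) => go(&p[1..], &t[1..]),
            (Some(a), Some(b)) if a == b => go(&p[1..], &t[1..]),
            _ => false,
        }
    }
    go(pattern.as_bytes(), text.as_bytes())
}

/// An empty allowlist (the new default) rejects every git dependency.
pub fn git_dependency_allowed(approved: &[&str], repo_url: &str) -> bool {
    approved.iter().any(|pat| glob_match(pat, repo_url))
}

fn main() {
    // Constructed sample data.
    let now: u64 = 1_700_000_000;
    let mut published = BTreeMap::new();
    published.insert("1.0.0".to_string(), now - 30 * 86_400); // 30 days old
    published.insert("1.0.1".to_string(), now - 3_600); // one hour old

    let gate = parse_age_gate("1d");
    println!("gated:   {:?}", eligible_versions(&published, now, gate));
    println!("ungated: {:?}", eligible_versions(&published, now, None));

    let approved = ["https://github.com/example-org/*"];
    for url in ["https://github.com/example-org/tool.git", "https://github.com/other/tool.git"] {
        println!("{}: allowed={}", url, git_dependency_allowed(&approved, url));
    }
    let default_allowed = git_dependency_allowed(&[], "https://github.com/example-org/tool.git");
    println!("empty allowlist (default): allowed={}", default_allowed);
}
```

The age gate is a delay, not a signature check: it only buys the time in which a malicious release tends to be reported and unpublished, so `--no-time-gate` is worth treating like any other override in review. The allowlist defaults closed, which is why the PR notes that existing projects with git dependencies break until patterns are configured.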