This article suggests adding configuration to `.npmrc` in your project to associate a scope with a private registry, to reduce the risk of an npm substitution attack (where someone might deliberately publish a malicious public package with the same name).
How can we achieve a similar effect in a Yarn 2 project? I've tried adding a `.yarnrc.yml` file in my project root:

```yaml
npmScopes:
  someScope:
    npmRegistryServer: https://npm.pkg.github.com
```
We also have a home-directory `~/.yarnrc.yml` for each developer with similar configuration, but additionally with an appropriate `npmAuthToken` to authenticate.
However, when I do a `yarn install`, I get an `Invalid authentication (as an anonymous user)` error for packages in that scope. Presumably the project-specific `.yarnrc.yml` is overriding the settings from the per-user `~/.yarnrc.yml`, so the auth information is no longer present?
The mitigation I'm after is that if a developer forgets to run `yarn npm login`, then it won't check the public registry for packages in a particular scope. Is there a way to do this in Yarn 2?
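As an added example (not from the question and not part of Yarn), here is a small pre-install check for the gap the question describes: it lists every scope used by the project's dependencies and reports any scope that the project `.yarnrc.yml` does not pin to a private `npmRegistryServer`, since those are the scopes that would fall through to the public registry. The `package.json` and `.yarnrc.yml` contents are constructed samples, and the YAML reader is a deliberately minimal one that only handles the nested-mapping subset used by `.yarnrc.yml`.

```python
import json
import re

# Constructed sample inputs: one scope pinned in .yarnrc.yml, one not.
PACKAGE_JSON = """{
  "dependencies": {
    "@someScope/internal-lib": "^1.2.0",
    "@otherScope/helper": "^0.3.0",
    "lodash": "^4.17.21"
  },
  "devDependencies": { "@someScope/build-tools": "^2.0.0" }
}"""

YARNRC_YML = """npmScopes:
  someScope:
    npmRegistryServer: "https://npm.pkg.github.com"
    npmAlwaysAuth: true
"""

# Registries that count as "public" for the purpose of this check.
PUBLIC_REGISTRIES = {"https://registry.yarnpkg.com", "https://registry.npmjs.org"}


def parse_simple_yaml(text):
    """Parse the nested-mapping subset of YAML used by .yarnrc.yml
    (indentation-based mappings with scalar leaves). Not a general parser."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # climb back out to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # a key with no scalar opens a sub-mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def unpinned_scopes(package_json, yarnrc_yml):
    """Return {scope: registry} for scopes whose packages would be resolved
    from a public registry instead of a private one."""
    pkg = json.loads(package_json)
    scopes = set()
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            match = re.match(r"^@([^/]+)/", name)
            if match:
                scopes.add(match.group(1))
    pinned = parse_simple_yaml(yarnrc_yml).get("npmScopes", {})
    findings = {}
    for scope in sorted(scopes):
        registry = pinned.get(scope, {}).get("npmRegistryServer")
        if not registry or registry.rstrip("/") in PUBLIC_REGISTRIES:
            findings[scope] = registry or "<default public registry>"
    return findings
```

Running `unpinned_scopes(PACKAGE_JSON, YARNRC_YML)` on the samples flags `otherScope` as unpinned; wiring the check into CI would catch a missing `npmScopes` entry before any developer's `yarn install` consults the public registry for that scope.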