From 90ed4cc115c6030ead910d408150869d7e265c26 Mon Sep 17 00:00:00 2001
From: Damien Elmes <gpg@ankiweb.net>
Date: Wed, 17 Sep 2025 09:31:06 +1000
Subject: [PATCH] Disable NPM package scripts, and assert lockfile unchanged

With all the recent supply chain attacks, this seems prudent. There are
three in our current package list. esbuild's is just a performance
optimization (https://github.com/evanw/esbuild/issues/4085), and
dprint's gets done when we invoke .bin/dprint anyway. svelte-preprocess
simply prints something to the screen.
---
 .yarnrc.yml              | 1 +
 build/runner/src/yarn.rs | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.yarnrc.yml b/.yarnrc.yml
index 3186f3f07..94f5c254e 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -1 +1,2 @@
 nodeLinker: node-modules
+enableScripts: false
diff --git a/build/runner/src/yarn.rs b/build/runner/src/yarn.rs
index 9e1bd5b58..7724ed04a 100644
--- a/build/runner/src/yarn.rs
+++ b/build/runner/src/yarn.rs
@@ -28,7 +28,11 @@ pub fn setup_yarn(args: YarnArgs) {
                 .arg("--ignore-scripts"),
         );
     } else {
-        run_command(Command::new(&args.yarn_bin).arg("install"));
+        run_command(
+            Command::new(&args.yarn_bin)
+                .arg("install")
+                .arg("--immutable"),
+        );
     }
 
     std::fs::write(args.stamp, b"").unwrap();