Disable NPM package scripts, and assert lockfile unchanged

With all the recent supply chain attacks, this seems prudent. There are three in our current package list. esbuild's is just a performance optimization (https://github.com/evanw/esbuild/issues/4085), and dprint's gets done when we invoke .bin/dprint anyway. svelte-preprocess simply prints something to the screen.
2025-09-18 14:02:21 -04:00 · 2025-09-17 09:31:06 +10:00 · 2025-09-17 09:31:06 +10:00 · 90ed4cc115
commit 90ed4cc115
parent 4506ad0c97
2 changed files with 6 additions and 1 deletions
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@ -1 +1,2 @@
 nodeLinker: node-modules
+enableScripts: false
--- a/build/runner/src/yarn.rs
+++ b/build/runner/src/yarn.rs
@ -28,7 +28,11 @@ pub fn setup_yarn(args: YarnArgs) {
                .arg("--ignore-scripts"),
        );
    } else {
-        run_command(Command::new(&args.yarn_bin).arg("install"));
+        run_command(
+            Command::new(&args.yarn_bin)
+                .arg("install")
+                .arg("--immutable"),
+        );
    }

    std::fs::write(args.stamp, b"").unwrap();