Antoine du Hamel
Hey, good catch, thanks for exploring that. If you are willing to send a PR, that'd be awesome! No dev agreements to sign :)
AFAICT, none of the package managers that Corepack currently supports sign their releases. If Yarn is the easiest one to sign, could we start with this one? @arcanis do you...
It looks like this was originally possible, and was removed in https://github.com/nodejs/corepack/pull/18.
> What I mean is that I don't think the user should be interacting with the corepack cli (it could still be implemented in corepack under the hood though). For...
> > Adding a feature to corepack CLI doesn't force anyone to use it though
>
> I don't agree with this - the JS community is large, and many...
Is it something you'd like to open a PR for?
> 1. This negates the hash protection of [chore: add sha1 to default versions when available #137](https://github.com/nodejs/corepack/pull/137).
> 2. This could break the reproducibility of builds or CI jobs that...
> But good defaults matter, and I’m proposing that the default should remain the secure known-good version.

That's the catch, the known-good version is more likely to be less secure...
> > I don't think most users care about that kind of determinism (otherwise, they would set a specific version either system-wise
>
> What makes you think that users...
> This change isn’t giving them the latest version. It’s giving them the latest version _as of_ the time they ran `corepack prepare`. That could be ages earlier than the...