Maël Nison
Awesome! That's interesting - `@sapper` isn't a valid package name so it should have been rejected outright 😄 btw, if any of those generated packages has its own dependencies, then...
That makes sense - maybe the vendor files should be excluded from the watch, since the paths will change if the files change? Although I guess in `node_modules` installs the...
> Not sure I understand the thing about `yarn dev` needing `sapper` and `svelte` to be unplugged? They're just regular devDependencies, no? From what I gather you have a watcher...
I've submitted https://github.com/yarnpkg/berry/pull/315 which should mitigate the issue (`fs.watch` becomes a noop on vendor files - only those stored within zip archives are affected).
@felixakiragreen the fix for that can be found at https://github.com/sveltejs/sapper-template/pull/201. Basically you need to use aliases to make sure you can point the client module resolution to packages that aren't...
Hey! Thanks, I have a few comments
- Is it a theoretical issue, or are you aware of attacks that could have been avoided by your measures?
- Do you...
> This PoC is an improvement for facing issues like this and this. Unless I misunderstood something, the worm was only detected because it was bogus, not because someone actually...
Sounds duplicate with https://github.com/yarnpkg/website/pull/895 Sounds like yvm also has little to offer compared to `yarn policies set-version` (wasn't actually aware of this tool before 😄), so we probably don't want...
> Curious to the motivation behind having the tool version itself? Not relying on the network is a very common use case that's sometimes hard for people to figure out....
> Why someone want to have yarn-1.12.3.js in repository? It's like to commit extracted maven binary... No way. While I understand where you're coming from, reconsider this "no way" and...