fix: sanitize .yarnrc.yml in publish-preview to prevent token exfiltration #227
Merged
cryptodev-2s merged 2 commits into main, Mar 17, 2026
YARN_NPM_REGISTRY_SERVER only overrides the global npmRegistryServer. Scoped registries (npmScopes.<scope>.npmRegistryServer) take precedence, allowing a malicious PR to redirect yarn npm publish to an attacker server and exfiltrate the NPM token. Strip both npmRegistryServer and npmScopes from .yarnrc.yml before publishing.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
npmPublishRegistry takes precedence over npmRegistryServer for yarn npm publish, bypassing the YARN_NPM_REGISTRY_SERVER env var.
mcmire reviewed Mar 17, 2026
| # Strip registry overrides from .yarnrc.yml to prevent registry | ||
| # redirects that could exfiltrate the NPM token. npmPublishRegistry | ||
| # takes precedence over npmRegistryServer for yarn npm publish, and | ||
| # npmScopes can override per-scope. YARN_NPM_REGISTRY_SERVER env var |
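Review bot: the comment justifies the strip by naming individual keys (npmPublishRegistry, npmRegistryServer, npmScopes), which makes this a denylist applied to a PR-controlled .yarnrc.yml. Suggest keeping the list of stripped keys in one place that both this comment and the strip step refer to, and adding a check after the strip that fails the job if any of those keys is still present in the file, so a key the edit misses stops the publish instead of passing silently.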
Contributor
Do we no longer need to set YARN_NPM_REGISTRY_SERVER below, then? The registry URL is already configured in each workspace package's package.json (under publishConfig.registry), so we shouldn't need to override it.
Contributor
Author
I would say it's more defense-in-depth.
Contributor
Ah, yes, because a PR could also update the registry for a package by updating its package.json. Okay, this change makes sense.
mcmire approved these changes Mar 17, 2026
github-merge-queue bot pushed a commit to MetaMask/core that referenced this pull request Mar 18, 2026

## Explanation

Replace the inline preview build workflow with the reusable `publish-preview` workflow from `MetaMask/github-tools@v1` and delete old scripts that are no longer needed.

## References

- MetaMask/github-tools#223
- MetaMask/github-tools#227

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [x] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

> [!NOTE]
> **Medium Risk**
> CI publishing logic is replaced with a reusable workflow, which changes how preview artifacts are built and published with an NPM token. Risk is moderate because it impacts the release pipeline, but the change is largely a refactor/removal of custom scripting.
>
> **Overview**
> Replaces the repo’s inline `publish-preview` GitHub Actions workflow (fork checks, build/upload artifacts, manifest validation, publish, and PR commenting) with a single call to the reusable `MetaMask/github-tools` `publish-preview` workflow.
>
> Removes the now-unused local preview-build helper scripts (`scripts/generate-preview-build-message.ts`, `scripts/prepare-preview-builds.sh`, and `scripts/prepare-preview-builds.jq`).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 183cdc7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Summary
Follows up on #223 (comment).
YARN_NPM_REGISTRY_SERVER only overrides the global npmRegistryServer. A malicious PR could still redirect yarn npm publish via:
- npmPublishRegistry — takes precedence over npmRegistryServer for publish
- npmScopes.<scope>.npmRegistryServer — scoped overrides bypass the global env var

This strips all registry-related config (npmRegistryServer, npmPublishRegistry, npmScopes) from .yarnrc.yml in downloaded artifacts before publishing.
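The strip described in the summary, as an added example that is not code from this PR or from the MetaMask workflow: a line-based pass removes the three top-level keys and then fails closed on anything it cannot classify. It assumes block-style YAML with plain keys; the function name, sample file, scope name and registry host are constructed.

```javascript
// Added example (not the workflow's own code): strip registry overrides from
// an untrusted .yarnrc.yml with a line-based pass, then fail closed.
const FORBIDDEN = ['npmRegistryServer', 'npmPublishRegistry', 'npmScopes'];
const PLAIN_KEY = /^([A-Za-z][A-Za-z0-9]*):(\s|$)/; // block-style key at column 0

function sanitizeYarnrc(text) {
  const kept = [];
  let skipping = false;
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith('#')) continue; // comments are not needed to publish
    if (line === '' || /^\s/.test(line)) {
      // Blank and indented lines belong to the current top-level key.
      if (!skipping) kept.push(line);
      continue;
    }
    const key = PLAIN_KEY.exec(line);
    // Quoted keys, flow mappings, merge keys and document markers could hide
    // an override from a line-based pass, so reject them instead of guessing.
    if (!key) throw new Error(`unsupported top-level YAML: ${line}`);
    skipping = FORBIDDEN.includes(key[1]);
    if (!skipping) kept.push(line);
  }
  const out = kept.join('\n');
  // Fail closed: if any forbidden name survives anywhere, do not publish.
  const leftover = FORBIDDEN.filter((name) => out.includes(name));
  if (leftover.length > 0) {
    throw new Error(`registry override still present: ${leftover.join(', ')}`);
  }
  return out;
}

// Constructed sample: a PR-controlled file carrying all three overrides.
const UNTRUSTED = [
  '# constructed sample, not taken from the PR',
  'nodeLinker: node-modules',
  'npmRegistryServer: "https://registry.attacker.example"',
  'npmPublishRegistry: "https://registry.attacker.example"',
  'npmScopes:',
  '  metamask:',
  '    npmRegistryServer: "https://registry.attacker.example"',
  'enableScripts: false',
].join('\n');

console.log(sanitizeYarnrc(UNTRUSTED));
```

In a pipeline that can install dependencies, a real YAML parser is the more robust way to do the same strip; the fail-closed check after it still applies.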