Revert "feat: build codegen on postinstall (#46227)" #46420

Closed

@Saadnajmi (Contributor) commented Sep 10, 2024

This reverts commit 0cb97f0.

Summary:

Revert this commit that adds a post install script for a couple of reasons:

  1. (EDIT: This turns out to be unrelated) The postinstall script causes yarn install to fail on React Native macOS, where we use Yarn 4. I'm not entirely sure why, but I probably won't debug it for the rest of the reasons.
  2. postinstall scripts (at least inside Microsoft) are viewed as a security risk. Any package in your dependency tree can get compromised, add the phase, and run arbitrary code. This has happened in the past with React Native, if I recall correctly. As such, we disable postinstall scripts in many of our repos (including rnx-kit and react-native-test-app).
  3. The issue this is trying to solve is to help newcomers avoid a stale cache when they switch branches in the React Native monorepo and only run yarn install. I think it would be sufficient to add some documentation somewhere that it is expected one runs yarn && yarn build to use this repo locally? That's a fairly common practice in monorepos, at least ones inside Microsoft.

Changelog:

[INTERNAL] [SECURITY] - Remove post install script phase in the React Native monorepo

Test Plan:

CI should pass
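
An audit for the risk described in point 2 above, as an added example that is not part of the original PR or the React Native repository: it walks a `node_modules` tree and lists every package that declares an install-time lifecycle script. The function names and the sample packages (`@acme/telemetry`, `native-thing`, `deep-dep`, `plain-lib`) are hypothetical and constructed for the demonstration.

```javascript
// Added example, not code from the PR; package names below are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return [{ name, hook, command }] for each package under nodeModulesDir that
// runs code at install time. Symlinked (workspace) packages are skipped.
function findInstallScripts(nodeModulesDir) {
  const findings = [];
  if (!fs.existsSync(nodeModulesDir)) return findings;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModulesDir, entry.name);
    // Scope folder (@scope): the packages live one level down.
    if (entry.name.startsWith('@')) { findings.push(...findInstallScripts(dir)); continue; }
    let manifest = {};
    try {
      manifest = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')) || {};
    } catch { /* missing or malformed manifest: treat as no declared scripts */ }
    const scripts = manifest.scripts || {};
    const name = manifest.name || entry.name;
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') findings.push({ name, hook, command: scripts[hook] });
    }
    // npm defaults "install" to `node-gyp rebuild` when binding.gyp exists and
    // the package defines neither an install nor a preinstall script.
    if (!scripts.install && !scripts.preinstall && fs.existsSync(path.join(dir, 'binding.gyp'))) {
      findings.push({ name, hook: 'install (implicit)', command: 'node-gyp rebuild' });
    }
    findings.push(...findInstallScripts(path.join(dir, 'node_modules'))); // nested deps
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Constructed sample tree in a temp directory so the example runs offline.
function buildSampleTree() {
  const root = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-')), 'node_modules');
  const pkg = (rel, manifest, extraFile) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify(manifest));
    if (extraFile) fs.writeFileSync(path.join(root, rel, extraFile), '{}');
  };
  pkg('plain-lib', { name: 'plain-lib', scripts: { test: 'node t.js' } });
  pkg('@acme/telemetry', { name: '@acme/telemetry', scripts: { postinstall: 'node collect.js' } });
  pkg('native-thing', { name: 'native-thing' }, 'binding.gyp');
  pkg('plain-lib/node_modules/deep-dep', { name: 'deep-dep', scripts: { preinstall: 'sh setup.sh' } });
  return root;
}

console.table(findInstallScripts(buildSampleTree()));
```

In a repo that disables scripts (for example with npm's `ignore-scripts` setting or Yarn's `enableScripts: false`), the findings are the packages whose build steps then have to be run or allow-listed deliberately.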

@facebook-github-bot added the CLA Signed and p: Microsoft labels Sep 10, 2024
@react-native-bot (Collaborator) commented Sep 10, 2024

Warnings
⚠️ 🔒 package.json - Changes were made to package.json. This will require a manual import by a Facebook employee.

Generated by 🚫 dangerJS against 7d40d69

@facebook-github-bot added the Shared with Meta label Sep 10, 2024
@facebook-github-bot (Contributor)

@huntie has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@facebook-github-bot added the Merged label Sep 16, 2024
@facebook-github-bot (Contributor)

@huntie merged this pull request in 8ac80e3.

@react-native-bot (Collaborator)

This pull request was successfully merged by @Saadnajmi in 8ac80e3

When will my fix make it into a release? | How to file a pick request?
