Switch to yarn to fix security vulnerabilities

- Replace all `npm` commands with `yarn` The reason to do this switch is due to two reasons. The first is that `npm install` completes in 1m30s, while `npm install` completes in 50s, on average. The second is explained in the point below. This runtime difference might appear insignificant, but may improve development time over the long run. - Remove `preinstall` script and change `resolutions` packages The `preinstall` script is misleading and does not run before dependencies are installed, and this is acknowledged in npm/cli#2660 . With the switch to `yarn`, the `preinstall` script becomes obsolete as `yarn` will take care of the `resolutions` without needing a script. In addition, the cause of the security issues was misattributed to the wrong dependency in the previous commit. Remove this and add the true culprits.
utmgdsc · Sep 19, 2021 · 3be69bc · 3be69bc
1 parent f084cd0
commit 3be69bc
Show file tree

Hide file tree

Showing 7 changed files with 12,880 additions and 17,935 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,13 +2,13 @@
 FROM node:alpine as client_builder
 WORKDIR /app/client
 COPY client .
-RUN npm install --production && npm run build
+RUN yarn install --production && yarn run build
 
 # => Build server
 FROM node:alpine as server_builder
 WORKDIR /app/server
 COPY server .
-RUN npm install && npm run build
+RUN yarn install && yarn run build
 
 # => Run container
 FROM nginx:alpine as base

diff --git a/client/package-lock.json b/client/package-lock.json
diff --git a/client/package.json b/client/package.json
@@ -19,11 +19,11 @@
   "scripts": {
     "start": "react-scripts start",
     "build": "react-scripts build",
-    "test": "react-scripts test",
-    "preinstall": "npx npm-force-resolutions"
+    "test": "react-scripts test"
   },
   "resolutions": {
-    "postcss": "^8.2.10"
+    "browserslist": "^4.16.5",
+    "glob-parent": "^5.1.2"
   },
   "eslintConfig": {
     "extends": [

diff --git a/client/yarn.lock b/client/yarn.lock