Guidelines for how to install dependencies in this project
In light of some of the recent npm security issues [1] [2], this document shows how we are addressing some of the issues with installing dependencies from a live registry by taking advantage of Yarn's offline feature. The majority of the steps taken are inspired by this tweet from Lee Byron.
We specify a .yarnrc file in this project that sets the path for Yarn's offline mirror to the folder .yarn-offline-mirror. This folder contains all the tarballs for the packages that the project uses. What this allows us to do is run yarn install --offline in our Continuous Integration environment so that we don't have to fetch from the live registry in our builds.
When installing a dependency, you can just run yarn add <dependency-name> as normal. The only difference now is that you also check in the corresponding tarball entry in .yarn-offline-mirror, so that we don't have to fetch this dependency from the live registry during Continuous Integration builds.