From c2ce365299d8a90aaa0a761515054fbef3152853 Mon Sep 17 00:00:00 2001
From: Ricardo Pinto
Date: Mon, 1 Dec 2025 07:16:17 +0000
Subject: [PATCH] Added --ignore-scripts flag to yarn install ref https://linear.app/ghost/issue/PRO-1540/ - there have been multiple recent npm incidents with compromised packages using pre/post-install scripts to run malicious scripts - we want to default to not running these scripts as a security precaution, this matches behaviour of pnpm which is touted as a modern, more secure, npm package manager
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index be5affc..4e89600 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -28,5 +28,5 @@ jobs:
 with:
 node-version: ${{ matrix.node }}
 - run: npm install yarn
- - run: yarn install
+ - run: yarn install --ignore-scripts
 - run: yarn test:ci
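Review bot: The `npm install yarn` step directly above the changed line still runs with lifecycle scripts enabled and fetches an unpinned Yarn, so the hardening covers only the second install step; `- run: npm install yarn --ignore-scripts` would close that gap. Since the commit message describes this as the intended default, note that the flag here applies only to this CI job, and a project-level package-manager setting would be needed to cover local and release installs (the Yarn version in use is not visible in the hunk, so confirm which config key applies). If a lockfile is committed and this is Yarn classic, `yarn install --ignore-scripts --frozen-lockfile` would also keep CI from resolving versions the lockfile does not list. It is worth checking that no dependency relies on a postinstall build step that `yarn test:ci` needs, because skipping it can surface as a confusing test failure rather than an install error. The job definition starts and continues outside the hunk.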