Thanks. I was thinking of a CI step that checked the SHA-256 of yarn.lock against a "last known good" value committed by an authorized committer and enforced by a branch policy.
Signed audit logs seem like a good idea.
Now...how to get developers to avoid using NPM and Yarn altogether on sensitive projects...
Signed audit logs seem like a good idea.
Now...how to get developers to avoid using NPM and Yarn altogether on sensitive projects...