[Bug?]: YARN_IGNORE_SCRIPTS environment variable shouldn't result in an error

[tbroyer]

Self-service

• I'd be willing to implement a fix

Describe the bug

In an effort to harden our CI (the Axios incident was the final straw), we've added the following environment variables to disable all postinstall scripts (even if it possibly does more than just that, particularly with NPM), overriding any project-local configuration:

# For NPM
npm_config_ignore_scripts=true
# For Yarn Classic
YARN_IGNORE_SCRIPTS=true
# For Yarn Modern
YARN_ENABLE_SCRIPTS=false

This however broke all the builds that use Yarn Modern:

Usage Error: Unrecognized or legacy configuration settings found: ignoreScripts - run "yarn config" to see the list of settings supported in Yarn (in <environment>)

IGNORED_ENV_VARIABLES at https://github.com/yarnpkg/berry/blob/%40yarnpkg/cli/4.14.1/packages/yarnpkg-core/sources/Configuration.ts#L67 should probably include ignoreScripts in the same way it ignores YARN_REGISTRY.

To reproduce

$ docker run --rm \
      -e npm_config_ignore_scripts=true -e YARN_IGNORE_SCRIPTS=true -e YARN_ENABLE_SCRIPTS=false \
      node:lts-slim \
      corepack yarn@latest --version
4.14.1
$ docker run --rm \
    -e npm_config_ignore_scripts=true -e YARN_IGNORE_SCRIPTS=true -e YARN_ENABLE_SCRIPTS=false \
    node:lts-slim \
    corepack yarn@latest dlx -q envinfo --preset jest
Usage Error: Unrecognized or legacy configuration settings found: ignoreScripts - run "yarn config" to see the list of settings supported in Yarn (in <environment>)

$ yarn add [--json] [-F,--fixed] [-E,--exact] [-T,--tilde] [-C,--caret] [-D,--dev] [-P,--peer] [-O,--optional] [--prefer-dev] [-i,--interactive] [--cached] [--mode #0] ...

Environment

System:
    OS: Linux 6.19 Debian GNU/Linux 12 (bookworm) 12 (bookworm)
    CPU: (8) x64 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
  Binaries:
    Node: 24.15.0 - /tmp/xfs-b749a6f7/node
    Yarn: 1.22.22 - /tmp/xfs-b749a6f7/yarn
    npm: 11.12.1 - /usr/local/bin/npm

Additional context

As a workaround, I found the undocumented YARN_ENABLE_STRICT_SETTINGS:

$ docker run --rm \
      -e npm_config_ignore_scripts=true -e YARN_IGNORE_SCRIPTS=true -e YARN_ENABLE_SCRIPTS=false \
      -e YARN_ENABLE_STRICT_SETTINGS=false \
      node:lts-slim \
      corepack yarn@latest --version
4.14.1
$ docker run --rm \
      -e npm_config_ignore_scripts=true -e YARN_IGNORE_SCRIPTS=true -e YARN_ENABLE_SCRIPTS=false \
      -e YARN_ENABLE_STRICT_SETTINGS=false \
      node:lts-slim \
      corepack yarn@latest dlx -q envinfo --preset jest

  System:
    OS: Linux 6.19 Debian GNU/Linux 12 (bookworm) 12 (bookworm)
    CPU: (8) x64 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
  Binaries:
    Node: 24.15.0 - /tmp/xfs-b749a6f7/node
    Yarn: 1.22.22 - /tmp/xfs-b749a6f7/yarn
    npm: 11.12.1 - /usr/local/bin/npm

[brandonbothell]

Instead of disabling scripts, I would recommend pinning your dependencies to exact versions instead of with the caret operator ^.

That way, you don't have to disable a useful feature because of an avoidance of vetting code you enter into your project, and can instead move to verifying update contents before you download and install them.

I believe enableStrictSettings = false is the intended solution if you want to use multiple versions of yarn's configuration options with a single version of yarn without it being mad about it. From what I can tell, the IGNORED_ENV_VARIABLES containing YARN_REGISTRY is to help yarn detect whether it should allow using v1 or berry.