Closed issue by crtxcr on void-packages repository https://github.com/void-linux/void-packages/issues/40977

Description:

There is an issue in the way the vscode template manages dependencies. The voidlinux vscode template contains the following patch: https://github.com/void-linux/void-packages/blob/master/srcpkgs/vscode/patches/ripgrep.patch

It makes the package.json point to a custom ripgrep nodejs module: https://github.com/atk/void-vscode-ripgrep.git

As we can see, this is a voidlinux-specific modification, primarily introduced in d5e7fdb4510bc2353bcccde2ca134b65c4b599cf to make it build with ppc64le even though MS does not ship such binaries and does not support it: https://github.com/microsoft/vscode/issues/80042

**Problem**

Should an attacker gain access to @atk's account, then he can put something malicious into that repo. Thus, it can be used to launch supply chain attacks against voidlinux users when vscode is built. The main problem is that there is no specific git commit id pinned or anything; it just blindly takes the content of the repo. This should be addressed by, for example, either:

(1) Getting rid of that ripgrep patch. As its reason for existing is to make it build on platforms not supported by upstream, the option of getting rid of it has to be mentioned, I think. However, this implies some users would be affected.

(2) Adding appropriate yarn.lock entries which would point to known good git commit ids.

Furthermore, this only works because, for that patch to work, the yarn option "--frozen-lockfile" was removed in d5e7fdb4510bc2353bcccde2ca134b65c4b599cf. I think it's better to enable it...

I realize node.js does not have the best reputation when it comes to security anyway, but we should not make it worse. If a decision is made to keep this patch, I hope we can at least build it with pinned dependencies.

I have attached a patch that would pin the commit id in yarn.lock and with that, I can build 1.73.1 with --frozen-lockfile enabled again. If the commit id does not match, the build is aborted. [ripgrep-yarn.patch.txt](https://github.com/void-linux/void-packages/files/10184378/ripgrep-yarn.patch.txt)

Of course, keeping that yarn patch applying between version updates could be a bit annoying, but I think that's not a reason to not do it.

@atk @shizonic
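A check a packager could run over a yarn v1 lockfile to flag git-sourced dependencies that are not pinned to a full commit id, in the spirit of the pinning proposed in the issue above. This is an added example, not the attached patch or any void-packages tooling; the lockfile text, the second package name and the commit hash are constructed, and only the atk repository URL comes from the issue.

```python
import re

# Constructed sample of a yarn v1 lockfile (not the real vscode yarn.lock).
# The first entry pins its git source to a full commit id; the second does
# not, so yarn would fetch whatever the repository's default branch points to.
SAMPLE_YARN_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@vscode/ripgrep@https://github.com/atk/void-vscode-ripgrep.git":
  version "1.14.2"
  resolved "https://github.com/atk/void-vscode-ripgrep.git#0123456789abcdef0123456789abcdef01234567"

"some-other-dep@git+https://example.invalid/org/some-other-dep.git":
  version "0.1.0"
  resolved "git+https://example.invalid/org/some-other-dep.git"

once@^1.4.0:
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1"
  integrity sha1-WDsapXWWHUsROsF9nFC66J3Xa9E=
'''

# An entry is an unindented key line ending in ':' followed by indented lines.
ENTRY_RE = re.compile(r'^(?P<key>\S[^\n]*):\n(?P<body>(?:[ \t]+[^\n]*\n?)+)', re.MULTILINE)
# The resolved line carries the source URL and, after '#', a fragment: for git
# sources a commit id, for registry tarballs a sha1 of the tarball.
RESOLVED_RE = re.compile(r'^[ \t]+resolved "(?P<url>[^"#]+)(?:#(?P<frag>[^"]*))?"', re.MULTILINE)
COMMIT_RE = re.compile(r'^[0-9a-f]{40}$')


def is_git_source(url: str) -> bool:
    """A resolved URL is a git checkout if yarn marks it git+ or it names a .git repo."""
    return url.startswith("git+") or url.endswith(".git")


def unpinned_git_deps(lock_text: str) -> list[str]:
    """Return the lockfile keys whose git source is not pinned to a full commit id."""
    findings = []
    for entry in ENTRY_RE.finditer(lock_text):
        m = RESOLVED_RE.search(entry.group("body"))
        if not m or not is_git_source(m.group("url")):
            continue  # registry tarball or no resolved line: not a git dependency
        if not COMMIT_RE.match(m.group("frag") or ""):
            findings.append(entry.group("key").strip('"'))
    return findings
```

Run against a real yarn.lock, a non-empty result means the build would follow a moving branch rather than a known good commit.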