In case others are unaware, you just have to set https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate to the value you want. It defaults to 1 day.
If supply-chain security is a concern, yarn is the worst js package manager you can pick. It comes far down their priority list, below "just make things work without need for user input". Whatever you thought you configured will simply be ignored many times and that's considered a feature.
Go look in that project's issue tracker and commit log for changes to relevant configuration and you will know what I mean.
Even yarn 1.22 is a safer choice.