OpenShift Console
CONSOLE-5011

Migrate from yarn classic to yarn berry in all supported releases


    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • Foundation

      Recent news from prodsec has led to a need for the Console team to rapidly migrate away from Yarn 1.x in all supported OpenShift versions (4.12+).

      The "least friction" way to do this is to migrate from Yarn Classic to Yarn Berry. Yarn v4 requires Node 18+, so we have to do this in three steps:

      1. Prepare console 4.12 to 4.18 by adding node 18+ support when building
      2. Update the openshift/release repo and console build roots to build with node 18+ (i.e., 4.12 to main should use quay.io/coreos/tectonic-console-builder:v29)
      3. Update yarn

      We are also motivated to move away from Yarn Classic for security reasons. Recent supply chain attacks (e.g., the Shai-Hulud, ua-parser-js and node-ipc incidents) have exploited malicious preinstall/postinstall scripts in npm packages to execute arbitrary code during yarn install or npm install. These scripts run automatically with the same privileges as the installing user, making them a prime vector for supply chain compromise.

      The Console frontend currently uses Yarn 1.x (Classic), which has limited options for disabling lifecycle scripts via a config file. This means every yarn install in local development and CI runs all package lifecycle scripts by default, exposing us to this class of supply chain attack.

      AC:

      1. Console repo and console-plugin-template update Yarn from v1 to v4 in all supported releases of OpenShift

              rh-ee-jaclee Jackson Lee
              jhadvig@redhat.com Jakub Hadvig