Gathering detailed insights and metrics for yarn
The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
npm install yarn
Typescript
Module System
Min. Node Version
Node Version
NPM Version
Supply Chain: 90.4
Quality: 87.6
Maintenance: 82.3
Vulnerability: 100
License: 100
Updated on 04 Dec 2024
JavaScript (98.68%)
Shell (1.02%)
PowerShell (0.16%)
Groovy (0.12%)
Batchfile (0.01%)
Cumulative downloads
Total Downloads
Last day: 10.4% compared to previous day
Last week: -7.7% compared to previous week
Last month: 2.7% compared to previous month
Last year: 35.5% compared to previous year
No dependencies detected.
ℹ️ Important note
This repository holds the sources for Yarn 1.x (the latest version at the time of this writing being 1.22). New releases (currently 3.2.3, although we're working on our next major) are tracked in the yarnpkg/berry repository; this one is kept mostly for historical purposes and for the occasional hotfix we publish to make the migration from 1.x to later releases easier.
If you hit bugs or issues with Yarn 1.x, we strongly suggest you migrate to the latest release - at this point it has been maintained longer than 1.x, and many classes of problems have already been addressed there. By using the nodeLinker setting you'll also have the choice of how you want to install your packages: node_modules like npm, symlinks like pnpm, or manifest files via Yarn PnP.
Fast, reliable, and secure dependency management.
Fast: Yarn caches every package it has downloaded, so it never needs to download the same package again. It also does almost everything concurrently to maximize resource utilization. This means even faster installs.
Reliable: Using a detailed but concise lockfile format and a deterministic algorithm for install operations, Yarn is able to guarantee that any installation that works on one system will work exactly the same on another system.
Secure: Yarn uses checksums to verify the integrity of every installed package before its code is executed.
Read the Installation Guide on our website for detailed instructions on how to install Yarn.
Read the Usage Guide on our website for detailed instructions on how to use Yarn.
The 1.x codebase is fairly old and will only accept security fixes. For new features or bugfixes, please see our new repository and its contribution guide.
Yarn wouldn't exist if it wasn't for excellent prior art. Yarn has been inspired by the following projects:
Thanks to Sam Holmes for donating the npm package name!
Stable Version
4
7.8/10 - Summary: Yarn untrusted search path vulnerability. Affected Versions: < 1.22.13. Patched Versions: 1.22.13.
7.8/10 - Summary: Yarn Improper link resolution before file access (Link Following). Affected Versions: <= 1.21.1. Patched Versions: 1.22.0.
7.5/10 - Summary: Path Traversal in Yarn. Affected Versions: <= 1.21.1. Patched Versions: 1.22.0.
8.1/10 - Summary: Missing Encryption of Sensitive Data in yarn. Affected Versions: < 1.17.3. Patched Versions: 1.17.3.
1
5.9/10 - Summary: TOCTOU Race Condition in Yarn. Affected Versions: < 1.19.0. Patched Versions: 1.19.0.
Reason: no dangerous workflow patterns detected
Reason: no binaries found in the repo
Reason: security policy file detected
Reason: license file detected
Reason: 3 out of the last 5 releases have a total of 3 signed artifacts.
Reason: dependency not pinned by hash detected -- score normalized to 2
Reason: Found 3/30 approved changesets -- score normalized to 1
Reason: 0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1
Reason: detected GitHub workflow tokens with excessive permissions
Reason: no effort to earn an OpenSSF best practices badge detected
Reason: project is not fuzzed
Reason: SAST tool is not run on all commits -- score normalized to 0
Reason: 172 existing vulnerabilities detected
Score
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.