Gathering detailed insights and metrics for yarn
Gathering detailed insights and metrics for yarn
The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
Installations
npm install yarnDeveloper Guide
BETA
Typescript
No
Module System
N/A
Min. Node Version
>=4.0.0
Node Version
18.17.1
NPM Version
9.6.7
Score
91.7
Supply Chain
87.6
Quality
81.5
Maintenance
100
Vulnerability
100
License
Releases
153
Languages
5
JavaScript
Shell
PowerShell
Groovy
Batchfile
JavaScript (98.68%)
Shell (1.02%)
PowerShell (0.16%)
Groovy (0.12%)
Batchfile (0.01%)
Developer
Download Statistics
Total Downloads
964,774,805
Last Day
1,162,222
Last Week
6,134,811
Last Month
26,139,102
Last Year
279,460,890
GitHub Statistics
NOASSERTION License
41,511 Stars
2,357 Commits
2,733 Forks
552 Watchers
141 Branches
529 Contributors
Updated on Mar 26, 2025
Maintainers
6
Package Meta Information
Latest Version
1.22.22
Package Id
yarn@1.22.22
Unpacked Size
5.09 MB
Size
1.18 MB
File Count
11
NPM Version
9.6.7
Node Version
18.17.1
Published on
Mar 09, 2024
Total Downloads
Cumulative downloads
Total Downloads
964,774,805
Last Day
0.9%
1,162,222
Compared to previous day
Last Week
2.9%
6,134,811
Compared to previous week
Last Month
12.6%
26,139,102
Compared to previous month
Last Year
31.7%
279,460,890
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
Fast, reliable, and secure dependency management.
Fast: Yarn caches every package it has downloaded, so it never needs to download the same package again. It also does almost everything concurrently to maximize resource utilization. This means even faster installs.
Reliable: Using a detailed but concise lockfile format and a deterministic algorithm for install operations, Yarn is able to guarantee that any installation that works on one system will work exactly the same on another system.
Secure: Yarn uses checksums to verify the integrity of every installed package before its code is executed.
Features
- Offline Mode. If you've installed a package before, then you can install it again without an internet connection.
- Deterministic. The same dependencies will be installed in the same exact way on any machine, regardless of installation order.
- Network Performance. Yarn efficiently queues requests and avoids request waterfalls in order to maximize network utilization.
- Network Resilience. A single request that fails will not cause the entire installation to fail. Requests are automatically retried upon failure.
- Flat Mode. Yarn resolves mismatched versions of dependencies to a single version to avoid creating duplicates.
- More emojis. 🐈
Installing Yarn
Read the Installation Guide on our website for detailed instructions on how to install Yarn.
Using Yarn
Read the Usage Guide on our website for detailed instructions on how to use Yarn.
Contributing to Yarn
Contributions are always welcome, no matter how large or small. Substantial feature requests should be proposed as an RFC. Before contributing, please read the code of conduct.
See Contributing.
Prior art
Yarn wouldn't exist if it wasn't for excellent prior art. Yarn has been inspired by the following projects:
Credits
Thanks to Sam Holmes for donating the npm package name!
High
7.8/10
Summary
Yarn untrusted search path vulnerability
Affected Versions
< 1.22.13
Patched Versions
1.22.13
High
7.8/10
Summary
Yarn Improper link resolution before file access (Link Following)
Affected Versions
<= 1.21.1
Patched Versions
1.22.0
High
7.5/10
Summary
Path Traversal in Yarn
Affected Versions
<= 1.21.1
Patched Versions
1.22.0
High
8.1/10
Summary
Missing Encryption of Sensitive Data in yarn
Affected Versions
< 1.17.3
Patched Versions
1.17.3
Moderate
5.9/10
Summary
TOCTOU Race Condition in Yarn
Affected Versions
< 1.19.0
Patched Versions
1.19.0
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
3 out of the last 5 releases have a total of 3 signed artifacts.
Details
- Info: signed release artifact: yarn-1.22.22-1.noarch.rpm.asc: https://github.com/yarnpkg/yarn/releases/tag/v1.22.22
- Warn: release artifact v1.22.21 not signed: https://api.github.com/repos/yarnpkg/yarn/releases/129420972
- Warn: release artifact v1.22.20 not signed: https://api.github.com/repos/yarnpkg/yarn/releases/129317157
- Info: signed release artifact: yarn-1.22.19.js.asc: https://github.com/yarnpkg/yarn/releases/tag/v1.22.19
- Info: signed release artifact: yarn-1.22.18.js.asc: https://github.com/yarnpkg/yarn/releases/tag/v1.22.18
- Warn: release artifact v1.22.22 does not have provenance: https://api.github.com/repos/yarnpkg/yarn/releases/145660714
- Warn: release artifact v1.22.21 does not have provenance: https://api.github.com/repos/yarnpkg/yarn/releases/129420972
- Warn: release artifact v1.22.20 does not have provenance: https://api.github.com/repos/yarnpkg/yarn/releases/129317157
- Warn: release artifact v1.22.19 does not have provenance: https://api.github.com/repos/yarnpkg/yarn/releases/66514022
- Warn: release artifact v1.22.18 does not have provenance: https://api.github.com/repos/yarnpkg/yarn/releases/61935478
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/signing.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/yarn/signing.yml/master?enable=pin
- Warn: containerImage not pinned by hash: Dockerfile.dev:4: pin your Docker image by updating node:10 to node:10@sha256:59531d2835edd5161c8f9512f9e095b1836f7a1fcb0ab73e005ec46047384911
- Warn: downloadThenRun not pinned by hash: scripts/install-latest.sh:8
- Info: 0 out of 1 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 containerImage dependencies pinned
- Info: 0 out of 1 downloadThenRun dependencies pinned
Reason
Found 3/30 approved changesets -- score normalized to 1
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/signing.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 5 are checked with a SAST tool
Reason
175 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-pp7h-53gx-mx7r
- Warn: Project is vulnerable to: GHSA-832h-xg76-4gv6
- Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
- Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-p28h-cc7q-c4fg
- Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-qgfr-5hqp-vrw9
- Warn: Project is vulnerable to: GHSA-hr2v-3952-633q
- Warn: Project is vulnerable to: GHSA-h6ch-v84p-w6p9
- Warn: Project is vulnerable to: GHSA-3w5v-p54c-f74x
- Warn: Project is vulnerable to: GHSA-6x77-rpqf-j6mw
- Warn: Project is vulnerable to: GHSA-hwcf-pp87-7x6p
- Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-qrmc-fj45-qfc2
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
- Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
- Warn: Project is vulnerable to: GHSA-p9w8-2mpq-49h9
- Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
- Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
- Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
- Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
- Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-w9mr-4mfr-499f
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-6g33-f262-xjp4
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
- Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-xc7v-wxcw-j472
- Warn: Project is vulnerable to: GHSA-v2p6-4mp7-3r9v
- Warn: Project is vulnerable to: GHSA-jp4x-w63m-7wgm
- Warn: Project is vulnerable to: GHSA-c429-5p7v-vgjp
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-whgm-jr23-g3j9
- Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-wxhq-pm8v-cw75
- Warn: Project is vulnerable to: GHSA-257v-vj4p-3w2h
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-6h5x-7c5m-7cr7
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-mpcf-4gmh-23w8
- Warn: Project is vulnerable to: GHSA-9qj9-36jm-prpv
- Warn: Project is vulnerable to: GHSA-8r6j-v8pm-fqw3
- Warn: Project is vulnerable to: MAL-2023-462
- Warn: Project is vulnerable to: GHSA-xf7w-r453-m56c
- Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
- Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
- Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
- Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
- Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
- Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
- Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
- Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
- Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
- Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
- Warn: Project is vulnerable to: GHSA-44pw-h2cw-w3vq
- Warn: Project is vulnerable to: GHSA-pfq8-rq6v-vf5m
- Warn: Project is vulnerable to: GHSA-6x33-pw7p-hmpq
- Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
- Warn: Project is vulnerable to: GHSA-4hpf-3wq7-5rpr
- Warn: Project is vulnerable to: GHSA-f522-ffg8-j8r6
- Warn: Project is vulnerable to: GHSA-7r28-3m3f-r2pr
- Warn: Project is vulnerable to: GHSA-r8j5-h5cx-65gg
- Warn: Project is vulnerable to: GHSA-2pr6-76vf-7546
- Warn: Project is vulnerable to: GHSA-8j8c-7jfh-h6hx
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-pp57-mqmh-44h7
- Warn: Project is vulnerable to: GHSA-7px7-7xjx-hxm8
- Warn: Project is vulnerable to: GHSA-x5pg-88wf-qq4p
- Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj
- Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf
- Warn: Project is vulnerable to: GHSA-f9cm-qmx5-m98h
- Warn: Project is vulnerable to: GHSA-7wpw-2hjm-89gp
- Warn: Project is vulnerable to: GHSA-ff6r-5jwm-8292
- Warn: Project is vulnerable to: GHSA-5fw9-fq32-wv5p
- Warn: Project is vulnerable to: GHSA-6394-6h9h-cfjg
- Warn: Project is vulnerable to: GHSA-28xh-wpgr-7fm8
- Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-hxcm-v35h-mg2x
- Warn: Project is vulnerable to: GHSA-5q6m-3h65-w53x
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-c9g6-9335-x697
- Warn: Project is vulnerable to: GHSA-2m39-62fm-q8r3
- Warn: Project is vulnerable to: GHSA-mf6x-7mm4-x2g7
- Warn: Project is vulnerable to: GHSA-j44m-qm6p-hp7m
- Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
- Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-jgrx-mgxx-jf9v
- Warn: Project is vulnerable to: GHSA-g7q5-pjjr-gqvp
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-pv4c-p2j5-38j4
- Warn: Project is vulnerable to: GHSA-46c4-8wrp-j99v
- Warn: Project is vulnerable to: GHSA-9m6j-fcg5-2442
- Warn: Project is vulnerable to: GHSA-hh27-ffr2-f2jc
- Warn: Project is vulnerable to: GHSA-rqff-837h-mm52
- Warn: Project is vulnerable to: GHSA-8v38-pw62-9cw2
- Warn: Project is vulnerable to: GHSA-hgjh-723h-mx2j
- Warn: Project is vulnerable to: GHSA-jf5r-8hm2-f872
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-cf66-xwfp-gvc4
- Warn: Project is vulnerable to: GHSA-g78m-2chm-r7qv
- Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
- Warn: Project is vulnerable to: GHSA-gqgv-6jq5-jjj9
- Warn: Project is vulnerable to: MAL-2022-2424
- Warn: Project is vulnerable to: GHSA-cwx2-736x-mf6w
- Warn: Project is vulnerable to: GHSA-v39p-96qg-c8rf
- Warn: Project is vulnerable to: GHSA-8v63-cqqc-6r2c
- Warn: Project is vulnerable to: GHSA-wqfc-cr59-h64p
- Warn: Project is vulnerable to: GHSA-hjxc-462x-x77j
- Warn: Project is vulnerable to: GHSA-5xf4-f2fq-f69j
- Warn: Project is vulnerable to: GHSA-8mfc-v7wv-p62g
- Warn: Project is vulnerable to: GHSA-mpwj-fcr6-x34c
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-vh7m-p724-62c2
- Warn: Project is vulnerable to: GHSA-r9p9-mrjm-926w
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: MAL-2022-2642
- Warn: Project is vulnerable to: GHSA-c75v-2vq8-878f
- Warn: Project is vulnerable to: GHSA-c6rq-rjc2-86v2
- Warn: Project is vulnerable to: GHSA-x2mc-8fgj-3wmr
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-rq8g-5pc5-wrhr
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp
- Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
- Warn: Project is vulnerable to: GHSA-fhjf-83wg-r2j9
- Warn: Project is vulnerable to: GHSA-4g88-fppr-53pp
- Warn: Project is vulnerable to: GHSA-4jqc-8m5r-9rpr
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-6chw-6frg-f759
- Warn: Project is vulnerable to: GHSA-897m-rjf5-jp39
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
- Warn: Project is vulnerable to: GHSA-vx3p-948g-6vhq
- Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
- Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
- Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
- Warn: Project is vulnerable to: GHSA-29xr-v42j-r956
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693
Score
3.6
/10
Last Scanned on 2025-03-17
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More