Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@yarnpkg/eslint-config
Advanced tools
2.1.0
yarn set version 2.1.0
"preferUnplugged": true
field in the manifest. This will hurt the experience of your users (your project will be the only one that will require hard installs), so please refrain using this field unless there's no other choice.yarn search
will open a rich interface to search for packages to install (requires the interactive-tools
plugin).yarn npm logout
will remove your credentials from your home directory.yarn plugin import from sources
will allow you to build plugins from the master branch of the our repository.yarn workspaces focus
will only install the current workspace, plus any other workspace it might depend on. The --production
flag will only install their production dependencies.yarn exec
will execute the specified command at the root of the current workspace (reintroduced from the Classic branch).yarn create
is now an alias to yarn dlx
(with the create-
prefix.)yarn init
will now generate an EditorConfig file, and run git init
on the resulting folder.yarn init
now supports a -i
flag which will automatically pin the Yarn version in the project.yarn init
will now inject the settings from the initFields
configuration setting when generating the initial manifest (future release will remove the now deprecated initVersion
and initLicense
settings).yarn init
will now initialize a workspace project if given the -w
flag.yarn workspaces foreach
now support glob patterns in --include
and --exclude
.yarn set version
now as an alias called yarn policies set-version
(will be deprecated in 3.x).yarn run
now supports the --inspect
and --inspect-brk
switches for binaries (for example yarn run --inspect-brk jest
).yarn remove
and yarn up
now support glob patterns.yarn dlx
now respects the local project configuration (particularly the configured registries). This is still experimental and will be further improved in the next months.yarn dlx
now properly exits with an exit code when the underlying command returned an exit code too.yarn config get
(and set
) can now access nested configuration values (for example, yarn config get npmScopes.foo.npmRegistryServer
will tell you which server is configured for the given server, if any).yarn config get
will now hide its secrets (or rather yours) from the rest of the world. A new --no-redacted
option will toggle off this behavior if needed.yarn config set
now has a --json
option that will let Yarn know it should interpret the given value as a JSON object (useful to set server configuration, etc).yarn workspace foreach
will now exit with the expected status code if there's an error.${name}
syntax (strict by default; use ${name:-default}
to provide a default value).changesetIgnorePatterns
setting can be used to ignore some paths from the changeset detection from yarn version check
(changes to those paths won't be taken into account when deciding which workspaces need to fresh releases).changesetBaseRef
setting can be used to change the name of the master branch that yarn version check
will use in its changeset heuristic.httpTimeout
and httpRetry
settings allow you to configure the behavior of the HTTP(s) requests.preferTruncatedLines
setting allow you to tell Yarn that it's ok if info and warning messages are truncated to fit in a single line (errors will always wrap as much as needed, and piping Yarn's output will toggle off this behaviour altogether).compressionLevel
. If you don't use Zero-Installs, using a value of 0
may yield speed improvements at little cost.owner/repo#workspace=name
syntax (which you can mix with branch names as usual).core.autocrlf
so that the builds lead to deterministic results. Generally speaking, improvements have been made to avoid freshly built packages from generating different results.npm pack
if we detect a package-lock.json
).exec:
protocol has a different API. In particular, builtin modules can now be accessed without having to actually require them.**/*
in your workspaces
field will now detect all child packages as workspaces.pnpMode: loose
setting). Under this mode, Yarn will compute the list of packages that would have been hoisted under the node_modules linker, and let the application code access them with only a warning. This mode will however not become the default - warnings cannot be caught by the application code, and as a result the output of the loose mode can be quite verbose, often being more confusing than the strict mode.yarn upgrade-interactive
has been revamped to reintroduce some elements that had been omitted when porting the command from the v1 to the v2.lutimes
support into Node itself, since it was otherwise impossible to implement perfect copy mechanisms (the copied symlinks would end up with different mtime than their originals)..vscode/pnpify
to .yarn/sdks
.echo {foo,bar}
won't work expect if there's actually a file named foo
and/or bar
..cjs
extension has been added to multiple files in order to make it easier to use "type": "module"
.FAQs
Unknown package
We found that @yarnpkg/eslint-config demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.