@yarnpkg/plugin-github
This plugin improves performance when cloning packages from Git by making use of the hosted GitHub API.
This plugin is included by default in Yarn.
3.0.0
yup anymore (we migrated to Typanion as part of Clipanion v3).
workspace-tools, remove it from your .yarnrc.yml, upgrade, then import it back.
enableImmutableInstalls will now default to true on CI (we still recommend to explicitly use --immutable on the CLI).
YARN_ENABLE_IMMUTABLE_INSTALLS=false in your environment variables.
initVersion and initLicense configuration options have been removed. initFields should be used instead.
.pnp.cjs files (instead of .pnp.js) when using PnP, regardless of what the type field inside the manifest is set to.
$$virtual into __virtual__.
-a alias flag of yarn workspaces foreach got removed; use -A,--all instead, which is strictly the same.
.vscode/pnpify) won't be cleaned up anymore.
--skip-builds flag from yarn install got renamed into --mode=skip-build.
bstatePath configuration option has been removed. The build state (.yarn/build-state.yml) has been moved into the install state (.yarn/install-state.gz)
@yarnpkg/pnpify has been refactored into 3 packages:
@yarnpkg/sdks now contains the Editor SDKs
@yarnpkg/pnpify now contains the PnPify CLI compatibility tool that creates in-memory node_modules
@yarnpkg/nm now contains the node_modules tree builder and hoister
@yarnpkg/plugin-node-modules has been renamed to @yarnpkg/plugin-nm
--clipanion=definitions commands supported by our CLIs will now expose the definitions on the entry point (rather than on .command)
structUtils.requirableIdent got removed; use structUtils.stringifyIdent instead, which is strictly the same.
configuration.format got removed; use formatUtils.pretty instead, which is strictly the same, but type-safe.
httpUtils.Options['json'] got removed; use httpUtils.Options['jsonResponse'] instead, which is strictly the same.
PackageExtension['description'] got removed, use formatUtils.json(packageExtension, formatUtils.Type.PACKAGE_EXTENSION) instead, which is strictly the same.
Project.generateBuildStateFile has been removed, the build state is now in Project.storedBuildState.
Project.tryWorkspaceByDescriptor and Project.getWorkspaceByDescriptor now match on virtual descriptors.
Workspaces now get self-references even when under the node-modules linker (just like how it already worked with the pnp linker). This means that a workspace called foo can now safely assume that calls to require('foo/package.json') will always work, removing the need for absolute aliases in the majority of cases.
The node-modules linker now does its best to support the portal: protocol. This support comes with two important limitations:
--preserve-symlinks Node option if they wish to access their dependencies.
portal: must be hoisted outside of the portal. Failing that (for example if the portal package depends on something incompatible with the version hoisted via another package), the linker will produce an error and abandon the install.
The node-modules linker can now utilize hardlinks. The new setting nmMode: classic | hardlinks-local | hardlinks-global specifies which node_modules strategy should be used:
classic - standard node_modules layout, without hardlinks
hardlinks-local - standard node_modules layout with hardlinks inside the project only
hardlinks-global - standard node_modules layout with hardlinks pointing to global content storage across all the projects using this option
node-modules linker will now ensure that the generated install layouts are terminal, by doing several rounds when needed.
node-modules linker will no longer print warnings about postinstall scripts when a workspace depends on another workspace listing install scripts.
${ENV_VAR} syntax.
preinstall, install, postinstall fail, the remaining scripts will be skipped.
git: protocol will now default to fetching HEAD (rather than the hardcoded master).
SIGTERM signal will now be propagated to child processes.
yarn config unset will now correctly unset non-nested properties
initFields edge cases have been fixed.
preferAggregateCacheInfo flag will now also aggregate cleanup reports.
enableMessageNames flag can be set to false to exclude the YNxxxx from the output.
yarn init can now be run even from within existing projects (will create missing files).
yarn init and yarn set version will set the packageManager field.
yarn set version now downloads binaries from the official Yarn website (rather than GitHub).
yarn set version from sources will now upgrade the builtin plugins as well unless --skip-plugins is set.
yarn version apply now supports a new --prerelease flag which replaces how prereleases were previously handled.
yarn run should be significantly faster to boot on large projects.
yarn workspaces foreach --verbose will now print when processes start and end, even if they don't have an output.
yarn workspaces foreach now supports a --from <glob> flag, which when combined with -R will target workspaces reachable from the 'from' glob.
yarn patch-commit can now be used as many times as you want on the same patch folder.
yarn patch-commit now supports a new -s,--save flag which will save the patch instead of just printing it.
yarn up now supports a new -R,--recursive flag which will upgrade the specified package, regardless where it is.
yarn config unset is a new command that will remove a setting from the local configuration (or home if -H is set).
yarn exec got support for running shell scripts using Yarn's portable shell.
yarn plugin import can now install specific versions of the official plugins.
yarn plugin import will now download plugins compatible with the current CLI by default.
yarn unlink has been added which removes resolutions previously set by yarn link.
yarn install inside a Yarn v1 project will now automatically enable the node-modules linker. This should solve most of the problems people have had in their migrations. We still recommend to keep the default PnP for new projects, but the choice is yours.
bigint, and fstat.
@yarnpkg/esbuild-plugin-pnp. We use it to bundle Yarn itself!
exports field - regardless of the Node version.
node: protocol (new in Node 16)
plugins configuration property.
FAQs
The npm package @yarnpkg/plugin-github receives a total of 7,377 weekly downloads. As such, @yarnpkg/plugin-github popularity was classified as popular.
We found that @yarnpkg/plugin-github demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.