Blog

Recommended security update

Posted Jul 12, 2019 by Maël Nison

We’ve been made aware of a potential attack vector in the way some data are stored in the lockfile. We recommend upgrading Yarn to the latest 1.17.3 release as soon as you get the chance. We also recommend editing your lockfiles to replace any reference to the http: protocol:

Yarn import now uses package-lock.json

Posted Jun 4, 2018 by Aram Drevekenin

For a while now, the JavaScript ecosystem has been host to a few different dependency lock file formats, including yarn’s yarn.lock and npm’s package-lock.json.

Ease the Transition to a Monorepo with Focused Workspaces

Posted May 18, 2018 by Bryan Wain

Previously, we wrote about monorepos and how Yarn Workspaces makes working with them simpler. Unfortunately, moving to a monorepo is not always an easy choice. Without the right tooling, a monorepo can often harm the developer experience instead of help it.

Dependencies Done Right

Posted Apr 18, 2018 by Maël Nison

Let’s say we want to write a React plugin. Since we’ll need to require the react package, we add it to our dependencies like this:

nohoist in Workspaces

Posted Feb 15, 2018 by V. Sun

As wonderful as yarn workspaces are, the rest of the community hasn’t yet fully caught up with the monorepo hoisting scheme. The introduction of nohoist is an attempt to provide an easy-to-use mechanism, natively supported by yarn, for enabling workspaces to work with otherwise incompatible libraries.

Yarn 1.0 is Here

Posted Sep 7, 2017 by Burak Yigit Kaya

After a long wait, Yarn 1.0 is out!

Workspaces in Yarn

Posted Aug 2, 2017 by Konstantin Raev

Projects tend to grow over time, and, occasionally, some pieces of a project can be useful elsewhere in other projects. For example, Jest, being a generic testing tool, gave birth to many packages, one of them being jest-snapshot, which is now used in other projects like snapguidist and chai-jest-snapshot.

Let's Dev: A Package Manager

Posted Jul 11, 2017 by Maël Nison

Hello everyone! Today, we’re gonna write a new package manager, even better than Yarn! Ok, maybe not, but at least we’re gonna have some fun, learn how package managers work, and think about what could come next on Yarn.

Adding Command Line Aliases for Yarn

Posted Jun 19, 2017 by G. Kay Lee

One of the core design philosophies of Yarn is to strive for simplicity: a lean CLI without redundant features. That’s why Yarn has resisted adding random built-in shorthands like npm r or an aliases system like the one you can find in Git. We believe that the benefits they could possibly bring to the Yarn experience are not justified by the cost required to build and maintain such a full-fledged subsystem.

Private Registry Support

Posted Jun 16, 2017 by Lukas Spieß

Today, Yarn already supports a wide variety of different package feeds when fetching and downloading your dependencies. Up until now, there was however a small subset of public and private package feed providers that Yarn could not yet handle very well. One example of these package feed providers that were not yet supported was Visual Studio Team Services (VSTS).

Yarn determinism

Posted May 31, 2017 by Sebastian McKenzie

One of the claims that Yarn makes is that it makes your package management “deterministic”. But what exactly does this mean? This blog post highlights how both Yarn and npm 5 are deterministic, but differ in the exact guarantees they provide and the tradeoffs they have chosen.

Yarn Create & Yarn 1.0

Posted May 12, 2017 by Maël Nison

Last year was a great time for Javascript newcomers! A lot of starter-kit projects were published, refined, and some of them eventually went on to offer command line tools dedicated to make project creation easier. One such example is create-react-app, but most frameworks have their own tools, with various flavors and syntaxes.

Cloudflare security incident and impact on Yarn users

Posted Feb 24, 2017 by Sebastian McKenzie

Yarn uses its own proxy to the npm registry in order to allow us to experiment with the way the Yarn client works and allow optimizations in the future around how packages are resolved. This registry is used by all Yarn users by default.

Lockfiles should be committed on all projects

Posted Nov 24, 2016 by James Kyle

Yarn is a new package manager that we built to be consistent and reliable. When installing hundreds or even thousands of third-party packages from the internet you want to be sure that you’re executing the same code across every system.

Running Yarn offline

Posted Nov 24, 2016 by Konstantin Raev

Repeatable and reliable builds for large JavaScript projects are vital. If your builds depend on dependencies being downloaded from the network, this build system is neither repeatable nor reliable.

Yarn: A new package manager for JavaScript

Posted Oct 11, 2016 by Sebastian McKenzie, Christoph Pojer, James Kyle

We’re pleased to announce the open source release of Yarn, a collaboration between Facebook, Exponent, Google, and Tilde. With Yarn, engineers still have access to the npm registry, but can install packages more quickly and manage dependencies consistently across machines or in secure offline environments. Yarn enables engineers to move faster and with confidence when using shared code so they can focus on what matters — building new products and features. Read the full announcement on code.facebook.com.