You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Manage this Node.js package with version 3.6.0 of Yarn
[Version 16.20.0 of Node.js][Node.js changelog 16.20.0], released on
2023-03-29, ships with version 0.17.0 of [Corepack][Node.js 16
Corepack]; see the corresponding [pull request][GitHub repository
nodejs/node PR 46842].
3.6.0 is the latest version of Yarn at this time.
As stated in the [README][Node.js Corepack 0.17.0 README], a checksum
should be specified:
> The hash is optional but strongly recommended as a security practice.
Version 0.17.0 of [Corepack][Node.js 16 Corepack] uses the function
`createHash` of the [Node.js module `node:crypto`][Node.js 16
node:crypto]; see
https://github.com/nodejs/corepack/blob/v0.17.0/sources/corepackUtils.ts#L138-L140.
The hash/hashing algorithms that function supports "[…] is dependent on
the available algorithms supported by the version of OpenSSL on the
platform". I chose [SHA-512][SHA-2] because it strikes the best balance
between safety/security and availability, as far as I know.
[GitHub repository nodejs/corepack issue 231][]
```Shell
curl -- https://repo.yarnpkg.com/3.6.0/packages/yarnpkg-cli/bin/yarn.js | sha512sum
```
```
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2175k 0 2175k 0 0 3902k 0 --:--:-- --:--:-- --:--:-- 3899k
418e45c2268c4d6b69a28f3939084b5853d5f392c43c0b5588bd1995a96e328414ae4b7777a8980c64bad4328c52586ff879b289f98ae65372a55fa4d0ff70dd -
```
after setting `packageManager` in `package.json` with that checksum:
```Shell
corepack yarn --version
```
```
3.6.0
```
There's no difference between calling `corepack yarn` and calling the
`yarn` shim installed by `corepack enable`; both are the same:
```JavaScript
require('./corepack').runMain(['yarn', ...process.argv.slice(2)]);
```
the .js file is not committed and `yarnPath` is not set:
yarnpkg/berry#4063 (comment)
> Updating the binary in the repo, is temporary, until Corepack gets
> available in all LTS releases. I think for Yarn 4 we'll consider only
> updating the package.json.
indeed,
https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md#major-changes
> `yarn set version` will now skip generating the `yarnPath`
> configuration on new projects if it detects you're using
> [Corepack][Node.js Corepack]
[GitHub repository nodejs/corepack issue 231]: nodejs/corepack#231
[GitHub repository nodejs/node PR 46842]: nodejs/node#46842
[GitHub repository yarnpkg/berry issue 4063]: yarnpkg/berry#4063
[Node.js changelog 16.20.0]: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.20.0
[Node.js Corepack]: https://nodejs.org/api/corepack.html
[Node.js Corepack 0.17.0 README]: https://github.com/nodejs/corepack/blob/v0.17.0/README.md
[Node.js 16 Corepack]: https://nodejs.org/docs/latest-v16.x/api/corepack.html
[Node.js 16 node:crypto]: https://nodejs.org/docs/latest-v16.x/api/crypto.html
[SHA-2]: https://en.wikipedia.org/wiki/SHA-2
0 commit comments