Skip to content

Bump yarn from 4.10.1 to 4.14.1#230

Merged
jeffsmale90 merged 1 commit into
mainfrom
upgrade/yarn
May 12, 2026
Merged

Bump yarn from 4.10.1 to 4.14.1#230
jeffsmale90 merged 1 commit into
mainfrom
upgrade/yarn

Conversation

@jeffsmale90

@jeffsmale90 jeffsmale90 commented May 11, 2026

Copy link
Copy Markdown
Collaborator

📝 Description

Upgrades yarn from 4.10.1 to 4.14.1 to take advantage of approvedGitRepositories.

🔄 What Changed?

  • Upgrades yarn from 4.10.1 to 4.14.1
  • Updates the expected package manager version in constraints
  • Adds approvedGitRepositories to .yarnrc.yml with empty array

🚀 Why?

By enforcing no-git-dependencies, we close a security vulnerability where transient depenencies can be added to a package, resulting in unverified code being downloaded.

Any dependencies that are required via git may be added by including the glob in approvedGitRepositories in .yarnrc.yml.

🧪 How to Test?

❯ yarn add typanion@git@github.com/arcanis/typanion.git
➤ YN0000: · Yarn 4.14.1
➤ YN0000: ┌ Resolution step
➤ YN0080: │ typanion@git@github.com/arcanis/typanion.git: Request to 'ssh://git@github.com/arcanis/typanion.git' has been blocked because it doesn't match any of the patterns in 'approvedGitRepositories'
➤ YN0000: └ Completed
➤ YN0000: · Failed with errors in 0s 40ms

⚠️ Breaking Changes

List any breaking changes:

  • No breaking changes
  • Breaking changes (describe below):

📋 Checklist

Check off completed items:

  • Code follows the project's coding standards
  • Self-review completed
  • Documentation updated (if needed)
  • Tests added/updated
  • Changelog updated (if needed)
  • All CI checks pass

🔗 Related Issues

Link to related issues:
Closes #
Related to #

📚 Additional Notes

Any additional information, concerns, or context:


Note

Low Risk
Low risk config-only change that updates the Yarn toolchain and lockfile metadata; primary risk is CI/dev environment mismatch if Yarn 4.14.1 isn’t used consistently.

Overview
Upgrades the repo’s Yarn version requirement from 4.10.1 to 4.14.1 (including updating Yarn constraints and regenerating yarn.lock metadata).

Adds approvedGitRepositories: [] to .yarnrc.yml to block git-based dependencies by default unless explicitly allowlisted.

Reviewed by Cursor Bugbot for commit 455c637. Bugbot is set up for automated code reviews on this repo. Configure here.

@jeffsmale90 jeffsmale90 merged commit 986b147 into main May 12, 2026
19 checks passed
@jeffsmale90 jeffsmale90 deleted the upgrade/yarn branch May 12, 2026 01:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants