Manage this Node.js package with version 3.6.0 of Yarn
[Version 16.20.0 of Node.js][Node.js changelog 16.20.0], released on
2023-03-29, ships with version 0.17.0 of [Corepack][Node.js 16
Corepack]; see the corresponding [pull request][GitHub repository
nodejs/node PR 46842].

3.6.0 is the latest version of Yarn at this time.

As stated in the [README][Node.js Corepack 0.17.0 README], a checksum
should be specified:

> The hash is optional but strongly recommended as a security practice.

Version 0.17.0 of [Corepack][Node.js 16 Corepack] uses the function
`createHash` of the [Node.js module `node:crypto`][Node.js 16
node:crypto]; see
https://github.com/nodejs/corepack/blob/v0.17.0/sources/corepackUtils.ts#L138-L140.
The hash/hashing algorithms that function supports "[…] is dependent on
the available algorithms supported by the version of OpenSSL on the
platform". I chose [SHA-512][SHA-2] because it strikes the best balance
between safety/security and availability, as far as I know.

[GitHub repository nodejs/corepack issue 231][]

```Shell
curl -- https://repo.yarnpkg.com/3.6.0/packages/yarnpkg-cli/bin/yarn.js | sha512sum
```
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2175k    0 2175k    0     0  3902k      0 --:--:-- --:--:-- --:--:-- 3899k
418e45c2268c4d6b69a28f3939084b5853d5f392c43c0b5588bd1995a96e328414ae4b7777a8980c64bad4328c52586ff879b289f98ae65372a55fa4d0ff70dd  -
```

after setting `packageManager` in `package.json` with that checksum:

```Shell
corepack yarn --version
```
```
3.6.0
```

There's no difference between calling `corepack yarn` and calling the
`yarn` shim installed by `corepack enable`; both are the same:

```JavaScript
require('./corepack').runMain(['yarn', ...process.argv.slice(2)]);
```

the .js file is not committed and `yarnPath` is not set:

yarnpkg/berry#4063 (comment)

> Updating the binary in the repo, is temporary, until Corepack gets
> available in all LTS releases. I think for Yarn 4 we'll consider only
> updating the package.json.

indeed,
https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md#major-changes

> `yarn set version` will now skip generating the `yarnPath`
> configuration on new projects if it detects you're using
> [Corepack][Node.js Corepack]

[GitHub repository nodejs/corepack issue 231]: nodejs/corepack#231
[GitHub repository nodejs/node PR 46842]: nodejs/node#46842
[GitHub repository yarnpkg/berry issue 4063]: yarnpkg/berry#4063
[Node.js changelog 16.20.0]: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.20.0
[Node.js Corepack]: https://nodejs.org/api/corepack.html
[Node.js Corepack 0.17.0 README]: https://github.com/nodejs/corepack/blob/v0.17.0/README.md
[Node.js 16 Corepack]: https://nodejs.org/docs/latest-v16.x/api/corepack.html
[Node.js 16 node:crypto]: https://nodejs.org/docs/latest-v16.x/api/crypto.html
[SHA-2]: https://en.wikipedia.org/wiki/SHA-2
kalrish committed Jun 28, 2023
1 parent 6eaa5b0 commit fa1bb4b
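
The commit message above pins Yarn with a `+sha512.<hex>` suffix and notes that Corepack hashes the download with `createHash` from `node:crypto`. As an added example (not code from Corepack or from this repository), the following parses such a `packageManager` value and checks a file's bytes against it; the function names, the `ACCEPTED` policy and the sample bytes are assumptions made for illustration.

```javascript
// Added example: verify bytes against a Corepack-style `packageManager` pin.
const { createHash, getHashes, timingSafeEqual } = require('node:crypto');

// name@version, optionally followed by +<algorithm>.<hex digest>
const SPEC = /^([^@+]+)@([^+]+)(?:\+([a-z0-9-]+)\.([0-9a-f]+))?$/i;
// Assumed policy for this example: algorithms accepted as a meaningful pin.
const ACCEPTED = new Set(['sha256', 'sha384', 'sha512']);

function parsePackageManager(spec) {
  const m = SPEC.exec(spec);
  if (!m) throw new Error(`malformed packageManager value: ${spec}`);
  const [, name, version, algorithm, digest] = m;
  return { name, version, algorithm: algorithm?.toLowerCase(), digest: digest?.toLowerCase() };
}

// Returns 'ok', 'mismatch', 'unpinned' or 'weak-algorithm'.
function checkPin(spec, fileBytes) {
  const { algorithm, digest } = parsePackageManager(spec);
  if (!algorithm) return 'unpinned'; // the hash is optional, so report its absence
  // The algorithm must pass the policy and exist in this platform's OpenSSL build.
  if (!ACCEPTED.has(algorithm) || !getHashes().includes(algorithm)) return 'weak-algorithm';
  const actual = createHash(algorithm).update(fileBytes).digest();
  const expected = Buffer.from(digest, 'hex');
  // Compare lengths first: timingSafeEqual throws on buffers of unequal length.
  if (expected.length !== actual.length) return 'mismatch';
  return timingSafeEqual(expected, actual) ? 'ok' : 'mismatch';
}

// Constructed sample: stand-in bytes for a downloaded yarn.js, not the real release.
const sample = Buffer.from('#!/usr/bin/env node\nconsole.log("constructed stand-in");\n');
const pin = `yarn@3.6.0+sha512.${createHash('sha512').update(sample).digest('hex')}`;

function demo() {
  return [
    checkPin(pin, sample),                                    // untouched bytes
    checkPin(pin, Buffer.concat([sample, Buffer.from(' ')])), // one byte appended
    checkPin('yarn@3.6.0', sample),                           // version only, no hash
    checkPin(`yarn@3.6.0+md5.${'a'.repeat(32)}`, sample),     // rejected by policy
  ];
}

console.log(demo());
```
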
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -3,5 +3,6 @@
"version": "0.0.0",
"files": [
],
"packageManager": "yarn@3.6.0+sha512.418e45c2268c4d6b69a28f3939084b5853d5f392c43c0b5588bd1995a96e328414ae4b7777a8980c64bad4328c52586ff879b289f98ae65372a55fa4d0ff70dd",
"type": "module"
}
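
Review bot: the digest on the added `packageManager` line is a trust-on-first-use pin, since the commit message shows it was computed from a single `curl -- https://repo.yarnpkg.com/3.6.0/packages/yarnpkg-cli/bin/yarn.js | sha512sum` run, so it records whatever that one download returned. The value does match the quoted `sha512sum` output character for character, but before merging I would cross-check it against a second, independent download, and I would rerun the command with `curl --fail` so that an HTTP error body can never be hashed in place of the file. Because `package.json` cannot carry comments, a short note in the project documentation on how to regenerate the value would help whoever bumps Yarn next.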
