Update dependency yarn to v1.22.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
yarn	devDependencies	minor	1.15.2 -> 1.22.0

GitHub Vulnerability Alerts

CVE-2019-5448

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

CVE-2019-10773

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

---

Release Notes

yarnpkg/yarn

v1.22.0

Compare Source

• Allows some dots in binary names again

  #​7811 - Valery Bugakov

• Better error handling on yarn set version

  #​7848 - Nick Olinger

• Passes arguments following -- when running a workspace script (yarn workspace pkg run command -- arg)

  #​7776 - Jeff Valore

• Fixes an issue where the archive paths were incorrectly sanitized

  #​7831 - Maël Nison

• Implements yarn init -2

  #​7862 - Maël Nison

• Implements yarn set version <version> as an alias for policies set-version

  #​7862 - Maël Nison

v1.21.1

Compare Source

v1.21.0

Compare Source

v1.19.2

Compare Source

• Folders like .cache won't be pruned from the node_modules after each install.

  #​7699 - Maël Nison

• Correctly installs workspace child dependencies when workspace child not symlinked to root.

  #​7289 - Daniel Tschinder

• Makes running scripts with Plug'n Play possible on node 13.

  #​7650 - Sander Verweij

• Change run command to check cwd/node_modules/.bin for commands. Fixes run in workspaces.

  #​7151 - Jeff Valore

v1.19.1

Compare Source

Important: This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the Offline Mirror feature. After that everything will be back to normal.

• Computes the --modules-folder & friends paths based on the cwd.

  #​7607 - mbpreble

• Stores the sha512 in the cache even when not provided by the server.

  #​7591 - Maël Nison / #​7595 - Michael

• Uses the right Node binary when using yarn-path.

  #​7592 - Maël Nison

v1.19.0

Compare Source

Important: This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the Offline Mirror feature. After that everything will be back to normal.

• Fixes a potential vulnerability regarding how the build artifacts are stored

  Reported by ChALkeR, fixed by Maël Nison

v1.18.0

Compare Source

• Suggests using the Yarn 2 development trunk on PnP-enabled projects

  #​7512 - Maël Nison

• Preserves linked packages when calling yarn create

  #​7543 - Nick McCurdy

• Fixes the offline mirror filenames when using Verdaccio

  #​7499 - xv2

• Fixes using link:. to refer to the package folder

  #​7512 - Maël Nison

• Runs the prepare lifecycle of git dependencies even if NODE_ENV is set to production.

  #​7398 - John Firebaugh

• Fixes the postversion lifecycle method not being called when using --no-git-tag-version.

  #​7154 - Hampus Tågerud

• Ignores potentially large vscode keys in package.json to avoid E2BIG errors.

  #​7419 - Eric Amodio

• Enforces https for the Yarn and npm registries.

  #​7393 - Maël Nison

• Adds support for reading yarnPath from v2-produced .yarnrc.yml files.

  #​7350 - Maël Nison

v1.17.3

Compare Source

v1.17.2

Compare Source

v1.17.1

Compare Source

v1.17.0

Compare Source

• Adds prereleases flags and prerelease identifier to yarn version.

  #​7336 - Daniel Seijo

• Fixes audits when used with yarn add & yarn upgrade

  #​7326 - David Sanders

• Adds support for the --offline flag to yarn global add

  #​7330 - Francis Crick

• Yarn will tolerate Yaml at parse time. Full support isn't ready yet and will only come at the next major.

  #​7300 - Maël Nison

• Fixes a bug when using the link: protocol with a folder that doesn't contain a package.json

  #​7337 - Maël Nison

v1.16.0

Compare Source

• Retries downloading a package on yarn install when we get a ETIMEDOUT error.

  #​7163 - Vincent Bailly

• Implements yarn audit --level [severity] flag to filter the audit command's output.

  #​6716 - Rogério Vicente

• Implements yarn audit --groups group_name [group_name ...].

  #​6724 - Tom Milligan

• Exposes the script environment variables to yarn create spawned processes.

  #​7127 - Eli Perelman

• Prevents EPIPE errors from being printed.

  #​7194 - Abhishek Reddy

• Adds support for the npm enterprise URLs when computing the offline mirror filenames.

  #​7200 - John Millikin

• Tweaks the lockfile parser logic to parse a few extra cases

  #​7210 - Maël Nison

---

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will now ignore this update (^1.15.2). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.