認証情報アクセス
Reads npm/yarn registry tokens, environment variables, and package scripts.
brew
yarn のインストール経路、実行ファイル、メタデータ、AI エージェント向けセキュリティノートを確認します。
エージェント安全性
yarn manages JavaScript dependencies and package scripts with registry access.
Reads npm/yarn registry tokens, environment variables, and package scripts.
Can install packages and run scripts that modify remote systems.
Can publish packages and build release artifacts.
Gate publish, install scripts, and credentialed registry operations.
Allow local test/build after scan; require approval for publish and lifecycle scripts.
インストール
brew install yarnlocal Homebrew formula metadata
sudo port install yarnMacPorts ports tree · devel/yarn/Portfile · ソース: api.github.com
sudo apk add yarnAlpine Linux edge package indexes · yarn · ソース: dl-cdn.alpinelinux.org
nix profile install nixpkgs#yarnnixpkgs package indexes · pkgs/by-name/ya/yarn/package.nix · ソース: api.github.com
sudo pacman -S yarnArch Linux sync databases · yarn · ソース: geo.mirror.pkgbuild.com
sudo zypper install yarnopenSUSE Tumbleweed package metadata · yarn · ソース: download.opensuse.org
sudo apt install yarnpkgDebian stable package indexes · yarnpkg · ソース: deb.debian.org
sudo dnf install yarnpkgFedora Rawhide package metadata · yarnpkg · ソース: dl.fedoraproject.org
choco install yarnChocolatey community package catalog · yarn · ソース: community.chocolatey.org
scoop install main/yarnScoop official bucket manifest trees · bucket/yarn.json · ソース: api.github.com
winget install --id Yarn.Yarn -eWindows Package Manager source index · Yarn.Yarn · ソース: cdn.winget.microsoft.com
概要
JavaScript package manager
履歴
Yarn is a JavaScript package manager created to make npm-registry installs faster, more reliable, and more reproducible. The Homebrew `yarn` package points at the classic 1.x line, but the project history continues through Yarn Berry and modern Yarn releases.
Yarn was open-sourced on 2016-10-11 as a collaboration between Facebook, Exponent, Google, and Tilde. The launch post emphasized continued access to the npm registry while improving speed, consistency across machines, and secure offline operation.
The 1.x line established the features that made Yarn famous: a lockfile, deterministic installs, a global cache, offline mode, checksums, concurrency, and workspace-oriented workflows. The classic repository README now says the 1.x codebase is frozen except for historical upkeep and occasional hotfixes.
Modern Yarn moved to the yarnpkg/berry repository, created in 2018. Yarn 2.0 shipped on 2020-01-24 after a year of intensive development, bringing a TypeScript codebase, plugin architecture, Plug'n'Play, workspace-aware commands, a YAML lockfile/config model, and a different release and migration story from classic Yarn. Yarn 4.0 followed in 2023 after a long release-candidate cycle focused on reducing migration pain and improving user experience.
Yarn's adoption was fast because it solved immediate pain in large JavaScript dependency trees: slow installs, non-determinism, network fragility, and inconsistent environments. It did not replace the npm registry; it competed at the client and workflow layer while consuming the same package ecosystem.
Classic Yarn became common in CI systems, monorepos, front-end applications, and open-source JavaScript projects. Later Yarn adoption split into two cultures: projects staying on stable 1.22.x for node_modules compatibility and projects moving to Berry for Plug'n'Play, constraints, plugins, workspaces, and zero-install workflows.
Typical classic workflows are `yarn install`, `yarn add`, `yarn remove`, `yarn upgrade`, and `yarn run`, with `yarn.lock` committed so dependency resolution is reproducible. Workspaces let monorepos manage multiple packages in a single install graph.
Modern Yarn expands that usage into project management: `yarn set version`, plugins, constraints, workspace foreach commands, patch protocols, portable script execution, and selectable install strategies including node_modules and Plug'n'Play.
Yarn is one of the defining package-manager projects of the 2010s because it forced JavaScript tooling to treat reproducibility, lockfiles, cache behavior, and CI determinism as first-class package-manager features. Its competition with npm changed expectations for every JavaScript dependency client that followed.
For package nerds, Yarn is also a rare case where the package manager itself has two living historical identities: Yarn Classic as the widely packaged 1.x executable and Yarn Berry/Modern as the active architecture with plugins, PnP, and project-management features.
セキュリティ状態
package manager and supply-chain mutator.
リスク orange · 信頼度 高 · infrastructure
エージェントに無人実行させる前に、このツールが平文の認証情報を読むか、リモート状態を書き込むか、成果物を公開するか、プラグインを起動するかを確認してください。
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
.yarnrc実行可能ファイル
| コマンド | 種類 | 公開範囲 | メモ |
|---|---|---|---|
yarn | cli | グローバル実行可能ファイル | |
yarnpkg | cli | グローバル実行可能ファイル |
鮮度
これらの信号は、ページ生成時期、パッケージマネージャの活動、上流リリース比較を分けて示します。バージョン遅れは、証拠 URL と比較可能なバージョンがある場合だけ警告されます。
https://github.com/yarnpkg/yarn
インストールメタデータ
| パッケージキー | brew:yarn |
|---|---|
| バージョン | 1.22.22 |
| パッケージマネージャ | Homebrew |
| パッケージマネージャページ | https://formulae.brew.sh/formula/yarn |
| ホームページ | https://yarnpkg.com/ |
| リポジトリ | https://github.com/yarnpkg/yarn |
| 上流ドキュメント | https://classic.yarnpkg.com/en/docs |
| ライセンス | BSD-2-Clause |
| ソースアーカイブ | https://github.com/yarnpkg/yarn/releases/download/v1.22.22/yarn-v1.22.22.tar.gz |
| 最終更新 | 2026-07-04T13:13:45+09:00 |
| Pulse | updated |
| Bottle | 利用可能 (対象 all) |
| Homebrew post-install | 未定義 |
| サービス | 宣言なし |
| 注意点 | yarn requires a Node installation to function. You can install one with: brew install node |
レジストリ情報
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | yarn |
| Version Scheme | 0 |
| Revision | 0 |
| Conflicts With |
|
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
ソースデータベース一致
一致は外部パッケージマネージャインデックスから取得され、ローカルの Automic Vault パッケージリンクとは分けて表示されます。
yarn
nix profile install nixpkgs#yarnyarn 1.22.22-r1
Fast, reliable, and secure dependency management for Node.js
sudo apk add yarnyarn 1.22.22-2
Fast, reliable, and secure dependency management
sudo pacman -S yarnyarn 1.22.22-1.4
📦🐈 Fast, reliable, and secure dependency management
https://github.com/yarnpkg/yarn/releases
sudo zypper install yarnyarn
sudo port install yarnyarn
choco install yarnmain/yarn
scoop install main/yarnYarn.Yarn
winget install --id Yarn.Yarn -eyarnpkg 4.1.0+dfsg-1
Fast, reliable, and secure dependency management
https://github.com/yarnpkg/berry
sudo apt install yarnpkgyarnpkg 1.22.19+~cs24.27.18-4
Fast, reliable and secure npm alternative
https://github.com/yarnpkg/yarn
sudo apt install yarnpkgyarnpkg 1.22.22-18.fc45
Fast, reliable, and secure dependency management.
https://github.com/yarnpkg/yarn
sudo dnf install yarnpkgソース経路
このページは scripts/generate-pkg-sqlite.py が生成した非公開のパッケージ SQLite アーティファクトから av-web によって提供されます。
View the package source record on GitHub.