Credential access
Reads npm/yarn registry tokens, environment variables, and package scripts.
brew
JavaScript package manager. Version 1.22.22 via Homebrew; verified 2026-07-04.
agent safety
yarn manages JavaScript dependencies and package scripts with registry access.
Reads npm/yarn registry tokens, environment variables, and package scripts.
Can install packages and run scripts that modify remote systems.
Can publish packages and build release artifacts.
Gate publish, install scripts, and credentialed registry operations.
Allow local test/build after scan; require approval for publish and lifecycle scripts.
install
brew install yarnlocal Homebrew formula metadata
sudo port install yarnMacPorts ports tree · devel/yarn/Portfile · source: api.github.com
sudo apk add yarnAlpine Linux edge package indexes · yarn · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#yarnnixpkgs package indexes · pkgs/by-name/ya/yarn/package.nix · source: api.github.com
sudo pacman -S yarnArch Linux sync databases · yarn · source: geo.mirror.pkgbuild.com
sudo zypper install yarnopenSUSE Tumbleweed package metadata · yarn · source: download.opensuse.org
sudo apt install yarnpkgDebian stable package indexes · yarnpkg · source: deb.debian.org
sudo dnf install yarnpkgFedora Rawhide package metadata · yarnpkg · source: dl.fedoraproject.org
choco install yarnChocolatey community package catalog · yarn · source: community.chocolatey.org
scoop install main/yarnScoop official bucket manifest trees · bucket/yarn.json · source: api.github.com
winget install --id Yarn.Yarn -eWindows Package Manager source index · Yarn.Yarn · source: cdn.winget.microsoft.com
overview
JavaScript package manager
history
Yarn is a JavaScript package manager created to make npm-registry installs faster, more reliable, and more reproducible. The Homebrew `yarn` package points at the classic 1.x line, but the project history continues through Yarn Berry and modern Yarn releases.
Yarn was open-sourced on 2016-10-11 as a collaboration between Facebook, Exponent, Google, and Tilde. The launch post emphasized continued access to the npm registry while improving speed, consistency across machines, and secure offline operation.
The 1.x line established the features that made Yarn famous: a lockfile, deterministic installs, a global cache, offline mode, checksums, concurrency, and workspace-oriented workflows. The classic repository README now says the 1.x codebase is frozen except for historical upkeep and occasional hotfixes.
Modern Yarn moved to the yarnpkg/berry repository, created in 2018. Yarn 2.0 shipped on 2020-01-24 after a year of intensive development, bringing a TypeScript codebase, plugin architecture, Plug'n'Play, workspace-aware commands, a YAML lockfile/config model, and a different release and migration story from classic Yarn. Yarn 4.0 followed in 2023 after a long release-candidate cycle focused on reducing migration pain and improving user experience.
Yarn's adoption was fast because it solved immediate pain in large JavaScript dependency trees: slow installs, non-determinism, network fragility, and inconsistent environments. It did not replace the npm registry; it competed at the client and workflow layer while consuming the same package ecosystem.
Classic Yarn became common in CI systems, monorepos, front-end applications, and open-source JavaScript projects. Later Yarn adoption split into two cultures: projects staying on stable 1.22.x for node_modules compatibility and projects moving to Berry for Plug'n'Play, constraints, plugins, workspaces, and zero-install workflows.
Typical classic workflows are `yarn install`, `yarn add`, `yarn remove`, `yarn upgrade`, and `yarn run`, with `yarn.lock` committed so dependency resolution is reproducible. Workspaces let monorepos manage multiple packages in a single install graph.
Modern Yarn expands that usage into project management: `yarn set version`, plugins, constraints, workspace foreach commands, patch protocols, portable script execution, and selectable install strategies including node_modules and Plug'n'Play.
Yarn is one of the defining package-manager projects of the 2010s because it forced JavaScript tooling to treat reproducibility, lockfiles, cache behavior, and CI determinism as first-class package-manager features. Its competition with npm changed expectations for every JavaScript dependency client that followed.
For package nerds, Yarn is also a rare case where the package manager itself has two living historical identities: Yarn Classic as the widely packaged 1.x executable and Yarn Berry/Modern as the active architecture with plugins, PnP, and project-management features.
security posture
package manager and supply-chain mutator.
orange risk · high confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
.yarnrcexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
yarn | cli | global executable | |
yarnpkg | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/yarnpkg/yarn
install metadata
| Package key | brew:yarn |
|---|---|
| Version | 1.22.22 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/yarn |
| Homepage | https://yarnpkg.com/ |
| Repository | https://github.com/yarnpkg/yarn |
| Upstream docs | https://classic.yarnpkg.com/en/docs |
| License | BSD-2-Clause |
| Source archive | https://github.com/yarnpkg/yarn/releases/download/v1.22.22/yarn-v1.22.22.tar.gz |
| Last updated | 2026-07-04T13:13:45+09:00 |
| Pulse | updated |
| Bottle | available (on all) |
| Homebrew post-install | not defined |
| Service | none declared |
| Caveats | yarn requires a Node installation to function. You can install one with: brew install node |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | yarn |
| Version Scheme | 0 |
| Revision | 0 |
| Conflicts With |
|
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
yarn
nix profile install nixpkgs#yarnyarn 1.22.22-r1
Fast, reliable, and secure dependency management for Node.js
sudo apk add yarnyarn 1.22.22-2
Fast, reliable, and secure dependency management
sudo pacman -S yarnyarn 1.22.22-1.4
📦🐈 Fast, reliable, and secure dependency management
https://github.com/yarnpkg/yarn/releases
sudo zypper install yarnyarn
sudo port install yarnyarn
choco install yarnmain/yarn
scoop install main/yarnYarn.Yarn
winget install --id Yarn.Yarn -eyarnpkg 4.1.0+dfsg-1
Fast, reliable, and secure dependency management
https://github.com/yarnpkg/berry
sudo apt install yarnpkgyarnpkg 1.22.19+~cs24.27.18-4
Fast, reliable and secure npm alternative
https://github.com/yarnpkg/yarn
sudo apt install yarnpkgyarnpkg 1.22.22-18.fc45
Fast, reliable, and secure dependency management.
https://github.com/yarnpkg/yarn
sudo dnf install yarnpkgsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.