New Yarn version, package.json bin causes warning

[Beanow]

With the recent security changes: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

It causes a warning

warning sha.js@2.4.11: Invalid bin entry for "sha.js" (in "sha.js").

[fanatid]

I do not see warning...

$ npm i sha.js
npm WARN saveError ENOENT: no such file or directory, open '/home/kirill/tmp/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/kirill/tmp/package.json'
npm WARN tmp No description
npm WARN tmp No repository field.
npm WARN tmp No README data
npm WARN tmp No license field.

+ sha.js@2.4.11
added 3 packages from 2 contributors and audited 3 packages in 1.295s
found 0 vulnerabilities

$ npm --version
6.13.4

$ node --version
v13.5.0

[Beanow]

You're right I narrowed it down to just yarn v1.21.1.

yarn cache clean
yarn add sha.js

# warning sha.js@2.4.11: Invalid bin entry for "sha.js" (in "sha.js").

When the cache isn't cleared, the warning doesn't show up next time. Even in a fresh directory.

[fanatid]

So the fix will be remove bin at all or change package.json to?

"bin": {
  "shajs":"./bin.js"
},

[Beanow]

I'm not certain about the fix, just happened to encounter this in the wild. It shouldn't be required by the security patch to remove it entirely though. Especially locally like we're doing here a properly formatted bin is expected to work.