Bumps yarn from 1.7.0 to 1.19.1. This update includes a security fix.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **High severity vulnerability that affects yarn**
> Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
>
> Affected versions: < 1.17.3
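A defender-side check for the lockfile problem the advisory describes, added here as an example (not Yarn's or Dependabot's own code): it parses a yarn lockfile v1 and flags every entry whose `resolved` URL is not HTTPS, since a plain-HTTP registry URL is what lets credentials travel unencrypted, and also entries carrying no `integrity` hash. The sample lockfile, package names and hashes are constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample yarn.lock (v1 format); names and hashes are made up.
SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"left-pad@^1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
  integrity sha512-XI5MPzVNApjAyhQzphX8BZhXvtPVACxVGNgqt/8c3GbiGq5N7NjPX4IfSBYq5dTiDl7Dh3f4zKrVd+wmFj3exw==

"internal-widget@^2.0.0":
  version "2.0.0"
  resolved "http://npm.internal.example/internal-widget/-/internal-widget-2.0.0.tgz#0123456789abcdef0123456789abcdef01234567"
  integrity sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

"old-pkg@^0.1.0":
  version "0.1.0"
  resolved "https://registry.yarnpkg.com/old-pkg/-/old-pkg-0.1.0.tgz#fedcba9876543210fedcba9876543210fedcba98"
"""


def parse_lockfile(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a yarn lockfile v1 into {entry_key: {"version": ..., "resolved": ..., "integrity": ...}}.

    Top-level lines (no indentation, ending in ':') open an entry; indented
    'field value' lines belong to the most recent entry. Comments and blank
    lines are skipped.
    """
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if not raw.startswith(" "):
            current = raw.rstrip().rstrip(":").strip('"')
            entries[current] = {}
            continue
        if current is None:
            continue
        field, _, value = raw.strip().partition(" ")
        entries[current][field] = value.strip('"')
    return entries


def audit_lockfile(text: str) -> List[Tuple[str, str]]:
    """Return (entry_key, finding) pairs for entries that resolve over a
    non-HTTPS URL (credentials would be sent in clear) or lack an integrity hash."""
    findings: List[Tuple[str, str]] = []
    for key, fields in parse_lockfile(text).items():
        resolved = fields.get("resolved", "")
        scheme = urlsplit(resolved).scheme.lower()
        if scheme != "https":
            findings.append((key, f"non-HTTPS resolved URL ({scheme or 'no scheme'}): {resolved}"))
        if "integrity" not in fields:
            findings.append((key, "no integrity field; tarball hash cannot be verified"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_lockfile(SAMPLE_LOCK):
        print(f"{entry}: {finding}")
```

Run it against a real `yarn.lock` by reading the file into `audit_lockfile`; an empty result means every entry resolves over HTTPS and carries an integrity hash.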
Release notes
*Sourced from [yarn's releases](https://github.com/yarnpkg/yarn/releases).*
> ## v1.19.1
> No release notes provided.
>
> ## v1.19.0
> No release notes provided.
>
> ## v1.18.0
> No release notes provided.
>
> ## v1.17.3
> No release notes provided.
>
> ## v1.17.2
> No release notes provided.
>
> ## v1.17.1
> No release notes provided.
>
> ## v1.17.0
> No release notes provided.
>
> ## v1.16.0
> No release notes provided.
>
> ## v1.15.2
> No release notes provided.
>
> ## v1.15.1
> No release notes provided.
>
> ## v1.15.0
> No release notes provided.
>
> ## v1.14.0
> No release notes provided.
>
> ## v1.13.0
> - Implements a new `package.json` field: `peerDependenciesMeta`
>
> [#6671](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6671) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Adds an `optional` setting to `peerDependenciesMeta` to silence missing peer dependency warnings
>
> [#6671](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6671) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Implements `yarn policies set-version [range]`. Check [the documentation]() for usage & tips.
>
> [#6673](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6673) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Fixes a resolution issue when a package had an invalid `main` entry
> ... (truncated)
Changelog
*Sourced from [yarn's changelog](https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md).*
> ## 1.19.1
>
> **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
>
> - Computes the `--modules-folder` & friends paths based on the cwd.
>
> [#7607](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7607) - [**mbpreble**](https://github.com/mbpreble)
>
> - Stores the sha512 in the cache even when not provided by the server.
>
> [#7591](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7591) - [**Maël Nison**](https://twitter.com/arcanis) / [#7595](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7595) - [**Michael**](https://github.com/Blasz)
>
> - Uses the right Node binary when using `yarn-path`.
>
> [#7592](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7592) - [**Maël Nison**](https://twitter.com/arcanis)
>
> ## 1.19.0
>
> **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
>
> - Fixes a potential vulnerability regarding how the build artifacts are stored
>
> Reported by [**ChALkeR**](https://github.com/ChALkeR), fixed by [**Maël Nison**](https://twitter.com/arcanis)
>
> ## 1.18.0
>
> - Suggests using the Yarn 2 development trunk on PnP-enabled projects
>
> [#7512](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Preserves linked packages when calling `yarn create`
>
> [#7543](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7543) - [**Nick McCurdy**](https://github.com/nickmccurdy)
>
> - Fixes the offline mirror filenames when using Verdaccio
>
> [#7499](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7499) - [**xv2**](https://github.com/xv2)
>
> - Fixes using `link:.` to refer to the package folder
>
> [#7512](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Runs the `prepare` lifecycle of git dependencies even if `NODE_ENV` is set to `production`.
>
> [#7398](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7398) - [**John Firebaugh**](https://github.com/jfirebaugh)
>
> - Fixes the `postversion` lifecycle method not being called when using `--no-git-tag-version`.
>
> [#7154](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7154) - [**Hampus Tågerud**](https://github.com/hampustagerud)
>
> ... (truncated)
Commits
- [`cabd2c5`](https://github.com/yarnpkg/yarn/commit/cabd2c5d07910d99dc47cb5736899f24aa720fc0) v1.19.1
- [`5dae655`](https://github.com/yarnpkg/yarn/commit/5dae65559e403dfc55f7491d4bf26f60bdf061ad) Resolves folder options (i.e. --modules-folder) relative to cwd ([#7074](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7074)) ([#7607](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7607))
- [`1319691`](https://github.com/yarnpkg/yarn/commit/13196918720ed1f2634bf804b86cf213f2c1c677) Fix cache integrity check false-positives across multiple registries ([#7595](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7595))
- [`1ff9acc`](https://github.com/yarnpkg/yarn/commit/1ff9acc453c5766cbb2dbbc806a941c6622b1922) Enforces sha512 in the cache ([#7591](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7591))
- [`4ce48ce`](https://github.com/yarnpkg/yarn/commit/4ce48ce3dfa6f6b95b91d33eb4f1330f3bb10969) Fixes Node forwarding w/ yarn-path ([#7592](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7592))
- [`52986be`](https://github.com/yarnpkg/yarn/commit/52986be4d38dae08ac2c6b4b2e1be9f2f842a4cc) Use different folders with integrity or without ([#7586](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7586))
- [`c3d256f`](https://github.com/yarnpkg/yarn/commit/c3d256fcf641de4fe8d4d6034a2b046fafae30c0) v1.19.0
- [`34efd23`](https://github.com/yarnpkg/yarn/commit/34efd23305b9da701aae96f29302b71a5a0ea2e6) Adds a check for the hash too
- [`fa74645`](https://github.com/yarnpkg/yarn/commit/fa746451eeae79ec35e87bbec14576d6831984fe) Validation fix ([#7582](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7582))
- [`29a8c58`](https://github.com/yarnpkg/yarn/commit/29a8c583179ec77b5fdcdd3ce348bbe08ecd2abf) Fixes the problem another way
- Additional commits viewable in [compare view](https://github.com/yarnpkg/yarn/compare/v1.7.0...v1.19.1)
Maintainer changes
This version was pushed to npm by [danbuild](https://www.npmjs.com/~danbuild), a new releaser for yarn since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)