Bumps yarn from 1.7.0 to 1.19.2. This update includes a security fix.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **High severity vulnerability that affects yarn**
> Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
>
> Affected versions: < 1.17.3
Release notes
*Sourced from [yarn's releases](https://github.com/yarnpkg/yarn/releases).*
> ## v1.19.2
> No release notes provided.
>
> ## v1.19.1
> No release notes provided.
>
> ## v1.19.0
> No release notes provided.
>
> ## v1.18.0
> No release notes provided.
>
> ## v1.17.3
> No release notes provided.
>
> ## v1.17.2
> No release notes provided.
>
> ## v1.17.1
> No release notes provided.
>
> ## v1.17.0
> No release notes provided.
>
> ## v1.16.0
> No release notes provided.
>
> ## v1.15.2
> No release notes provided.
>
> ## v1.15.1
> No release notes provided.
>
> ## v1.15.0
> No release notes provided.
>
> ## v1.14.0
> No release notes provided.
>
> ## v1.13.0
> - Implements a new `package.json` field: `peerDependenciesMeta`
>
> [#6671](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6671) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Adds an `optional` setting to `peerDependenciesMeta` to silence missing peer dependency warnings
>
> [#6671](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/6671) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Implements `yarn policies set-version [range]`. Check [the documentation]() for usage & tips.
>
> ... (truncated)
Changelog
*Sourced from [yarn's changelog](https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md).*
> # Changelog
>
> Please add one entry in this file for each change in Yarn's behavior. Use the same format for all entries, including the third-person verb. Make sure you don't add more than one line of text to keep it clean. Thanks!
>
> ## Master
>
> - Folders like `.cache` won't be pruned from the `node_modules` after each install.
>
> [#7699](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7699) - [**Maël Nison**](https://twitter.com/arcanis)
>
> - Correctly installs workspace child dependencies when workspace child not symlinked to root.
>
> [#7289](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7289) - [**Daniel Tschinder**](https://github.com/danez)
>
> - Makes running scripts with Plug'n Play possible on node 13.
>
> [#7650](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7650) - [**Sander Verweij**](https://github.com/sverweij)
>
> - Change run command to check cwd/node_modules/.bin for commands. Fixes run in workspaces.
>
> [#7151](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7151) - [**Jeff Valore**](https://twitter.com/codingwithspike)
>
> ## 1.19.1
>
> **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
>
> - Computes the `--modules-folder` & friends paths based on the cwd.
>
> [#7607](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7607) - [**mbpreble**](https://github.com/mbpreble)
>
> - Stores the sha512 in the cache even when not provided by the server.
>
> [#7591](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7591) - [**Maël Nison**](https://twitter.com/arcanis) / [#7595](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7595) - [**Michael**](https://github.com/Blasz)
>
> - Uses the right Node binary when using `yarn-path`.
>
> [#7592](https://github-redirect.dependabot.com/yarnpkg/yarn/pull/7592) - [**Maël Nison**](https://twitter.com/arcanis)
>
> ## 1.19.0
>
> **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
>
> - Fixes a potential vulnerability regarding how the build artifacts are stored
>
> Reported by [**ChALkeR**](https://github.com/ChALkeR), fixed by [**Maël Nison**](https://twitter.com/arcanis)
>
> ## 1.18.0
>
> - Suggests using the Yarn 2 development trunk on PnP-enabled projects
>
> ... (truncated)
Commits
- [`823b64c`](https://github.com/yarnpkg/yarn/commit/823b64c4597ba33050dbe71415223ecd77b609ef) v1.19.2
- [`999b2b4`](https://github.com/yarnpkg/yarn/commit/999b2b45c95f8f14c2997838ccf5a55cbcc28d42) Prevents cache removal when running an install ([#7699](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7699))
- [`a9f57e5`](https://github.com/yarnpkg/yarn/commit/a9f57e5c59636abc4592fed821c0305b42dc8656) Correctly install workspace child deps when workspace child not symlinked to ...
- [`62e83f3`](https://github.com/yarnpkg/yarn/commit/62e83f335e4769d70a0d18c23e7e3d551386ab8b) make running with Plug'n Play possible on node 13 ([#7650](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7650))
- [`bac6c54`](https://github.com/yarnpkg/yarn/commit/bac6c54af6c52876440c68d53c55e990e7bd3182) ci(circleci): prevent timeout on circle-ci macos node10 build ([#7651](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7651))
- [`45ea61b`](https://github.com/yarnpkg/yarn/commit/45ea61bbc1f1066e837d3402edba834ef5982176) fix(run): add cwd/node_modules/.bin to run command search path ([#7151](https://github-redirect.dependabot.com/yarnpkg/yarn/issues/7151))
- [`3e0a32c`](https://github.com/yarnpkg/yarn/commit/3e0a32c990cfc340899a9c911282f88cf69215b3) Update CHANGELOG.md
- [`d03a083`](https://github.com/yarnpkg/yarn/commit/d03a0830d07af230e0e7669948a4773be0e2e790) Update CHANGELOG.md
- [`213433c`](https://github.com/yarnpkg/yarn/commit/213433c2902a2d9bd208894a75a0691f42b9e5cb) Update CHANGELOG.md
- [`cabd2c5`](https://github.com/yarnpkg/yarn/commit/cabd2c5d07910d99dc47cb5736899f24aa720fc0) v1.19.1
- Additional commits viewable in [compare view](https://github.com/yarnpkg/yarn/compare/v1.7.0...v1.19.2)
Maintainer changes
This version was pushed to npm by [danbuild](https://www.npmjs.com/~danbuild), a new releaser for yarn since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
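
The advisory quoted in this PR traces the exposure to HTTP URLs in the lockfile. As an added example (not part of the Dependabot PR or of yarn's code), the check below scans `yarn.lock` v1 text for `resolved` entries that use plain HTTP and tests a yarn version against the affected range `< 1.17.3`; the sample lockfile, package names, hosts and hashes are constructed placeholders.

```javascript
// Constructed sample in yarn.lock v1 format; names, hosts and hashes are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1

example-a@^1.0.0:
  version "1.0.2"
  resolved "https://registry.example.test/example-a/-/example-a-1.0.2.tgz#0000"

"@scope/example-b@^2.0.0", "@scope/example-b@^2.1.0":
  version "2.1.0"
  resolved "http://mirror.example.test/@scope/example-b/-/example-b-2.1.0.tgz#0000"
  dependencies:
    example-a "^1.0.0"

example-c@git+http://git.example.test/example-c.git:
  version "0.3.0"
  resolved "git+http://git.example.test/example-c.git#0000"
`;

// Return every lockfile entry whose "resolved" URL uses plain HTTP.
function findInsecureResolved(lockText) {
  const findings = [];
  let entry = null;
  lockText.split(/\r?\n/).forEach((line, i) => {
    // Entry headers start at column 0 and end with a colon.
    if (/^[^\s#].*:$/.test(line)) {
      entry = line.slice(0, -1);
      return;
    }
    // "https" never matches: the scheme must be followed directly by "://".
    const m = /^\s+resolved\s+"?((?:git\+)?http):\/\/([^\/#"\s]+)/i.exec(line);
    if (m) findings.push({ entry, host: m[2], scheme: m[1].toLowerCase(), line: i + 1 });
  });
  return findings;
}

// True when a yarn version falls in the advisory's affected range (< 1.17.3).
function isAffectedYarn(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const have = m.slice(1).map(Number);
  const fixed = [1, 17, 3];
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] < fixed[i];
  }
  return false; // exactly 1.17.3, the first fixed release
}

for (const hit of findInsecureResolved(SAMPLE_LOCK)) {
  console.log(`line ${hit.line}: ${hit.entry} -> ${hit.scheme}://${hit.host}`);
}
console.log("yarn 1.7.0 affected:", isAffectedYarn("1.7.0"));
```

In CI, pass the contents of the repository's `yarn.lock` to `findInsecureResolved` and fail the build when it returns any entries.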