sdc224 / electron-react-ts

Electron React TS
MIT License

Update dependency yarn to v1.22.13 [SECURITY] - autoclosed #252

Closed renovate[bot] closed 2 months ago

renovate[bot] commented 8 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| yarn | 1.22.4 -> 1.22.13 |

GitHub Vulnerability Alerts

CVE-2021-4435

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.


Release Notes

yarnpkg/yarn (yarn)

### [`v1.22.13`](https://togithub.com/yarnpkg/yarn/releases/tag/v1.22.13)

[Compare Source](https://togithub.com/yarnpkg/yarn/compare/v1.22.12...v1.22.13)

- Fixes a potential security issue where packages could run scripts even with `--ignore-builds` set (Windows only)
- Fixes `yarn init -y2` w/ Corepack
- `yarn set version stable` (and `canary`) will now defer to the stable & canary for upgrading the project

### [`v1.22.12`](https://togithub.com/yarnpkg/yarn/releases/tag/v1.22.12)

[Compare Source](https://togithub.com/yarnpkg/yarn/compare/1.22.11...v1.22.12)

Bogus release (published the wrong folder)

### [`v1.22.11`](https://togithub.com/yarnpkg/yarn/blob/HEAD/CHANGELOG.md#12211)

[Compare Source](https://togithub.com/yarnpkg/yarn/compare/1.22.10...1.22.11)

This version fixes a problem where Yarn wasn't forwarding SIGTERM to the binary spawned via `yarnPath`. It also makes `yarn init -2` compatible with [Corepack](https://togithub.com/nodejs/corepack). The behaviour of `yarn init` (without `-2`) doesn't change.

Remember that Yarn 1.x won't receive further functional improvements. We recommend you to switch to the recently-released 3.0, and to ping us on Discord if you find issues when migrating (also check our [Migration Guide](https://yarnpkg.com/getting-started/migration#why-should-you-migrate)).

### [`v1.22.10`](https://togithub.com/yarnpkg/yarn/blob/HEAD/CHANGELOG.md#12210-and-prior)

- Tweak the preinstall check to not cause errors when Node is installed as root (as a downside, it won't run at all on Windows, which should be an acceptable tradeoff): [https://github.com/yarnpkg/yarn/issues/8358](https://togithub.com/yarnpkg/yarn/issues/8358)

### [`v1.22.7`](https://togithub.com/yarnpkg/yarn/blob/HEAD/CHANGELOG.md#1227)

This release doesn't change anything and was caused by a publish issue.

### [`v1.22.6`](https://togithub.com/yarnpkg/yarn/blob/HEAD/CHANGELOG.md#1226)

- Running `yarn init` with the `-2` flag won't print the `set version` output anymore.
- A new preinstall check will ensure that `npm install -g yarn` works even under [Corepack](https://togithub.com/arcanis/corepack). It doesn't have any effect on other setups.

### [`v1.22.5`](https://togithub.com/yarnpkg/yarn/blob/HEAD/CHANGELOG.md#1225)

[Compare Source](https://togithub.com/yarnpkg/yarn/compare/v1.22.4...v1.22.5)

- Headers won't be printed when calling `yarn init` with the `-2` flag [**Maël Nison**](https://twitter.com/arcanis)
- Files with the `.cjs` extension will be spawned by `yarnPath` using `execPath` [#8144](https://togithub.com/yarnpkg/yarn/pull/8144) - [**bgotink**](https://togithub.com/bgotink)
- Generates local yarn versions as `.cjs` files when calling `yarn set version` [#8145](https://togithub.com/yarnpkg/yarn/pull/8145) - [**bgotink**](https://togithub.com/bgotink)
- Sorts files when running `yarn pack` to produce identical layout on Windows and Unix systems [#8142](https://togithub.com/yarnpkg/yarn/pull/8142) - [**Merceyz**](https://togithub.com/merceyz)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.