How to identify which version of Yarn is used by a project?

Asked 23/5, 2022 at 9:17 Answered 20/6 at 14:7

For the OSS Review Toolkit project, I would like to identify which version of yarn is used by a given project in a given repository.

Which criteria should be used ? There is:

package.json/packageManager which requires Corepack and may not be used by all projects.
look at the version .yarn/releases/*
check the .yarnrc file: if this is yarnrc.yml then this is Yarn 2+.
the version in yarn.lock seems to not be related to the Yarn version used for the project (but please correct me if I am wrong).

Is there any other criteria that could be used to disambiguiate if this is a Yarn 1, 2 or 3 project ?

Rist answered 23/5, 2022 at 9:17 Comment(4)

Why not run yarn --version? – Bechuana 28/5, 2022 at 20:29

I understand what you mean: even if you have Yarn1 installed globally, having a project configured with Yarn2+ with a .yarnrc and a .yarn/releases/XXX.cjs file, calling yarn returns the correct version, because the file in .yarn/releases/XXX.cjs will be called. – Rist 30/5, 2022 at 8:2

This raise a new concern :) If I have a project and put some malicious code in the .yarn/release/XXX.cjs file, won't I be able to compromise the users running yarn in my project source tree ? – Rist 30/5, 2022 at 8:4

Yes, but at this point it's much easier to just put a malicious postinstall script, either inside the project or hidden within of its dependencies 🤷‍♀️ – Bechuana 30/5, 2022 at 20:28

The frustrating answer is that there isn't an easy way (although there probably should be). Running yarn -v will simply show your global yarn version; not the local repo. You need to look for the same hints you listed.

Perhaps your collaborators can agree to make an arbitrary .yarnver file that simply contains something like:

1.22.11

Verbena answered 16/9, 2022 at 3:35 Comment(0)

In my experience, it shows the version of yarn being run when you perform a yarn command (e.g. yarn install) on a repository.

Effendi answered 20/6 at 14:7 Comment(0)

Recommended topics

Hot tags