Update dependency yarn to v1.22.13 [SECURITY]#269

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-yarn-vulnerability

@renovate renovate bot commented Feb 21, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
yarn | 1.22.4 → 1.22.13 | age | confidence

GitHub Vulnerability Alerts

CVE-2021-4435

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.


Release Notes

yarnpkg/yarn (yarn)

v1.22.13

Compare Source

  • Fixes a potential security issue where packages could run scripts even with --ignore-builds set (Windows only)
  • Fixes yarn init -y2 w/ Corepack
  • yarn set version stable (and canary) will now defer to the stable & canary for upgrading the project

v1.22.12

Compare Source

Bogus release (published the wrong folder)

v1.22.11

Compare Source

This version fixes a problem where Yarn wasn't forwarding SIGTERM to the binary spawned via yarnPath. It also makes yarn init -2 compatible with Corepack. The behaviour of yarn init (without -2) doesn't change.

Remember that Yarn 1.x won't receive further functional improvements. We recommend you to switch to the recently-released 3.0, and to ping us on Discord if you find issues when migrating (also check our Migration Guide).

v1.22.10

  • Tweak the preinstall check to not cause errors when Node is installed as root (as a downside, it won't run at all on Windows, which should be an acceptable tradeoff): #8358

v1.22.7

This release doesn't change anything and was caused by a publish issue.

v1.22.6

  • Running yarn init with the -2 flag won't print the set version output anymore.

  • A new preinstall check will ensure that npm install -g yarn works even under Corepack. It doesn't have any effect on other setups.

v1.22.5

Compare Source

  • Headers won't be printed when calling yarn init with the -2 flag

    Maël Nison

  • Files with the .cjs extension will be spawned by yarnPath using execPath

    #8144 - bgotink

  • Generates local yarn versions as .cjs files when calling yarn set version

    #8145 - bgotink

  • Sorts files when running yarn pack to produce identical layout on Windows and Unix systems

    #8142 - Merceyz


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency yarn to v1.22.13 [SECURITY] Update dependency yarn to v1.22.13 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-yarn-vulnerability branch March 27, 2026 00:53
@renovate renovate bot changed the title Update dependency yarn to v1.22.13 [SECURITY] - autoclosed Update dependency yarn to v1.22.13 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-yarn-vulnerability branch 2 times, most recently from 6353f2a to c9739b5 Compare March 30, 2026 17:49