
Looks like Yarn v4.0 is out

hajimism

Breaking Changes

Here's what you need to know when upgrading from 3.x projects:

  • We now require Node.js 18+.
  • New projects created with yarn init won't enable Zero-Install by default anymore.
  • New projects created with yarn init will use Corepack rather than yarnPath.
  • All official plugins (typescript, interactive-tools, ...) are now included by default.
  • The yarn workspaces foreach command has a slightly altered syntax.

If you're on Node 18, the migration should basically be fine, I guess?

hajimism

Hardened Mode

Yarn attempts to protect you from common attacks, and this is pushed even further by the introduction of the Hardened Mode. When operating under this mode, Yarn will perform two extra validations:

  • It will validate the resolutions stored in the lockfile are consistent with what the ranges could resolve to.
  • It will validate that the package metadata stored in the lockfile are consistent with the remote registry metadata.

Together, those checks will prevent any attacker from surreptitiously modifying your lockfiles when making PRs to your project using Yarn (https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/).

Ah, this one... it's tough to do in CI.
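
Added example, not part of the original scrap and not Yarn's own implementation: an offline sketch of the first Hardened Mode check quoted above, flagging lockfile entries whose stored resolution names a different package or a version outside the requested range. The entry shape follows Yarn Berry lockfile keys (`name@npm:range`) and `resolution` fields; the function names, the reduced range support and the sample entries are assumptions made for illustration.

```javascript
// Added illustration, not Yarn's code. Assumption: only exact, ^ and ~ ranges.

// Split "name@npm:ref" (or "@scope/name@npm:ref") into [name, ref].
function splitLocator(s) {
  const at = s.indexOf("@npm:", 1); // from 1: skip a scope's leading "@"
  return at < 0 ? null : [s.slice(0, at), s.slice(at + 5)];
}

// "1.2.3" -> [1, 2, 3]; anything else (prerelease, garbage) -> [].
const parseVersion = (v) => (/^(\d+)\.(\d+)\.(\d+)$/.exec(v) || []).slice(1).map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// true/false if the version is inside the range, null if syntax is unsupported.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const v = parseVersion(version), base = parseVersion(range.slice(op.length));
  if (v.length !== 3 || base.length !== 3) return null;
  if (op === "") return cmp(v, base) === 0;
  const upper = op === "~" ? [base[0], base[1] + 1, 0]
    : base[0] > 0 ? [base[0] + 1, 0, 0]
    : base[1] > 0 ? [0, base[1] + 1, 0] : [0, 0, base[2] + 1];
  return cmp(v, base) >= 0 && cmp(v, upper) < 0;
}

// Compare one lockfile key descriptor with the entry's stored resolution.
function check(descriptor, resolution) {
  const desc = splitLocator(descriptor), res = splitLocator(resolution);
  if (!desc || !res) return "not an npm: entry, review manually";
  if (desc[0] !== res[0]) return `resolves to a different package (${res[0]})`;
  const ok = satisfies(res[1], desc[1]);
  if (ok === null) return "unsupported version or range syntax, review manually";
  return ok ? null : `${res[1]} is outside the range`;
}

// entries: { "<descriptor>[, <descriptor>...]": { resolution: "name@npm:x.y.z" } }
function auditLockfile(entries) {
  return Object.entries(entries).flatMap(([key, { resolution }]) =>
    key.split(", ").flatMap((d) => {
      const problem = check(d, resolution);
      return problem ? [`${d}: ${problem}`] : [];
    }));
}

// Constructed sample entries (not from a real project).
const SAMPLE = {
  "example-lib@npm:^1.2.0": { resolution: "example-lib@npm:1.4.1" },
  "@acme/util@npm:~0.3.1": { resolution: "@acme/util@npm:0.4.0" },
  "example-ui@npm:^2.0.0": { resolution: "example-ui-fork@npm:2.0.0" },
};
```

`auditLockfile(SAMPLE)` reports the second and third entries. The second Hardened Mode check (lockfile metadata against the remote registry) needs network access and is not covered here.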

hajimism

Oh, it was written further down.

Installs operating under Hardened Mode constraints are significantly slower than usual as they need to perform many network requests that would be skipped otherwise. We don't recommend enabling it by default - if you need it in a specific CI job, toggle it on via an environment variable:

hajimism

Apparently yarn install now shows package sizes.

➤ YN0000: · Yarn 4.0.0
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + next@npm:13.5.4, react-dom@npm:18.2.0, and 24 more.
➤ YN0000: └ Completed in 0s 280ms
➤ YN0000: ┌ Fetch step
➤ YN0013: │ 22 packages were added to the project (+ 177.72 MiB).
➤ YN0000: └ Completed in 3s 723ms
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done with warnings in 4s 123ms

hajimism

The 4.0 isn't lagging behind in performance improvements, and shows to be significantly faster at installs than the 3.6. For instance, here's the difference in time to install Gatsby and its ~350MiB dependency tree from a cold cache. The 3x improved performances are due to a new package metadata cache which significantly improves performances of repeated installs:

Apparently it's gotten faster somehow. Caching?

hajimism

Our aim for this new iteration has been to both decrease Yarn's learning curve and improve your user experience, without the migration feeling overwhelming.

"Learning curve" is kind of a distinctive turn of phrase. It also came up in the part about the Constraints overhaul.

hajimism

My local project was managed with Volta, so I could switch right away just by tweaking package.json. I guess it's the same if you use Corepack. Corepack is probably the better choice.

  "volta": {
    "node": "18.16.0",
    "yarn": "4.0.0"
  }

This scrap was closed on 2023/10/24.