npm package

@yarnpkg/core

2.0.0-rc.30

Newer version available

Published

June 15, 2020

Links

Origin: https://registry.npmjs.org/@yarnpkg%2Fcore/2.0.0-rc.30
https://www.npmjs.com/package/@yarnpkg/core/v/2.0.0-rc.30
Repo: https://github.com/yarnpkg/berry

Projects

yarnpkg/berry

GitHub

📦🐈 Active development trunk for Yarn ⚒

1k forks

8k stars

OpenSSF scorecard

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

View information about checks and how to fix failures.

Score

2.9/10

Scorecard as of June 9, 2025.

Maintained

10/10

Determines if the project is "actively maintained".

Reasoning

30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10

Code-Review

5/10

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

Reasoning

Found 17/30 approved changesets -- score normalized to 5

CII-Best-Practices

0/10

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

Reasoning

no effort to earn an OpenSSF best practices badge detected

Dangerous-Workflow

0/10

Determines if the project's GitHub Action workflows avoid dangerous patterns.

Reasoning

dangerous workflow patterns detected

Security-Policy

9/10

Determines if the project has published a security policy.

Reasoning

security policy file detected

License

10/10

Determines if the project has defined a license.

Reasoning

license file detected

Token-Permissions

0/10

Determines if the project's workflows follow the principle of least privilege.

Reasoning

detected GitHub workflow tokens with excessive permissions

Binary-Artifacts

4/10

Determines if the project has generated executable (binary) artifacts in the source repository.

Reasoning

binaries present in source code

SAST

0/10

Determines if the project uses static code analysis.

Reasoning

SAST tool is not run on all commits -- score normalized to 0

Fuzzing

0/10

Determines if the project uses fuzzing.

Reasoning

project is not fuzzed

Pinned-Dependencies

0/10

Determines if the project has declared and pinned the dependencies of its build process.

Reasoning

dependency not pinned by hash detected -- score normalized to 0

Vulnerabilities

0/10

Determines if the project has open, known unfixed vulnerabilities.

Reasoning

61 existing vulnerabilities detected

Project metadata as of June 14, 2025.

This site uses cookies from Google to deliver its services and to analyze traffic.

Token-Permissions

Info: jobLevel 'contents' permission set to 'read': .github/workflows/pr-smart-merge.yml:30

Warn: no topLevel permission defined: .github/workflows/benchmark-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/debug.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-create-vue-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-docusaurus-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-esbuild-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-eslint-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-fsevents-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-gatsby-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-gulp-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-husky-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-jest-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-mocha-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-next-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-nm-angular-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-nm-babel-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-nm-berry-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-nyc-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-parcel-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-pnp-angular-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-prettier-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-rollup-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-storybook-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-svelte-kit-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-typescript-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-vite-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-vitest-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/e2e-webpack-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/integration-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/plugin-compat-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/pr-smart-merge.yml:1

Warn: no topLevel permission defined: .github/workflows/release-branch.yml:1

Warn: no topLevel permission defined: .github/workflows/release-candidate.yml:1

Warn: no topLevel permission defined: .github/workflows/sherlock-workflow.yml:1

Warn: no topLevel permission defined: .github/workflows/stale-workflow.yml:1

Info: no jobLevel write permissions found

Pinned-Dependencies

Info: Possibly incomplete results: error parsing shell code: $ cannot be followed by a word: scripts/bench-run.sh:0

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-workflow.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/benchmark-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/debug.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/debug.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-create-vue-workflow.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-create-vue-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-docusaurus-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-docusaurus-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-esbuild-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-esbuild-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-eslint-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-eslint-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-fsevents-workflow.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-fsevents-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-gatsby-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-gatsby-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-gulp-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-gulp-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-husky-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-husky-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-jest-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-jest-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-mocha-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-mocha-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-next-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-next-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nm-angular-workflow.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-nm-angular-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nm-babel-workflow.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-nm-babel-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nm-berry-workflow.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-nm-berry-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nyc-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-nyc-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-parcel-workflow.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-parcel-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-pnp-angular-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-pnp-angular-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-prettier-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-prettier-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-rollup-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-rollup-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-storybook-workflow.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-storybook-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-svelte-kit-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-svelte-kit-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-typescript-workflow.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-typescript-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-vite-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-vite-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-vitest-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-vitest-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-webpack-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/e2e-webpack-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:287: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:289: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:207: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:250: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:253: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-workflow.yml:257: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/integration-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/plugin-compat-workflow.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/plugin-compat-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-smart-merge.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/pr-smart-merge.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-smart-merge.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/pr-smart-merge.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-smart-merge.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/pr-smart-merge.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-smart-merge.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/pr-smart-merge.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-smart-merge.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/pr-smart-merge.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-branch.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/release-branch.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-branch.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/release-branch.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-candidate.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/release-candidate.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-candidate.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/release-candidate.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sherlock-workflow.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/sherlock-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sherlock-workflow.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/sherlock-workflow.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale-workflow.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/yarnpkg/berry/stale-workflow.yml/master?enable=pin

Warn: containerImage not pinned by hash: scripts/actions/local-yarn-command/Dockerfile:1: pin your Docker image by updating alpine:3.18 to alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f

Warn: containerImage not pinned by hash: scripts/actions/make-commit/Dockerfile:1: pin your Docker image by updating alpine:3.15 to alpine:3.15@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864

Warn: npmCommand not pinned by hash: scripts/vscode-zip-test-procedure.sh:86

Warn: npmCommand not pinned by hash: .github/workflows/benchmark-workflow.yml:51

Warn: npmCommand not pinned by hash: .github/workflows/benchmark-workflow.yml:53

Warn: npmCommand not pinned by hash: .github/workflows/benchmark-workflow.yml:55

Info: 0 out of 51 GitHub-owned GitHubAction dependencies pinned

Info: 1 out of 1 third-party GitHubAction dependencies pinned

Info: 0 out of 2 containerImage dependencies pinned

Info: 0 out of 4 npmCommand dependencies pinned

Vulnerabilities

Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42

Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38

Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc

Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw

Warn: Project is vulnerable to: GHSA-pp7h-53gx-mx7r

Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7

Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw

Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg

Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x

Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275

Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq

Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf

Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674

Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg

Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99

Warn: Project is vulnerable to: GHSA-f7f6-9jq7-3rqj

Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc

Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx

Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc

Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp

Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97

Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27

Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh

Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42

Warn: Project is vulnerable to: GHSA-m5qc-5hw7-8vg7

Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22

Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp

Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp

Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq

Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488

Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g

Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw

Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv

Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3

Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h

Warn: Project is vulnerable to: GHSA-fhjf-83wg-r2j9

Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55

Warn: Project is vulnerable to: GHSA-3j8f-xvm3-ffx4

Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653

Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj

Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67

Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w

Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2

Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v

Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j

Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w

Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg

Warn: Project is vulnerable to: GHSA-6fw4-hr69-g3rv

Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm

Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw

Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg

Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p

Warn: Project is vulnerable to: GHSA-4g88-fppr-53pp

Warn: Project is vulnerable to: GHSA-4jqc-8m5r-9rpr

Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36

Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx

Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v

Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq

Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v

Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h

Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc