yarn@1.12.0 vulnerabilities

📦🐈 Fast, reliable, and secure dependency management.

Direct Vulnerabilities

Known vulnerabilities in the yarn package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry lists the severity, the vulnerability, and the vulnerable version range.
Severity: High
Untrusted Search Path
Vulnerable versions: <1.22.13

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Untrusted Search Path. An attacker can execute arbitrary code by placing a malicious executable file in a directory that is searched when the victim runs certain commands.

Note: This is only exploitable on Windows.

How to fix Untrusted Search Path?

Upgrade yarn to version 1.22.13 or higher.
Severity: Critical
Improper Integrity Checks
Vulnerable versions: <1.19

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Improper Integrity Checks. A crafted yarn.lock file can pollute the yarn cache, placing a malicious package in the cache under any name and version and bypassing both the integrity and hash checks in yarn.lock, so that any future install of that package installs the fake version regardless of the integrity and hash values specified.

How to fix Improper Integrity Checks?

Upgrade yarn to version 1.19 or higher.
Severity: Medium
Arbitrary File Overwrite
Vulnerable versions: <1.22.0

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. A malicious package can, upon install, write to any path on the filesystem even when the --ignore-scripts option is set. This occurs because symlinks are not correctly unpacked as part of the Yarn install process.

How to fix Arbitrary File Overwrite?

Upgrade yarn to version 1.22.0 or higher.
Severity: Low
Arbitrary File Write
Vulnerable versions: <1.21.1

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Arbitrary File Write. The package install functionality can be abused to create arbitrary symlinks on the host filesystem by using specially crafted bin keys. Existing files could be overwritten, depending on the permissions of the current user.

How to fix Arbitrary File Write?

Upgrade yarn to version 1.21.1 or higher.
Severity: High
Man-in-the-Middle (MitM)
Vulnerable versions: <1.17.3

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). npm credentials such as _authToken were found to be sent in clear text when processing scoped packages that are listed as resolved. A suitably positioned attacker could eavesdrop on the connection and compromise the credentials.

How to fix Man-in-the-Middle (MitM)?

Upgrade yarn to version 1.17.3 or higher.