
Does the yarn package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them?

I see a lot of guides providing installation instructions with steps asking the user to install Node.js dependencies with yarn add .... I usually don't do this, as I trust my OS package manager (i.e. apt) to actually validate the origin/trust and integrity of the package before installing it.

Does yarn provide cryptographic authentication and integrity checks for all items downloaded before installing them by default?

Note: Transport validation via X.509 does not count as a valid auth/integrity check.

Michael Altfield
  • Yarn's documentation on the release process includes a step for gpg signing the tarball before publishing it https://classic.yarnpkg.com/en/org/release-process/#toc-creating-a-new-release – Michael Altfield Jan 12 '21 at 15:32
  • See [this github issue](https://github.com/yarnpkg/yarn/issues/1169) for related discussion. – gowenfawr Jan 12 '21 at 16:48
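The question distinguishes transport security (TLS on the registry connection) from a check on the payload itself. The usual way a client gets the latter is a content hash pinned in a lockfile: a classic yarn.lock v1 entry carries an `integrity` field holding a Subresource Integrity string (`sha512-<base64 digest>`), and the downloaded tarball is hashed and compared against it before anything is unpacked. The script below, added here as an illustration and not code from the question, the commenters or the Yarn project, shows what such a check looks like and why it catches tampering that TLS does not. The tarball bytes, the package name `example-pkg` and the lockfile text are all constructed for the demo; the parser assumes the yarn.lock v1 layout (an unindented `name@range:` header line followed by indented `integrity ...` lines) and nothing else.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample payload standing in for a downloaded package tarball.
SAMPLE_TARBALL = b"fake-tarball-bytes-for-demo-only"

# Digest algorithms accepted in an integrity string; anything else fails closed.
ACCEPTED_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha512") -> str:
    """Return a Subresource Integrity string, e.g. 'sha512-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_sample_lockfile() -> str:
    """Constructed yarn.lock v1 fragment whose integrity value matches SAMPLE_TARBALL.

    Only the fields relevant to the check are included; a real lockfile also
    carries version, resolved and dependency lines.
    """
    return (
        "# yarn lockfile v1\n"
        "\n"
        "example-pkg@^1.0.0:\n"
        '  version "1.0.0"\n'
        f"  integrity {sri_hash(SAMPLE_TARBALL)}\n"
    )


def parse_lockfile_integrity(lock_text: str) -> dict:
    """Map each package spec header in a yarn.lock v1 text to its integrity string.

    Headers are unindented lines ending in ':' (optionally quoted, e.g. for
    scoped packages); comment lines starting with '#' are skipped.
    """
    entries = {}
    current = None
    for line in lock_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1].strip('"')
            continue
        if current is not None:
            m = re.match(r"\s+integrity\s+(\S+)\s*$", line)
            if m:
                entries[current] = m.group(1)
    return entries


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check data against an SRI string; returns False on any mismatch or bad input."""
    algo, sep, expected_b64 = integrity.partition("-")
    if not sep or algo not in ACCEPTED_ALGOS:
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.new(algo, data).digest()
    # Constant-time compare; the digests are fixed length so this is safe.
    return hmac.compare_digest(actual, expected)


def check_download(lock_text: str, spec: str, data: bytes) -> bool:
    """Verify downloaded bytes for `spec` against the lockfile before 'installing'.

    A spec missing from the lockfile is a failure: with no pinned digest there
    is nothing to authenticate the payload against.
    """
    integrity = parse_lockfile_integrity(lock_text).get(spec)
    if integrity is None:
        return False
    return verify_sri(data, integrity)


if __name__ == "__main__":
    lock = build_sample_lockfile()
    print("untouched tarball ok:", check_download(lock, "example-pkg@^1.0.0", SAMPLE_TARBALL))
    print("tampered tarball ok:", check_download(lock, "example-pkg@^1.0.0", SAMPLE_TARBALL + b"!"))
```

The point for the question is that the pinned digest only helps if the entry in the lockfile came from somewhere the installer trusts (a lockfile committed to the repository, reviewed like any other code). A fresh `yarn add` without a pinned entry has nothing to compare against beyond what the registry serves over TLS, which is exactly the transport-only check the question excludes.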

0 Answers