
Use npm instead to install yarn #714

Closed

wants to merge 1 commit

Conversation


@alnorris alnorris commented May 1, 2018

Seems a lot less verbose to just use npm to upgrade to yarn.

@SimenB
Member

SimenB commented May 1, 2018

@Daniel15 thoughts on this?

@chorrell
Contributor

chorrell commented May 1, 2018

They specifically recommend against it:

> Installation of Yarn via npm is generally not recommended. When installing Yarn with Node-based package managers, the package is not signed, and the only integrity check performed is a basic SHA1 hash, which is a security risk when installing system-wide apps.
>
> For these reasons, it is highly recommended that you install Yarn through the installation method best suited to your operating system.

Via https://yarnpkg.com/en/docs/install#alternatives-stable

The fact that it's not signed is a non-starter and it goes against the guidelines we follow: https://github.com/docker-library/official-images#security
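The alternative the thread argues for, as an added example that is not part of the Yarn project or of this repository: verify a downloaded release tarball against its detached OpenPGP signature and an expected SHA-256, pinning the publisher's key fingerprint rather than trusting gpg's exit code (which is zero for a valid signature from any key in the keyring). The fingerprint constant, file paths and the sample status lines are placeholders and constructed input, not real project values.

```python
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# Placeholder (hypothetical) fingerprint of the release signing key. The real one
# must come from the project's documentation, never from the download host itself.
PINNED_FPR = "0000000000000000000000000000000000000000"

# gpg status keywords that mean the verification must be rejected outright.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "UNEXPECTED"}


def signature_status_ok(status_output: str, expected_fpr: str) -> bool:
    """Accept a `gpg --status-fd` transcript only if it contains a VALIDSIG line
    whose signing-key or primary-key fingerprint equals the pinned one and no
    failure keyword appears anywhere (a multi-signature file with one bad
    signature is rejected as a whole)."""
    expected = expected_fpr.replace(" ", "").upper()
    matched = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in BAD_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            signing_fpr = fields[2].upper()
            # Field 12 (index 11) carries the primary key fingerprint when the
            # signature was made by a subkey; fall back to the signing key itself.
            primary_fpr = fields[11].upper() if len(fields) >= 12 else signing_fpr
            if expected in (signing_fpr, primary_fpr):
                matched = True
    return matched


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Integrity check: the bytes are exactly the release the deployment expects."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


def verify_artifact(artifact: Path, signature: Path, expected_fpr: str, expected_sha256: str) -> bool:
    """Both checks must pass: the digest pins *which* file, the signature pins *who*
    produced it. An unsigned SHA1 alone, as with `npm install`, proves neither."""
    if not sha256_matches(artifact.read_bytes(), expected_sha256):
        return False
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(artifact)],
        capture_output=True, text=True, check=False,
    )
    return signature_status_ok(proc.stdout, expected_fpr)
```

Usage (hypothetical paths): `verify_artifact(Path("yarn.tar.gz"), Path("yarn.tar.gz.asc"), PINNED_FPR, "<expected sha256>")` before unpacking into a system location.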

@Daniel15

Daniel15 commented May 2, 2018

I agree that this should not be recommended, particularly in a "best practices" document. This also assumes you have npm installed, which might not always be the case - maybe one day you'll have a Docker image where you only have Node.js and Yarn, without npm. Yarn doesn't actually require npm to be installed.

@SimenB
Member

SimenB commented May 2, 2018

> Yarn doesn't actually require npm to be installed.

Yarn requires node-gyp from npm, though

@SimenB
Member

SimenB commented May 2, 2018

But I think we'll close this. A better upgrade story is hopefully incoming, see #524.

Thanks for the PR!

@SimenB SimenB closed this May 2, 2018
@Daniel15

Daniel15 commented May 3, 2018

> Yarn requires node-gyp from npm, though

Only if:

  1. You use packages with native components that aren't available in a precompiled version (node-pre-gyp)
  2. The package does not explicitly have a dependency on node-gyp

Ideally packages that use node-gyp should have a dependency on it, and many already do (see https://www.npmjs.com/browse/depended/node-gyp). This avoids the reliance on a global node-gyp installation.
