Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: update corepack to 0.17.0 #46842

Merged
merged 1 commit into from
Feb 26, 2023
Merged

Conversation

nodejs-github-bot
Copy link
Collaborator

This is an automated update of corepack to 0.17.0.

@nodejs-github-bot nodejs-github-bot added dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. labels Feb 26, 2023
@aduh95 aduh95 added fast-track PRs that do not need to wait for 48 hours to land. author ready PRs that have at least one approval, no pending requests for changes, and a CI started. labels Feb 26, 2023
@github-actions
Copy link
Contributor

Fast-track has been requested by @aduh95. Please 👍 to approve.

@aduh95 aduh95 added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 26, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 26, 2023
@nodejs-github-bot
Copy link
Collaborator Author

@nodejs-github-bot
Copy link
Collaborator Author

@aduh95 aduh95 added the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 26, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 26, 2023
@nodejs-github-bot nodejs-github-bot merged commit d896da0 into main Feb 26, 2023
@nodejs-github-bot nodejs-github-bot deleted the actions/tools-update-corepack branch February 26, 2023 14:58
@nodejs-github-bot
Copy link
Collaborator Author

Landed in d896da0

aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 26, 2023
PR-URL: nodejs#46842
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 26, 2023
PR-URL: nodejs#46842
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
targos pushed a commit that referenced this pull request Mar 13, 2023
PR-URL: #46842
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
targos pushed a commit that referenced this pull request Mar 14, 2023
PR-URL: #46842
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 23, 2023
PR-URL: #46842
Backport-PR-URL: #45644
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
BethGriggs added a commit that referenced this pull request Mar 27, 2023
Notable changes:

- deps:
  - update undici to 5.20.0 (Node.js GitHub Bot)
    #46711
  - update c-ares to 1.19.0 (Michaël Zasso)
    #46415
  - upgrade npm to 8.19.4 (npm team)
    #46677
  - update corepack to 0.17.0 (Node.js GitHub Bot)
    #46842
- (SEMVER-MINOR) src: add support for externally shared js builtins
  (Michael Dawson) [#44376]

PR-URL: TODO
@BethGriggs BethGriggs mentioned this pull request Mar 27, 2023
BethGriggs added a commit that referenced this pull request Mar 27, 2023
Notable changes:

- deps:
  - update undici to 5.20.0 (Node.js GitHub Bot)
    #46711
  - update c-ares to 1.19.0 (Michaël Zasso)
    #46415
  - upgrade npm to 8.19.4 (npm team)
    #46677
  - update corepack to 0.17.0 (Node.js GitHub Bot)
    #46842
- (SEMVER-MINOR) src: add support for externally shared js builtins
  (Michael Dawson) [#44376]

PR-URL: #47272
BethGriggs added a commit that referenced this pull request Mar 29, 2023
Notable changes:

- deps:
  - update undici to 5.20.0 (Node.js GitHub Bot)
    #46711
  - update c-ares to 1.19.0 (Michaël Zasso)
    #46415
  - upgrade npm to 8.19.4 (npm team)
    #46677
  - update corepack to 0.17.0 (Node.js GitHub Bot)
    #46842
- (SEMVER-MINOR) src: add support for externally shared js builtins
  (Michael Dawson) [#44376]

PR-URL: #47272
mwalbeck pushed a commit to mwalbeck/docker-cyberchef that referenced this pull request Apr 4, 2023
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [node](https://github.com/nodejs/node) | stage | minor | `16.19.1-bullseye` -> `16.20.0-bullseye` |

---

### Release Notes

<details>
<summary>nodejs/node</summary>

### [`v16.20.0`](https://github.com/nodejs/node/releases/tag/v16.20.0): 2023-03-29, Version 16.20.0 &#x27;Gallium&#x27; (LTS), @&#8203;BethGriggs

[Compare Source](nodejs/node@v16.19.1...v16.20.0)

##### Notable Changes

-   **deps:**
    -   update undici to 5.20.0 (Node.js GitHub Bot) [#&#8203;46711](nodejs/node#46711)
    -   update c-ares to 1.19.0 (Michaël Zasso) [#&#8203;46415](nodejs/node#46415)
    -   upgrade npm to 8.19.4 (npm team) [#&#8203;46677](nodejs/node#46677)
    -   update corepack to 0.17.0 (Node.js GitHub Bot) [#&#8203;46842](nodejs/node#46842)
-   **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#&#8203;44376](nodejs/node#44376)

##### Commits

-   \[[`de6dd67790`](nodejs/node@de6dd67790)] - **crypto**: avoid hang when no algorithm available (Richard Lau) [#&#8203;46237](nodejs/node#46237)
-   \[[`4617512788`](nodejs/node@4617512788)] - **crypto**: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) [#&#8203;46185](nodejs/node#46185)
-   \[[`24972164fc`](nodejs/node@24972164fc)] - **deps**: update undici to 5.20.0 (Node.js GitHub Bot) [#&#8203;46711](nodejs/node#46711)
-   \[[`85f88c6a8d`](nodejs/node@85f88c6a8d)] - **deps**: V8: cherry-pick [`90be99f`](nodejs/node@90be99fab31c) (Michaël Zasso) [#&#8203;46646](nodejs/node#46646)
-   \[[`b4ebe6d47b`](nodejs/node@b4ebe6d47b)] - **deps**: update c-ares to 1.19.0 (Michaël Zasso) [#&#8203;46415](nodejs/node#46415)
-   \[[`56cbc7fdda`](nodejs/node@56cbc7fdda)] - **deps**: V8: cherry-pick [`c2792e5`](nodejs/node@c2792e58035f) (Jiawen Geng) [#&#8203;44961](nodejs/node#44961)
-   \[[`7af9bdb31e`](nodejs/node@7af9bdb31e)] - **deps**: upgrade npm to 8.19.4 (npm team) [#&#8203;46677](nodejs/node#46677)
-   \[[`962a7471b5`](nodejs/node@962a7471b5)] - **deps**: update corepack to 0.17.0 (Node.js GitHub Bot) [#&#8203;46842](nodejs/node#46842)
-   \[[`748bc96e35`](nodejs/node@748bc96e35)] - **deps**: update corepack to 0.16.0 (Node.js GitHub Bot) [#&#8203;46710](nodejs/node#46710)
-   \[[`a467782499`](nodejs/node@a467782499)] - **deps**: update corepack to 0.15.3 (Node.js GitHub Bot) [#&#8203;46037](nodejs/node#46037)
-   \[[`1913b6763d`](nodejs/node@1913b6763d)] - **deps**: update corepack to 0.15.2 (Node.js GitHub Bot) [#&#8203;45635](nodejs/node#45635)
-   \[[`809371a15f`](nodejs/node@809371a15f)] - **module**: require.resolve.paths returns null with node schema (MURAKAMI Masahiko) [#&#8203;45147](nodejs/node#45147)
-   \[[`086bb2f8d4`](nodejs/node@086bb2f8d4)] - ***Revert*** "**src**: let http2 streams end after session close" (Rich Trott) [#&#8203;46721](nodejs/node#46721)
-   \[[`6a01d39120`](nodejs/node@6a01d39120)] - **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#&#8203;44376](nodejs/node#44376)
-   \[[`d081032a60`](nodejs/node@d081032a60)] - **test**: fix test-net-connect-reset-until-connected (Vita Batrla) [#&#8203;46781](nodejs/node#46781)
-   \[[`efe1be47ec`](nodejs/node@efe1be47ec)] - **test**: skip test depending on `overlapped-checker` when not available (Antoine du Hamel) [#&#8203;45015](nodejs/node#45015)
-   \[[`fc47d58abe`](nodejs/node@fc47d58abe)] - **test**: remove cjs loader from stack traces (Geoffrey Booth) [#&#8203;44197](nodejs/node#44197)
-   \[[`cf76d0790d`](nodejs/node@cf76d0790d)] - **test**: fix WPT title when no META title is present (Filip Skokan) [#&#8203;46804](nodejs/node#46804)
-   \[[`0d1485b924`](nodejs/node@0d1485b924)] - **test**: fix default WPT titles (Filip Skokan) [#&#8203;46778](nodejs/node#46778)
-   \[[`088e9cde3d`](nodejs/node@088e9cde3d)] - **test**: add WPTRunner support for variants and generating WPT reports (Filip Skokan) [#&#8203;46498](nodejs/node#46498)
-   \[[`908c4dff44`](nodejs/node@908c4dff44)] - **test**: mark test-crypto-key-objects flaky on Linux (Richard Lau) [#&#8203;46684](nodejs/node#46684)
-   \[[`768e56227e`](nodejs/node@768e56227e)] - **tools**: make `utils.SearchFiles` deterministic (Bruno Pitrus) [#&#8203;44496](nodejs/node#44496)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4yMy4zIiwidXBkYXRlZEluVmVyIjoiMzUuMjMuMyJ9-->

Reviewed-on: https://git.walbeck.it/mwalbeck/docker-cyberchef/pulls/187
Co-authored-by: renovate-bot <[email protected]>
Co-committed-by: renovate-bot <[email protected]>
mwalbeck pushed a commit to mwalbeck/docker-jellyfin-livestream that referenced this pull request Apr 4, 2023
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [node](https://github.com/nodejs/node) | stage | minor | `16.19.1-bullseye-slim` -> `16.20.0-bullseye-slim` |

---

### Release Notes

<details>
<summary>nodejs/node</summary>

### [`v16.20.0`](https://github.com/nodejs/node/releases/tag/v16.20.0): 2023-03-29, Version 16.20.0 &#x27;Gallium&#x27; (LTS), @&#8203;BethGriggs

[Compare Source](nodejs/node@v16.19.1...v16.20.0)

##### Notable Changes

-   **deps:**
    -   update undici to 5.20.0 (Node.js GitHub Bot) [#&#8203;46711](nodejs/node#46711)
    -   update c-ares to 1.19.0 (Michaël Zasso) [#&#8203;46415](nodejs/node#46415)
    -   upgrade npm to 8.19.4 (npm team) [#&#8203;46677](nodejs/node#46677)
    -   update corepack to 0.17.0 (Node.js GitHub Bot) [#&#8203;46842](nodejs/node#46842)
-   **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#&#8203;44376](nodejs/node#44376)

##### Commits

-   \[[`de6dd67790`](nodejs/node@de6dd67790)] - **crypto**: avoid hang when no algorithm available (Richard Lau) [#&#8203;46237](nodejs/node#46237)
-   \[[`4617512788`](nodejs/node@4617512788)] - **crypto**: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) [#&#8203;46185](nodejs/node#46185)
-   \[[`24972164fc`](nodejs/node@24972164fc)] - **deps**: update undici to 5.20.0 (Node.js GitHub Bot) [#&#8203;46711](nodejs/node#46711)
-   \[[`85f88c6a8d`](nodejs/node@85f88c6a8d)] - **deps**: V8: cherry-pick [`90be99f`](nodejs/node@90be99fab31c) (Michaël Zasso) [#&#8203;46646](nodejs/node#46646)
-   \[[`b4ebe6d47b`](nodejs/node@b4ebe6d47b)] - **deps**: update c-ares to 1.19.0 (Michaël Zasso) [#&#8203;46415](nodejs/node#46415)
-   \[[`56cbc7fdda`](nodejs/node@56cbc7fdda)] - **deps**: V8: cherry-pick [`c2792e5`](nodejs/node@c2792e58035f) (Jiawen Geng) [#&#8203;44961](nodejs/node#44961)
-   \[[`7af9bdb31e`](nodejs/node@7af9bdb31e)] - **deps**: upgrade npm to 8.19.4 (npm team) [#&#8203;46677](nodejs/node#46677)
-   \[[`962a7471b5`](nodejs/node@962a7471b5)] - **deps**: update corepack to 0.17.0 (Node.js GitHub Bot) [#&#8203;46842](nodejs/node#46842)
-   \[[`748bc96e35`](nodejs/node@748bc96e35)] - **deps**: update corepack to 0.16.0 (Node.js GitHub Bot) [#&#8203;46710](nodejs/node#46710)
-   \[[`a467782499`](nodejs/node@a467782499)] - **deps**: update corepack to 0.15.3 (Node.js GitHub Bot) [#&#8203;46037](nodejs/node#46037)
-   \[[`1913b6763d`](nodejs/node@1913b6763d)] - **deps**: update corepack to 0.15.2 (Node.js GitHub Bot) [#&#8203;45635](nodejs/node#45635)
-   \[[`809371a15f`](nodejs/node@809371a15f)] - **module**: require.resolve.paths returns null with node schema (MURAKAMI Masahiko) [#&#8203;45147](nodejs/node#45147)
-   \[[`086bb2f8d4`](nodejs/node@086bb2f8d4)] - ***Revert*** "**src**: let http2 streams end after session close" (Rich Trott) [#&#8203;46721](nodejs/node#46721)
-   \[[`6a01d39120`](nodejs/node@6a01d39120)] - **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#&#8203;44376](nodejs/node#44376)
-   \[[`d081032a60`](nodejs/node@d081032a60)] - **test**: fix test-net-connect-reset-until-connected (Vita Batrla) [#&#8203;46781](nodejs/node#46781)
-   \[[`efe1be47ec`](nodejs/node@efe1be47ec)] - **test**: skip test depending on `overlapped-checker` when not available (Antoine du Hamel) [#&#8203;45015](nodejs/node#45015)
-   \[[`fc47d58abe`](nodejs/node@fc47d58abe)] - **test**: remove cjs loader from stack traces (Geoffrey Booth) [#&#8203;44197](nodejs/node#44197)
-   \[[`cf76d0790d`](nodejs/node@cf76d0790d)] - **test**: fix WPT title when no META title is present (Filip Skokan) [#&#8203;46804](nodejs/node#46804)
-   \[[`0d1485b924`](nodejs/node@0d1485b924)] - **test**: fix default WPT titles (Filip Skokan) [#&#8203;46778](nodejs/node#46778)
-   \[[`088e9cde3d`](nodejs/node@088e9cde3d)] - **test**: add WPTRunner support for variants and generating WPT reports (Filip Skokan) [#&#8203;46498](nodejs/node#46498)
-   \[[`908c4dff44`](nodejs/node@908c4dff44)] - **test**: mark test-crypto-key-objects flaky on Linux (Richard Lau) [#&#8203;46684](nodejs/node#46684)
-   \[[`768e56227e`](nodejs/node@768e56227e)] - **tools**: make `utils.SearchFiles` deterministic (Bruno Pitrus) [#&#8203;44496](nodejs/node#44496)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4yMy4zIiwidXBkYXRlZEluVmVyIjoiMzUuMjMuMyJ9-->

Reviewed-on: https://git.walbeck.it/mwalbeck/docker-jellyfin-livestream/pulls/243
Co-authored-by: renovate-bot <[email protected]>
Co-committed-by: renovate-bot <[email protected]>
danielleadams pushed a commit that referenced this pull request Apr 11, 2023
PR-URL: #46842
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
kalrish added a commit to kalrish/AWS-organization-bootstrap that referenced this pull request Jun 27, 2023
[Version 16.20.0 of Node.js][Node.js changelog 16.20.0], released on
2023-03-29, ships with version 0.17.0 of [Corepack][Node.js 16
Corepack]; see the corresponding [pull request][GitHub repository
nodejs/node PR 46842].

3.6.0 is the latest version of Yarn at this time.

As stated in the [README][Node.js Corepack 0.17.0 README], a checksum
should be specified:

> The hash is optional but strongly recommended as a security practice.

Version 0.17.0 of [Corepack][Node.js 16 Corepack] uses the function
`createHash` of the [Node.js module `node:crypto`][Node.js 16
node:crypto]; see
https://github.com/nodejs/corepack/blob/v0.17.0/sources/corepackUtils.ts#L138-L140.
The hash/hashing algorithms that function supports "[…] is dependent on
the available algorithms supported by the version of OpenSSL on the
platform". I chose [SHA-512][SHA-2] because it strikes the best balance
between safety/security and availability, as far as I know.

[GitHub repository nodejs/corepack issue 231][]

```Shell
curl -- https://repo.yarnpkg.com/3.6.0/packages/yarnpkg-cli/bin/yarn.js | sha512sum
```
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2175k    0 2175k    0     0  3902k      0 --:--:-- --:--:-- --:--:-- 3899k
418e45c2268c4d6b69a28f3939084b5853d5f392c43c0b5588bd1995a96e328414ae4b7777a8980c64bad4328c52586ff879b289f98ae65372a55fa4d0ff70dd  -
```

after setting `packageManager` in `package.json` with that checksum:

```Shell
corepack yarn --version
```
```
3.6.0
```

There's no difference between calling `corepack yarn` and calling the
`yarn` shim installed by `corepack enable`; both are the same:

```JavaScript
require('./corepack').runMain(['yarn', ...process.argv.slice(2)]);
```

the .js file is not committed and `yarnPath` is not set:

yarnpkg/berry#4063 (comment)

> Updating the binary in the repo, is temporary, until Corepack gets
> available in all LTS releases. I think for Yarn 4 we'll consider only
> updating the package.json.

indeed,
https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md#major-changes

> `yarn set version` will now skip generating the `yarnPath`
> configuration on new projects if it detects you're using
> [Corepack][Node.js Corepack]

[GitHub repository nodejs/corepack issue 231]: nodejs/corepack#231
[GitHub repository nodejs/node PR 46842]: nodejs/node#46842
[GitHub repository yarnpkg/berry issue 4063]: yarnpkg/berry#4063
[Node.js changelog 16.20.0]: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.20.0
[Node.js Corepack]: https://nodejs.org/api/corepack.html
[Node.js Corepack 0.17.0 README]: https://github.com/nodejs/corepack/blob/v0.17.0/README.md
[Node.js 16 Corepack]: https://nodejs.org/docs/latest-v16.x/api/corepack.html
[Node.js 16 node:crypto]: https://nodejs.org/docs/latest-v16.x/api/crypto.html
[SHA-2]: https://en.wikipedia.org/wiki/SHA-2
kalrish added a commit to kalrish/AWS-organization-bootstrap that referenced this pull request Jun 28, 2023
[Version 16.20.0 of Node.js][Node.js changelog 16.20.0], released on
2023-03-29, ships with version 0.17.0 of [Corepack][Node.js 16
Corepack]; see the corresponding [pull request][GitHub repository
nodejs/node PR 46842].

3.6.0 is the latest version of Yarn at this time.

As stated in the [README][Node.js Corepack 0.17.0 README], a checksum
should be specified:

> The hash is optional but strongly recommended as a security practice.

Version 0.17.0 of [Corepack][Node.js 16 Corepack] uses the function
`createHash` of the [Node.js module `node:crypto`][Node.js 16
node:crypto]; see
https://github.com/nodejs/corepack/blob/v0.17.0/sources/corepackUtils.ts#L138-L140.
The hash/hashing algorithms that function supports "[…] is dependent on
the available algorithms supported by the version of OpenSSL on the
platform". I chose [SHA-512][SHA-2] because it strikes the best balance
between safety/security and availability, as far as I know.

[GitHub repository nodejs/corepack issue 231][]

```Shell
curl -- https://repo.yarnpkg.com/3.6.0/packages/yarnpkg-cli/bin/yarn.js | sha512sum
```
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2175k    0 2175k    0     0  3902k      0 --:--:-- --:--:-- --:--:-- 3899k
418e45c2268c4d6b69a28f3939084b5853d5f392c43c0b5588bd1995a96e328414ae4b7777a8980c64bad4328c52586ff879b289f98ae65372a55fa4d0ff70dd  -
```

after setting `packageManager` in `package.json` with that checksum:

```Shell
corepack yarn --version
```
```
3.6.0
```

There's no difference between calling `corepack yarn` and calling the
`yarn` shim installed by `corepack enable`; both are the same:

```JavaScript
require('./corepack').runMain(['yarn', ...process.argv.slice(2)]);
```

the .js file is not committed and `yarnPath` is not set:

yarnpkg/berry#4063 (comment)

> Updating the binary in the repo, is temporary, until Corepack gets
> available in all LTS releases. I think for Yarn 4 we'll consider only
> updating the package.json.

indeed,
https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md#major-changes

> `yarn set version` will now skip generating the `yarnPath`
> configuration on new projects if it detects you're using
> [Corepack][Node.js Corepack]

[GitHub repository nodejs/corepack issue 231]: nodejs/corepack#231
[GitHub repository nodejs/node PR 46842]: nodejs/node#46842
[GitHub repository yarnpkg/berry issue 4063]: yarnpkg/berry#4063
[Node.js changelog 16.20.0]: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.20.0
[Node.js Corepack]: https://nodejs.org/api/corepack.html
[Node.js Corepack 0.17.0 README]: https://github.com/nodejs/corepack/blob/v0.17.0/README.md
[Node.js 16 Corepack]: https://nodejs.org/docs/latest-v16.x/api/corepack.html
[Node.js 16 node:crypto]: https://nodejs.org/docs/latest-v16.x/api/crypto.html
[SHA-2]: https://en.wikipedia.org/wiki/SHA-2
kalrish added a commit to kalrish/AWS-organization-bootstrap that referenced this pull request Jun 28, 2023
[Version 16.20.0 of Node.js][Node.js changelog 16.20.0], released on
2023-03-29, ships with version 0.17.0 of [Corepack][Node.js 16
Corepack]; see the corresponding [pull request][GitHub repository
nodejs/node PR 46842].

3.6.0 is the latest version of Yarn at this time.

As stated in the [README][Node.js Corepack 0.17.0 README], a checksum
should be specified:

> The hash is optional but strongly recommended as a security practice.

Version 0.17.0 of [Corepack][Node.js 16 Corepack] uses the function
`createHash` of the [Node.js module `node:crypto`][Node.js 16
node:crypto]; see
https://github.com/nodejs/corepack/blob/v0.17.0/sources/corepackUtils.ts#L138-L140.
The hash/hashing algorithms that function supports "[…] is dependent on
the available algorithms supported by the version of OpenSSL on the
platform". I chose [SHA-512][SHA-2] because it strikes the best balance
between safety/security and availability, as far as I know.

[GitHub repository nodejs/corepack issue 231][]

```Shell
curl -- https://repo.yarnpkg.com/3.6.0/packages/yarnpkg-cli/bin/yarn.js | sha512sum
```
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2175k    0 2175k    0     0  3902k      0 --:--:-- --:--:-- --:--:-- 3899k
418e45c2268c4d6b69a28f3939084b5853d5f392c43c0b5588bd1995a96e328414ae4b7777a8980c64bad4328c52586ff879b289f98ae65372a55fa4d0ff70dd  -
```

after setting `packageManager` in `package.json` with that checksum:

```Shell
corepack yarn --version
```
```
3.6.0
```

There's no difference between calling `corepack yarn` and calling the
`yarn` shim installed by `corepack enable`; both are the same:

```JavaScript
require('./corepack').runMain(['yarn', ...process.argv.slice(2)]);
```

the .js file is not committed and `yarnPath` is not set:

yarnpkg/berry#4063 (comment)

> Updating the binary in the repo, is temporary, until Corepack gets
> available in all LTS releases. I think for Yarn 4 we'll consider only
> updating the package.json.

indeed,
https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md#major-changes

> `yarn set version` will now skip generating the `yarnPath`
> configuration on new projects if it detects you're using
> [Corepack][Node.js Corepack]

[GitHub repository nodejs/corepack issue 231]: nodejs/corepack#231
[GitHub repository nodejs/node PR 46842]: nodejs/node#46842
[GitHub repository yarnpkg/berry issue 4063]: yarnpkg/berry#4063
[Node.js changelog 16.20.0]: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.20.0
[Node.js Corepack]: https://nodejs.org/api/corepack.html
[Node.js Corepack 0.17.0 README]: https://github.com/nodejs/corepack/blob/v0.17.0/README.md
[Node.js 16 Corepack]: https://nodejs.org/docs/latest-v16.x/api/corepack.html
[Node.js 16 node:crypto]: https://nodejs.org/docs/latest-v16.x/api/crypto.html
[SHA-2]: https://en.wikipedia.org/wiki/SHA-2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. dependencies Pull requests that update a dependency file. fast-track PRs that do not need to wait for 48 hours to land. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants