Skip to content

build: update to yarn v4#48243

Merged
jkleinsc merged 104 commits intomainfrom
sam/yarn-v4
Nov 17, 2025
Merged

build: update to yarn v4#48243
jkleinsc merged 104 commits intomainfrom
sam/yarn-v4

Conversation

@MarshallOfSound
Copy link
Copy Markdown
Member

@MarshallOfSound MarshallOfSound commented Sep 2, 2025

As in title, updates to yarn v4, switches us to a single lockfile and workspaces instead of multiple lockfiles (better for tooling to keep track of). Should be a no-op for all maintainers, yarn will figure it out

Notes: none

@socket-security
Copy link
Copy Markdown

socket-security bot commented Sep 2, 2025
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Low adoption: npm @dbus-types/dbus

Location: Package overview

From: ?npm/@dbus-types/dbus@0.0.4

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@dbus-types/dbus@0.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm are-we-there-yet

Reason: This package is no longer supported.

From: ?npm/are-we-there-yet@2.0.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/are-we-there-yet@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm dbus-ts

Location: Package overview

From: ?npm/dbus-ts@0.0.7

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/dbus-ts@0.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm gauge

Reason: This package is no longer supported.

From: ?npm/gauge@3.0.2

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/gauge@3.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm lodash.get

Reason: This package is deprecated. Use the optional chaining (?.) operator instead.

From: ?npm/lodash.get@4.4.2

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.get@4.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm npmlog

Reason: This package is no longer supported.

From: ?npm/npmlog@5.0.1

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npmlog@5.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm q

Reason: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.

(For a CapTP with native promises, see @endo/eventual-send and @endo/captp)

From: ?npm/q@1.5.1

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/q@1.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm sinon with reason "16.1.1"

Reason: 16.1.1

From: ?npm/sinon@9.2.4

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sinon@9.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm uuid

Reason: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.

From: ?npm/uuid@3.4.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/uuid@3.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • safer-buffer@2.1.2

View full report

@MarshallOfSound MarshallOfSound requested review from a team as code owners September 2, 2025 16:48
@MarshallOfSound MarshallOfSound mentioned this pull request Sep 3, 2025
Merged
1 task
@MarshallOfSound MarshallOfSound requested a review from a team as a code owner October 19, 2025 06:30
@jkleinsc jkleinsc force-pushed the sam/yarn-v4 branch 2 times, most recently from 265d79a to dd12f89 Compare October 31, 2025 16:32
@jkleinsc
Copy link
Copy Markdown
Member

jkleinsc commented Nov 3, 2025

@SocketSecurity ignore npm/safer-buffer@2.1.2

@jkleinsc jkleinsc force-pushed the sam/yarn-v4 branch 3 times, most recently from 40ddd5b to 2cfd603 Compare November 7, 2025 22:13
@socket-security
Copy link
Copy Markdown

socket-security bot commented Nov 11, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​types/​uuid@​9.0.81001006981100
Added@​types/​send@​1.2.01001007288100
Added@​types/​chai@​5.2.31001007787100
Addeduuid@​9.0.110010010085100
Addedsend@​0.19.09910010085100
Addedws@​7.5.109910010086100
Addedyargs@​16.2.09810010087100
Addednan@​2.23.010010010089100
Addednode-gyp@​11.5.09910010095100
Added@​datadog/​datadog-ci@​4.1.29910010096100
Addedspec%2Ffixtures%2Fnative-addon%2Fecho@​0.0.0-use.local100100100100100
Addedspec%2Ffixtures%2Fnative-addon%2Fexternal-ab@​0.0.0-use.local100100100100100
Addedspec%2Ffixtures%2Fnative-addon%2Fis-valid-window@​0.0.0-use.local100100100100100
Addedspec%2Ffixtures%2Fnative-addon%2Fosr-gpu@​0.0.0-use.local100100100100100
Addedspec%2Ffixtures%2Fnative-addon%2Fuv-dlopen@​0.0.0-use.local100100100100100

View full report

@jkleinsc jkleinsc mentioned this pull request Nov 17, 2025
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Nov 17, 2025

@jkleinsc has manually backported this PR to "39-x-y", please check out #48994

@jkleinsc jkleinsc mentioned this pull request Nov 17, 2025
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Nov 17, 2025

@jkleinsc has manually backported this PR to "38-x-y", please check out #48995

@jkleinsc jkleinsc mentioned this pull request Nov 17, 2025
Merged
@trop
Copy link
Copy Markdown
Contributor

trop bot commented Nov 17, 2025

@jkleinsc has manually backported this PR to "37-x-y", please check out #48996

@trop trop bot added in-flight/37-x-y merged/40-x-y PR was merged to the "40-x-y" branch. and removed needs-manual-bp/37-x-y in-flight/40-x-y labels Nov 17, 2025
@jkleinsc jkleinsc mentioned this pull request Nov 19, 2025
Merged
3 tasks
@trop trop bot added merged/39-x-y PR was merged to the "39-x-y" branch. merged/38-x-y PR was merged to the "38-x-y" branch. merged/37-x-y PR was merged to the "37-x-y" branch. and removed in-flight/39-x-y in-flight/38-x-y in-flight/37-x-y labels Nov 19, 2025
@jkleinsc jkleinsc mentioned this pull request Nov 21, 2025
Merged
3 tasks
@panther7 panther7 mentioned this pull request Dec 9, 2025
Closed
@TomaSajt TomaSajt mentioned this pull request Jan 20, 2026
Merged
13 tasks
MarshallOfSound added a commit that referenced this pull request Mar 31, 2026
@MarshallOfSound
build: replace npx with lockfile-pinned binaries
982f87d 
- nan-spec-runner: reorder yarn install first, invoke nan node-gyp bin directly
- publish-to-npm: use host npm with E404 try/catch (closes existing TODO)
- upload-symbols: add @sentry/cli devDep, invoke from node_modules/.bin
- remove script/lib/npx.py (dead since #48243)
@MarshallOfSound MarshallOfSound mentioned this pull request Mar 31, 2026
Merged
MarshallOfSound added a commit that referenced this pull request Mar 31, 2026
@MarshallOfSound
build: replace npx with lockfile-pinned binaries (#50598)
a8acb96 
* build: replace npx with lockfile-pinned binaries

- nan-spec-runner: reorder yarn install first, invoke nan node-gyp bin directly
- publish-to-npm: use host npm with E404 try/catch (closes existing TODO)
- upload-symbols: add @sentry/cli devDep, invoke from node_modules/.bin
- remove script/lib/npx.py (dead since #48243)

* build: bump @sentry/cli to 1.70.0 for arm support

* build: bump @sentry/cli to 1.72.0, skip CDN download on test jobs

@sentry/cli fetches its platform binary from Sentry CDN at postinstall.
Only upload-symbols.py (release pipeline) needs the binary; set
SENTRYCLI_SKIP_DOWNLOAD=1 in the two test-segment workflows that
call install-dependencies. The 64k variant uses pre-built artifacts
and does not install deps.
@MarshallOfSound MarshallOfSound mentioned this pull request Apr 1, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkleinsc jkleinsc jkleinsc left review comments

@VerteDinde VerteDinde VerteDinde approved these changes

Assignees

No one assigned

Labels

merged/37-x-y PR was merged to the "37-x-y" branch. merged/38-x-y PR was merged to the "38-x-y" branch. merged/39-x-y PR was merged to the "39-x-y" branch. merged/40-x-y PR was merged to the "40-x-y" branch. semver/none

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MarshallOfSound @jkleinsc @VerteDinde