
tessl/npm-yarn

Fast, reliable, and secure dependency management tool for JavaScript/Node.js projects


Utility Commands

Additional utility commands for package integrity, security, maintenance, and project information.

Capabilities

Package Integrity

Verify the integrity of installed packages and dependency tree.

yarn check [options]

# Options:
--integrity              # Verify package integrity against checksums
--verify-tree           # Verify dependency tree structure
--json                  # Output results in JSON format

Usage Examples:

# Basic integrity check
yarn check

# Check package integrity only
yarn check --integrity

# Verify dependency tree
yarn check --verify-tree

# Get JSON output for automation
yarn check --json

# Check specific aspects
yarn check --integrity --verify-tree

Check Process:

  1. Integrity Check: Verifies checksums against yarn.lock
  2. Tree Verification: Ensures installed packages match dependency requirements
  3. License Check: Validates license compatibility (if configured)
  4. Report Issues: Lists any inconsistencies or problems

Security Audit

Run security audit to identify known vulnerabilities.

yarn audit [options]

# Options:
--level <severity>       # Minimum severity level (low, moderate, high, critical)
--json                  # Output in JSON format
--groups <groups>       # Audit specific dependency groups

Usage Examples:

# Run security audit
yarn audit

# Audit with minimum severity level
yarn audit --level moderate
yarn audit --level high
yarn audit --level critical

# Audit specific dependency groups
yarn audit --groups dependencies
yarn audit --groups devDependencies

# Get JSON output
yarn audit --json

# Audit production dependencies only
yarn audit --groups dependencies --level high

Audit Output:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Severity      │ Package                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ High          │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <1.2.2                                                       │
│ versions      │                                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.2                                                      │
└───────────────┴──────────────────────────────────────────────────────────────┘

Create Package Tarball

Create a compressed tarball of the package for distribution.

yarn pack [options]

# Options:
--filename <name>        # Specify output filename
--json                  # Output metadata in JSON format

Usage Examples:

# Create tarball with default name
yarn pack

# Specify custom filename
yarn pack --filename my-package-v1.0.0.tgz

# Get JSON metadata
yarn pack --json

# Pack specific version
yarn version --new-version 1.2.3
yarn pack

Pack Process:

  1. Runs prepack script (if defined)
  2. Creates tarball with files specified in package.json#files
  3. Excludes files in .npmignore or .gitignore
  4. Runs postpack script (if defined)
  5. Outputs tarball filename and size

Import Dependencies

Import dependencies from other package managers' lockfiles.

yarn import

Usage Examples:

# Import from package-lock.json
yarn import

# Workflow: npm to yarn migration
npm install              # Generates package-lock.json
yarn import             # Converts to yarn.lock
rm package-lock.json    # Clean up npm lockfile

Import Process:

  1. Reads package-lock.json (npm) or composer.lock (Composer)
  2. Converts dependency information to yarn.lock format
  3. Preserves exact versions and resolved URLs
  4. Maintains dependency tree structure
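
An added example (not part of the original page or of Yarn itself): after an import, the new yarn.lock can be reviewed mechanically for entries that carry no `integrity` value, only a SHA-1 hash, or a `resolved` URL that is not HTTPS on an expected registry host. It assumes the Yarn 1.x lockfile text format; the function names, the host allowlist and the sample entries are constructed for illustration.

```javascript
// ALLOWED_HOSTS is an assumption: list the registries your project actually uses.
const ALLOWED_HOSTS = new Set(['registry.yarnpkg.com', 'registry.npmjs.org']);
function parseLockfile(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    // Exactly two spaces of indent is `key value`; deeper lines are dependency maps.
    const field = raw.match(/^ {2}(\S+)\s+"?([^"]*)"?$/);
    if (!raw.startsWith(' ')) { // entry header: comma-separated, optionally quoted patterns ending in ':'
      const patterns = raw.replace(/:\s*$/, '').split(/,\s*/).map((p) => p.replace(/^"|"$/g, ''));
      entries.push({ patterns, fields: {} });
    } else if (field && entries.length) {
      entries[entries.length - 1].fields[field[1]] = field[2];
    }
  }
  return entries;
}

function lintLockfile(text) {
  const findings = [];
  for (const { patterns: [id], fields } of parseLockfile(text)) {
    const hashes = (fields.integrity || '').split(/\s+/).filter(Boolean);
    if (hashes.length === 0) findings.push({ id, issue: 'missing integrity' });
    else if (!hashes.some((h) => /^sha(256|384|512)-/.test(h))) findings.push({ id, issue: 'sha1-only integrity' });
    let url = null;
    try { url = new URL(fields.resolved); } catch { findings.push({ id, issue: 'no usable resolved URL' }); }
    if (url && url.protocol !== 'https:') findings.push({ id, issue: 'non-HTTPS source' });
    else if (url && !ALLOWED_HOSTS.has(url.hostname)) findings.push({ id, issue: 'unexpected host' });
  }
  return findings;
}

// Constructed sample: hashes are placeholders, extra hosts use the reserved .test TLD.
const SAMPLE_LOCK = `# yarn lockfile v1
minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#0000"
  integrity sha512-PLACEHOLDER==

left-helper@^2.0.0:
  version "2.0.1"
  resolved "http://mirror.example.test/left-helper-2.0.1.tgz#0000"
  dependencies:
    minimist "^1.2.0"

"@scope/tool@^3.1.0":
  version "3.1.4"
  resolved "https://pkgs.example.test/@scope/tool/-/tool-3.1.4.tgz#0000"
  integrity sha1-PLACEHOLDER=`;
```

Running `lintLockfile` over the contents of a real yarn.lock in CI and failing on a non-empty result keeps unexpected sources from entering the lockfile unnoticed.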

Generate Lockfile Entry

Generate a lockfile entry for a specific package.

yarn generate-lock-entry [options]

# Options:
--use-manifest <path>    # Use specific package.json
--resolved <url>         # Use specific resolved URL

Usage Examples:

# Generate entry for package in current directory
yarn generate-lock-entry

# Generate entry with custom manifest
yarn generate-lock-entry --use-manifest /path/to/package.json

# Generate entry with specific resolved URL
yarn generate-lock-entry --resolved https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Clean Unnecessary Files

Automatically remove unnecessary files from node_modules to save space.

yarn autoclean [options]

# Options:
--init                  # Initialize autoclean (creates .yarnclean)
--force                 # Clean without confirmation

Usage Examples:

# Initialize autoclean
yarn autoclean --init

# Run autoclean
yarn autoclean

# Clean without confirmation
yarn autoclean --force

# Clean as part of install
yarn install && yarn autoclean

Autoclean Process:

  1. Reads .yarnclean file for patterns
  2. Removes matching files from node_modules
  3. Reports space saved
  4. Can be automated to run after install

Example .yarnclean:

# Remove documentation
*.md
LICENSE*
CHANGELOG*

# Remove test files
__tests__
test
tests
*.test.js
*.spec.js

# Remove source maps
*.map

# Remove TypeScript files
*.ts
!*.d.ts

Unplug Packages

Temporarily unplug Plug'n'Play packages for debugging purposes.

yarn unplug <package> [options]

# Options:
--clear                 # Delete the selected packages
--clear-all            # Delete all unplugged packages

Usage Examples:

# Unplug a package for debugging
yarn unplug react

# Unplug specific version
yarn unplug react@18.0.0

# Clear unplugged package
yarn unplug react --clear

# Clear all unplugged packages
yarn unplug --clear-all

Unplug Process:

  1. Only works with Plug'n'Play enabled projects
  2. Copies package from cache to unplugged directory
  3. Allows direct file system access for debugging
  4. Maintains package functionality while enabling inspection

Release Policies

Manage yarn version policies and automatic updates.

yarn policies set-version <version>

Usage Examples:

# Set specific yarn version for project
yarn policies set-version 1.22.22

# Set latest version
yarn policies set-version latest

# Set canary/beta version
yarn policies set-version canary
yarn policies set-version berry

Policy Management:

  • Downloads and installs specified yarn version locally
  • Creates .yarn/releases directory with yarn binary
  • Updates .yarnrc.yml to use local version
  • Ensures consistent yarn version across team

Help System

Display help information for yarn commands.

yarn help [command]

Usage Examples:

# General help
yarn help
yarn --help
yarn -h

# Help for specific command
yarn help install
yarn help add
yarn help workspace

# List all commands
yarn help --commands

Version Management

Show or update package version information.

yarn version [options]

# Options:
--new-version <version>  # Set specific version
--major                 # Increment major version
--minor                 # Increment minor version
--patch                 # Increment patch version
--premajor             # Increment to prerelease major
--preminor             # Increment to prerelease minor
--prepatch             # Increment to prerelease patch
--prerelease           # Increment prerelease version
--preid <identifier>    # Prerelease identifier (alpha, beta, rc)
--message <message>     # Custom commit message
--no-git-tag-version   # Don't create git tag
--no-commit-hooks      # Skip git commit hooks

Usage Examples:

# Show current version
yarn version

# Increment versions
yarn version --patch     # 1.0.0 -> 1.0.1
yarn version --minor     # 1.0.0 -> 1.1.0
yarn version --major     # 1.0.0 -> 2.0.0

# Set specific version
yarn version --new-version 2.1.0

# Prerelease versions
yarn version --prerelease              # 1.0.0 -> 1.0.1-0
yarn version --prerelease --preid beta # 1.0.0 -> 1.0.1-beta.0
yarn version --premajor --preid alpha  # 1.0.0 -> 2.0.0-alpha.0

# Version without git tag
yarn version --patch --no-git-tag-version

# Version with custom commit message
yarn version --patch --message "Fix critical bug in authentication"

Version Process:

  1. Runs preversion script
  2. Updates version in package.json
  3. Runs version script
  4. Commits changes to git (if in git repo)
  5. Creates git tag (unless --no-git-tag-version)
  6. Runs postversion script

Show Environment Versions

Display versions of yarn, Node.js, and system information.

yarn versions

Usage Examples:

# Show all versions
yarn versions

# Use in bug reports
yarn versions > versions.txt

Output Example:

{
  "yarn": "1.22.22",
  "node": "18.17.0",
  "v8": "10.2.154.26-node.22",
  "uv": "1.44.2",
  "zlib": "1.2.13",
  "brotli": "1.0.9",
  "ares": "1.19.1",
  "modules": "108",
  "nghttp2": "1.57.0",
  "napi": "8",
  "llhttp": "8.1.1",
  "openssl": "3.0.9+quic",
  "cldr": "43.1",
  "icu": "73.2",
  "tz": "2023c",
  "unicode": "15.0",
  "os": "Linux 5.4.0-74-generic",
  "cpu": "x64"
}

Advanced Utility Usage

Automated Integrity Checks

# Pre-commit hook
#!/bin/sh
yarn check --integrity || {
  echo "Integrity check failed!"
  exit 1
}

# CI/CD pipeline check
yarn install --frozen-lockfile
yarn check --integrity --verify-tree

Security Automation

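# Security check script
#!/bin/bash
# Exit status is a bitmask (1 info, 2 low, 4 moderate, 8 high, 16 critical);
# --level only filters the output, so test the status for high or critical
AUDIT_RESULT=$(yarn audit --json --level high)
AUDIT_STATUS=$?
if [ "$AUDIT_STATUS" -ge 8 ]; then
  echo "High severity vulnerabilities found!"
  echo "$AUDIT_RESULT" | jq 'select(.type == "auditSummary") | .data.vulnerabilities'
  exit 1
fi

# Upgrade within semver ranges when the audit reports findings of any severity
# (--level does not change the exit status); re-run the audit afterwards
yarn audit --level moderate || yarn upgrade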
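
An added example (not from the Yarn project or the original page): in Yarn 1.x, `yarn audit --json` prints one JSON object per line and the exit status is a bitmask of the severities found, so a CI gate has to decode both. The code below does that in Node.js over constructed sample output; the function names and the `example-lib` advisory are assumptions made for illustration.

```javascript
// Severity bits of the Yarn 1.x `yarn audit` exit status.
const BITS = { info: 1, low: 2, moderate: 4, high: 8, critical: 16 };
const ORDER = Object.keys(BITS);

// Collect advisories and the summary from line-delimited `yarn audit --json` output.
function parseAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split(/\r?\n/)) {
    let event = null;
    try { event = JSON.parse(line); } catch { /* blank or non-JSON line */ }
    if (!event || !event.data) continue;
    if (event.type === 'auditSummary') summary = event.data.vulnerabilities;
    if (event.type !== 'auditAdvisory') continue;
    const { module_name, severity, vulnerable_versions, patched_versions } = event.data.advisory;
    advisories.push({ module_name, severity, vulnerable_versions, patched_versions });
  }
  return { advisories, summary };
}

// Decide pass/fail for a minimum severity from both the exit status and the parsed output.
function auditGate(ndjson, exitCode, minLevel) {
  const min = ORDER.indexOf(minLevel);
  if (min < 0) throw new Error(`unknown level: ${minLevel}`);
  const { advisories, summary } = parseAudit(ndjson);
  const atOrAbove = (sev) => ORDER.indexOf(sev) >= min;
  const fromExit = ORDER.filter((sev) => (exitCode & BITS[sev]) !== 0 && atOrAbove(sev));
  const blocking = advisories.filter((a) => atOrAbove(a.severity));
  // No summary line means the audit did not finish (e.g. registry unreachable): fail closed.
  const incomplete = summary === null;
  return { fail: incomplete || fromExit.length > 0 || blocking.length > 0, incomplete, blocking };
}

// Constructed sample: the minimist row mirrors the audit table on this page, `example-lib` is made up.
const SAMPLE_AUDIT = [
  '{"type":"auditAdvisory","data":{"advisory":{"module_name":"minimist","severity":"high","vulnerable_versions":"<1.2.2","patched_versions":">=1.2.2"}}}',
  '{"type":"auditAdvisory","data":{"advisory":{"module_name":"example-lib","severity":"low","vulnerable_versions":"<0.3.0","patched_versions":">=0.3.0"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":0}}}',
].join('\n');
const SAMPLE_EXIT = BITS.low | BITS.high; // 10: the status the process would exit with for this sample
```

In a pipeline, pass the captured stdout and exit status of `yarn audit --json` to `auditGate` and exit non-zero when `fail` is true.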

Package Distribution

# Build and pack workflow
yarn build
yarn test
yarn pack --filename "$(npm pkg get name | tr -d '\"')-$(npm pkg get version | tr -d '\"').tgz"

# Verify packed contents
tar -tzf *.tgz | head -20

Development Workflow Integration

# Pre-install validation
yarn check --verify-tree 2>/dev/null || yarn install

# Post-install cleanup
yarn install && yarn autoclean && yarn check

# Version bump workflow
yarn test && yarn build && yarn version --patch && yarn publish

Maintenance Scripts

{
  "scripts": {
    "preinstall": "yarn check --verify-tree || true",
    "postinstall": "yarn autoclean && yarn audit --level high",
    "prebuild": "yarn check --integrity",
    "prepack": "yarn build && yarn test",
    "version": "yarn build && git add -A dist",
    "postversion": "git push && git push --tags",
    "security-check": "yarn audit --level moderate --json | jq 'select(.type == \"auditSummary\") | [.data.vulnerabilities[]] | add'",
    "clean-install": "rm -rf node_modules yarn.lock && yarn install"
  }
}

Troubleshooting Utilities

# Debug dependency resolution
yarn install --verbose

# Check for conflicting versions
yarn list --pattern "*" | grep -E "├─|└─" | sort | uniq -c | sort -nr

# Verify lockfile consistency
yarn install --frozen-lockfile --check-files

# Generate detailed dependency report
yarn list --json > dependency-report.json

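# Check package sizes (each tree entry's name is already "name@version";
# the value is passed to sh as an argument instead of being spliced into the command)
yarn list --json | jq -r '.data.trees[].name' | \
  xargs -I {} sh -c 'printf "%s: " "$1"; npm view "$1" dist.unpackedSize 2>/dev/null || echo "unknown"' _ {}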

Integration with Other Tools

# Integration with npm-check-updates
npx npm-check-updates
yarn upgrade

# Integration with license-checker
npx license-checker --summary
yarn licenses list

# Integration with bundlephobia
yarn list --json | jq -r '.data.trees[].name' | \
  xargs -I {} curl -s "https://bundlephobia.com/api/size?package={}" | jq '.'

# Integration with snyk
npx snyk test
yarn audit

Install with Tessl CLI

npx tessl i tessl/npm-yarn
