Yarn is a spiritual successor to the npm cli. Yarn automatically updates the
yarn.lock file when the yarn CLI is used to modify the dependencies present in
the project. The yarn.lock file contains information about a dependency's
transitive dependencies, its location, and its resolved version.
Find all files named yarn.lock which have a corresponding package.json file.
yarn.lock has its own bespoke format. Dependencies typically look something like:
"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.5.5":
version "7.5.5"
resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.5.5.tgz#bc0782f6d69f7b7d49531219699b988f669a8f9d"
integrity sha512-27d4lZoomVyo51VegxI20xZPuSHusqbQag/ztrBC7wegWoQ1nLREPVSKSW8byhTlzTKyNE4ifaTA6lCp7JjpFw==
dependencies:
"@babel/highlight" "^7.0.0"
where:
resolvedis the exact location of the dependencyversionis a pinned dependency- the section "keys" contain constraints used by other packages to refer to this dependency
dependenciesis a list of constraints for dependencies of this package
We also support yarn V2, which uses a similar, though mechanically different schema, but uses standard YAML rather than a bespoke format.
As of v2.19.x, we also support yarn workspaces. In practice, this means that
the package.json files used to build the yarn.lock file are also checked,
and the knowledge of both is combined to form a (usually) complete picture of
the full graph of dependencies.
There are many default Yarn protocols that Yarn allows users to fetch dependencies. The FOSSA CLI currently supports the npm and git protocols.