
@yarnpkg/lockfile

The parser/stringifier for Yarn lockfiles.

Versions: 4
License: BSD-2-Clause
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry signature only proves that the registry served this exact tarball, not that it was built from the repository's code. The axios compromise (March 2026) relied on exactly this gap.

Maintainers

arcanis, bestander, cpojer, daniel15, sebmck

Keywords

yarn, yarnpkg, lockfile, dependency, npm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:etc-passwd-access | AI (semgrep): The flagged line is a code comment ('// Test: ./node test/fixtures/echo.js < /etc/passwd'), not actual /etc/passwd access. Stable false positive for this package. | ai |
provenance | publisher-changed | AI (provenance): Publisher change from daniel15 to arcanis in 2018 reflects the documented Yarn project maintainer transition; arcanis is the primary Yarn creator with a strong track record. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (arcanis, bestander, cpojer, sebmck) are well-known Yarn/JS ecosystem contributors; this was a legitimate team consolidation in 2018. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64/hex conversion is used for integrity hash handling in a lockfile parser, legitimate and expected behavior, not a malicious payload. | ai |
bogus-package | bogus-package | AI (bogus-package): sebmck and cpojer are well-known legitimate JS ecosystem contributors (Babel creator, Meta engineer); spam flag is a false positive for this package. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Hex-to-base64 conversion for integrity hash normalization; standard lockfile parser functionality, not obfuscation. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): Bundled debug library reads DEBUG_* env vars for logging configuration, a well-known benign pattern stable across versions. | ai |

Versions (showing 4 of 4)

Version | Deps | Published
1.1.0 | 0 / 0 |
1.0.2 | 0 / 0 |
1.0.1 | 0 / 0 |
1.0.0 | 0 / 0 |

v1.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD (npm publish --provenance from a supported CI runner).

v1.0.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

2 findings
HIGH | Publisher changed: daniel15 → arcanis (on 2018-05-11) | provenance

This version was published by a different npm account than previous versions on 2018-05-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD (npm publish --provenance from a supported CI runner).

v1.0.0

2 findings
HIGH | etc-passwd-access: index.js:7611 | semgrep

Accessing /etc/passwd or /etc/shadow, credential harvesting on Linux.

  7609 | // stream from an existing fd which is writable only. But for now
  7610 | // we'll just add this hack and set the `readable` member to false.
> 7611 | // Test: ./node test/fixtures/echo.js < /etc/passwd
  7612 | stream.readable = false;
  7613 | stream.read = null;

The flagged line is a comment in bundled code, not a file read; the accepted-risks table above records it as a false positive.

LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.