Stop Using Yarn Classic

Yarn Classic (1.x) is officially no longer maintained, so it receives no new features or security patches, and in particular it is hard to patch CVEs in vulnerable transitive dependency packages. Yarn Berry (4.x) can update even transitive dependencies easily with the 'yarn up --recursive' command, which makes responding to security vulnerabilities much simpler. Yarn Classic users are advised to migrate to Yarn Berry or to switch to a modern package manager such as pnpm or Bun. This post explains in detail, from a practical perspective, the limitations of Yarn Classic and the advantages of modern package managers.

https://charpeni.com/blog/stop-using-yarn-classic

#yarn #packagemanagement #dependencymanagement #security #cve

Stop Using Yarn Classic | Nicolas Charpentier

Yarn Classic is frozen, and its lack of recursive transitive updates is becoming a real liability in an era where CVEs land weekly. It's time to move on.

Nicolas Charpentier

RE: https://mastodon.social/@thehackerwire/116378857363756327

It's OpenClaw again. Which leads me to the question:
Has anyone built a tool that shows the "Vulnerability Timeline" of one and the same software (possibly also checking for renaming or CPE changes by company mergers)?
This could be useful for arguing for/against a package.
#Infosec #DependencyManagement #SoftwareSecurity

Are you working with software dependencies in constrained environments? Then this might interest you:

I’ll give a lightning talk on how we approach practical license and vulnerability management when resources are limited. As Technical Solution Lead at Alliander I deal daily with issues regarding licensing and security. I’ll talk about tooling and share key findings and insights.

Where & when to go?
Monday, March 23
13:15 CET
Amsterdam

#Ospology #DevOps #Security #OpenSource #DependencyManagement

Oh boy, another tool to generate and verify #lockfiles for GitHub Actions, because we all know life's too short to trust those pesky mutable tags. 🔒✨ Let's spend our precious time pinning every single action to exact commit SHAs, because who doesn't love a good game of dependency whack-a-mole? 🎯🛠️
https://gh-actions-lockfile.net #GitHubActions #dependencyManagement #automation #tools #HackerNews #ngated
gh-actions-lockfile

Generate and verify lockfiles for GitHub Actions dependencies. Pin all actions to exact commit SHAs with integrity hashes.

I am really enjoying the Pixi package manager, https://pixi.sh , made by @prefix. We have been using conda at my work for managing the dependencies of our python application. It involves scientific data analysis so there are lots of dependencies, and it has been a challenge to keep things up to date. Pixi has nice support for cleanly defining the direct dependencies in the pixi.toml file, and then it automatically generates a lock file. There is a command to upgrade all the dependencies too. It's amazing! I'm just starting to use it, but it is helpful so far.

#conda
#packageManagement
#pixi
#dependencyManagement


"Cooldowns enforce positive behavior from supply chain security vendors: vendors are still incentivized to discover and report attacks quickly, but are not as incentivized to emit volumes of blogspam about 'critical' attacks on largely underfunded open source ecosystems."

#npm #supplychainattack #dependencymanagement

https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

We should all be using dependency cooldowns
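A dependency cooldown, as the linked post argues for, means refusing to adopt a newly published version until it has been public for some minimum time, so a malicious release is usually pulled or flagged before it ever reaches your lockfile. The selector below is an added example, not code from the linked post or from any package manager; the release dates and the fixed "now" are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> publish timestamp, the shape a registry's
# per-version "time" metadata typically has. 4.3.0 is the fresh, unvetted push.
SAMPLE_RELEASES = {
    "4.2.0": "2025-10-01T12:00:00Z",
    "4.2.1": "2025-11-10T09:30:00Z",
    "4.3.0": "2025-11-20T18:45:00Z",
}
# Fixed clock so the example is reproducible (assumption, not real time).
NOW = datetime(2025, 11, 21, 12, 0, tzinfo=timezone.utc)


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def _published_at(stamp):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised to UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def held_back(releases, cooldown_days, now=NOW):
    """Versions still inside the cooldown window (published too recently)."""
    cutoff = now - timedelta(days=cooldown_days)
    return sorted(
        (v for v, stamp in releases.items() if _published_at(stamp) > cutoff),
        key=parse_version,
    )


def pick_with_cooldown(releases, cooldown_days, now=NOW):
    """Newest version published at least cooldown_days before now, or None.

    This is the core of a cooldown policy: the update candidate is the
    highest version that has already survived the window, not the latest.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [v for v, stamp in releases.items() if _published_at(stamp) <= cutoff]
    if not eligible:
        return None  # nothing has aged enough; keep the current pin
    return max(eligible, key=parse_version)


if __name__ == "__main__":
    print("7-day cooldown picks:", pick_with_cooldown(SAMPLE_RELEASES, 7))
    print("still held back:", held_back(SAMPLE_RELEASES, 7))
```

With a 7-day window the selector returns 4.2.1 and reports 4.3.0 as held back; with no window it would jump straight to 4.3.0, which is exactly the behaviour a cooldown is meant to avoid.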

A step-by-step guide to modernizing .NET applications with GitHub Copilot agent mode - .NET Blog

Learn how Visual Studio 2026 and GitHub Copilot app modernization upgrade .NET versions and frameworks, fix build issues, and migrate apps to Azure with less manual effort

.NET Blog

"Working on a multi-language project (Node.js, Python, Java) is truly a nightmare when you have to find and update dependency packages!
Has anyone else run into the same problem?
How do you manage multi-language dependencies these days? #DevTools #MultiLanguage #DependencyManagement #CôngCụPhátTriển #QuảnLýPhụThuộc"

https://www.reddit.com/r/SaaS/comments/1oq7n23/ever_spend_hours_fixing_missing_dependencies_on/

The author shares how he keeps his Nix "inputs" (AI, dev tools, desktop) fresh by separating them so they can be updated on different schedules. He also wrote a small script to check for available updates.

#Nix #NixOS #Programming #DevTools #DependencyManagement #LậpTrình #CôngCụPhátTriển #QuảnLýPhụThuộc

https://www.reddit.com/r/programming/comments/1o2408y/keeping_my_nix_inputs_fresh/

Keep your dependencies up to date with Renovate 🔄📦

Modern apps rely on countless frameworks & libraries. But with great libraries comes great responsibility.

At #BaselOne25, Java Champion @michaelvitz introduces Renovate – the open-source bot that keeps dependencies up to date, reduces security risks & automates dependency management.

📅 Oct 16 | Basel

🎟️ https://eventfrog.ch/BaselOne2025

📌 Program: https://baselone.org/en/baselone-home/#schedule

#BaselOne #DependencyManagement #DevTools #OpenSource