Splitting off this discussion from #777 since there is around 3 weeks till Node 14 is supposed to be released. This represents a good time to remove the support from the image for v14 without requiring a breaking change later.
Why?
- Issues like "Please update yarn to at least 1.22.0 (CVE-2020-8131)" (#1237) get raised for CVEs in Yarn, which we wouldn't patch, like issues shipped with the bundled version of NPM in Node (e.g. "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload", #1235).
- Yarn 2 ("Yarn 2 support", #1180) changed their deployment method to vendor the binary into repos, so newer repos using Yarn shouldn't need the same global install.
How?
- Move the Yarn templating to update.sh and only append it when Node < 14.
This would still keep Yarn in the <14 images till v12 hits EOL in April 2022, and follows a similar approach to the "OnBuild" deprecation by not adding it to newer versions after 8.
This wouldn't preclude a separate image with Yarn being taken back up by the Yarn project as they did in the past, giving them more control over tagging of their version releases.