
Remove unsupported Yarn v1.22 from docker-node base images

Open ms-ati opened this issue 5 months ago • 18 comments

Problem

Yarn v1 is included in the docker-node images, however it is receiving only limited security updates and the guidance has been to migrate to modern Yarn since 2020.

Especially for smaller images like Alpine, this dependency contributes to the size of the base, but seems unlikely to be used widely.

Solution

Remove the installation of Yarn v1 from the docker-node base images. Document best ways to then add Yarn v1 if needed.

Alternatives to Consider

  1. Take an ARG to the base image which chooses a Yarn version to install
  2. Add a docker variant no-yarn which does not contain yarn, but continue to install on other variants
  3. Continue as-is installing Yarn 1.22 on all docker-node images

ms-ati avatar Jul 22 '25 19:07 ms-ati

@ms-ati

Yarn Classic v1 is a bit of an anomaly! As you say, it's unsupported, however it has not been declared end-of-life and download numbers are still increasing.

  • See https://github.com/yarnpkg/yarn/issues/9062

seems unlikely to be used widely

The supposition that Yarn is not widely used is not supported by current statistics, which show download figures for the yarn package of around 6 million per week.

I assume that the complexity of migrating from Yarn Classic v1 to Yarn Modern with pnp and Corepack technologies have been a barrier.

Edit: ~~At this time probably continuing "as-is" is the right decision.~~ I have changed my mind about this, considering the state of Yarn v1 Classic

MikeMcC399 avatar Jul 28 '25 07:07 MikeMcC399

PLEASE add at least an argument for the YARN version. I'm right now copying the whole base Dockerfile into my repo to evade the absolute nightmare of not being able to override the "global package manager definition". Corepack is absolutely no help here at all as it always defaults to the preinstalled yarn 1.22.22.

mkesper avatar Aug 12 '25 14:08 mkesper

@mkesper

Which version of Yarn do you want to use and which Docker Node.js version are you using? I would expect the version of Yarn Modern to be in the package.json file in the packageManager field, for example:

  "packageManager": "[email protected]+sha512.1fc009bc09d13cfd0e19efa44cbfc2b9cf6ca61482725eb35bbc5e257e093ebf4130db6dfe15d604ff4b79efd8e1e8e99b25fa7d0a6197c9f9826358d4d65c3c"

That would get picked up if you have the following in your Dockerfile:

RUN corepack enable yarn

Edit: It also sounds like your problem is not with Yarn v1 Classic, which is now topic of this renamed issue, so it should probably be looked at in a different issue.

MikeMcC399 avatar Aug 13 '25 08:08 MikeMcC399

With CVE-2025-8262 and CVE-2025-9308 impacting 1.22.22 of yarn in alpine builds, will this be prioritized?

jonathandeclan avatar Sep 05 '25 16:09 jonathandeclan

Based on the separate high download numbers of the npm package yarn (current version 1.22.22, released Mar 3, 2024) of 6 million per week, I imagine that there could still be significant usage of Yarn v1 Classic through Node.js Docker images. Removing Yarn v1 Classic from these Docker images is therefore also likely to have a significant impact for users.


Yarn v1 Installation states:

Image

In practice, there is no longer any maintainer response to issues raised in the repo https://github.com/yarnpkg/yarn/issues list. The failing nightly CircleCI pipeline has been abandoned and a request to fix (or disable the pipeline) was also not actioned. The pipeline runs on end-of-life versions of Node.js 4-13 and Node.js 12-16.

Whether or not to continue to bundle Yarn v1 Classic in Node.js Docker images may need to be a strategy topic for the Docker Working Group given the potential impact. If it's decided to remove Yarn v1 Classic then there may need to be an announcement ahead of time with a suitable transition period where its use in Node.js Docker images is deprecated before it is finally removed.

MikeMcC399 avatar Sep 06 '25 08:09 MikeMcC399

Please flag this with the WG-agenda label so the decision can be made.

jonathandeclan avatar Sep 11 '25 13:09 jonathandeclan

@jonathandeclan

Please flag this with the WG-agenda label so the decision can be made.

Despite the description in the README > WG Meetings section referring to the WG-Agenda label, no such label is defined in this repo under labels. The closest would be the https://github.com/nodejs/docker-node/labels/tsc-agenda label, which appears never to have been used.

Edit: extracted as a separate topic under https://github.com/nodejs/docker-node/issues/2278

Hopefully one of the members of the WG will be able to respond and take the necessary action!

MikeMcC399 avatar Sep 11 '25 13:09 MikeMcC399

Regarding the download numbers for Yarn v1, are we able to correct for the circular-reasoning factor, in which base images and other artifacts continue to install Yarn v1 due to these numbers, which ensures the numbers stay high?

Wondering if there's a better proxy for usage, or if the node-docker community has a mechanism for announcing intent to deprecate and remove and solicit concerns?

ms-ati avatar Sep 11 '25 14:09 ms-ati

@ms-ati

Regarding the download numbers for Yarn v1, are we able to correct for the circular-reasoning factor, in which base images and other artifacts continue to install Yarn v1 due to these numbers, which ensures the numbers stay high?

Wondering if there's a better proxy for usage, or if the node-docker community has a mechanism for announcing intent to deprecate and remove and solicit concerns?

I would expect that the download numbers for Yarn v1 Classic shown in the npm registry stats caused by including it in Docker node images would be restricted to each time a Docker image is built through this repo, not when it is used. If Yarn is included in the Docker image then it doesn't get downloaded from the npm registry every time.

MikeMcC399 avatar Sep 11 '25 14:09 MikeMcC399

It's not the first time that the continued inclusion of Yarn v1 Classic has been discussed here.

  • https://github.com/nodejs/docker-node/issues/1238
  • https://github.com/nodejs/docker-node/issues/1979
  • https://github.com/nodejs/docker-node/pull/1768

At one point there was an initiative to enable Corepack by default to support Yarn Modern, and support unbundling of Yarn v1 Classic.

And then there was the Node.js Technical Steering Committee vote on Mar 19, 2025 which resulted in the strategy decision:

Phase out later: stop distributing Corepack (i.e. the distribution will no longer contain a corepack executable) on future (i.e. 25+) release lines of Node.js – existing release lines as well as the very next (i.e. 24.x) will keep it as experimental.

Edit: Changed the text below, since Node.js 25.0.0 has now been released:

Since Node.js 25.0.0 was released on Oct 15, 2025, there is no bundled Corepack included with Node.js >=25. Also in practice, since the announcement of the TSC vote outcome, no further significant development of Corepack is taking place in the Corepack repo.

~~Possibly the Node.js 25 release milestone (Oct 15, 2025) would be the right trigger to discuss once again about what to do with Yarn v1 Classic?~~ Too late, as this milestone is now in the past.

MikeMcC399 avatar Sep 11 '25 18:09 MikeMcC399

Since yarn is installed via curl, using the recommended way to install corepack manually obviously doesn't work:

$ npm uninstall -g yarn pnpm
up to date in 3s
$ npm install -g corepack
npm error code EEXIST
npm error path /usr/local/bin/yarn
npm error EEXIST: file already exists
npm error File exists: /usr/local/bin/yarn
npm error Remove the existing file and try again, or run npm
npm error with --force to overwrite files recklessly.
npm error A complete log of this run can be found in: /root/.npm/_logs/2025-10-19T09_03_30_940Z-debug-0.log

I'm now using npm install -g --force corepack

peterhirn avatar Oct 19 '25 09:10 peterhirn

@peterhirn

You've raised a separate issue that occurs starting with Node.js 25 Docker images. These images have no Corepack pre-installed since Corepack is no longer bundled with Node.js starting with Node.js 25.0.0.

To allow Corepack to install without error in containers based on Node.js >=25 Docker images, you would need to remove the Yarn v1 Classic symbolic links.

To demonstrate:

docker run -it --rm --entrypoint bash node:25
rm /usr/local/bin/yarn* # remove Yarn v1 symlinks
npm install -g corepack@latest # install Corepack

Using the Docker image node:24, it is not necessary to remove the Yarn v1 symlinks before updating Corepack to the latest version.

MikeMcC399 avatar Oct 21 '25 13:10 MikeMcC399
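A narrower variant of the symlink removal shown in the comment above, added here as an example and not taken from the thread or the docker-node project: it removes only symlinks that resolve into the /opt/yarn-v1.*/bin/ directory that the docker-node Dockerfiles use (assumed layout), so a blanket `rm /usr/local/bin/yarn*` can never take a Corepack-managed yarn or any other "yarn*" entry with it. The directory tree it runs against is a constructed fixture, not a real image.

```shell
#!/bin/sh
# Added example (not from the thread): remove only the Yarn v1 Classic symlinks
# that the docker-node Dockerfiles create, instead of `rm /usr/local/bin/yarn*`,
# which would also delete any other entry whose name starts with "yarn".
# Assumption: /usr/local/bin/yarn and /usr/local/bin/yarnpkg are symlinks into
# /opt/yarn-v<version>/bin/, as in the docker-node images.

remove_yarn_classic_symlinks() {
    bindir="${1:-/usr/local/bin}"
    removed=0
    for link in "$bindir/yarn" "$bindir/yarnpkg"; do
        # Skip regular files (e.g. a Corepack-installed yarn) and missing entries.
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            */yarn-v1.*/bin/*) rm "$link"; removed=$((removed + 1)) ;;
            *) ;;  # symlink points somewhere else: leave it alone
        esac
    done
    echo "$removed"
}

# Constructed fixture that mimics the image layout so the function can be
# exercised offline; prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/yarn-v1.22.22/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\necho 1.22.22\n' > "$root/opt/yarn-v1.22.22/bin/yarn"
    cp "$root/opt/yarn-v1.22.22/bin/yarn" "$root/opt/yarn-v1.22.22/bin/yarnpkg"
    ln -s "$root/opt/yarn-v1.22.22/bin/yarn" "$root/usr/local/bin/yarn"
    ln -s "$root/opt/yarn-v1.22.22/bin/yarnpkg" "$root/usr/local/bin/yarnpkg"
    # An unrelated "yarn*" entry that a blanket rm would destroy.
    printf '#!/bin/sh\nexec corepack yarn "$@"\n' > "$root/usr/local/bin/yarn-wrapper"
    echo "$root"
}

# Stand-alone demonstration against the fixture.
demo_root=$(make_fixture)
echo "removed $(remove_yarn_classic_symlinks "$demo_root/usr/local/bin") Yarn v1 symlink(s)"
ls "$demo_root/usr/local/bin"
rm -rf "$demo_root"
```

Running it a second time against the same directory removes nothing, so it is safe to put in a Dockerfile RUN step ahead of `npm install -g corepack@latest`.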

Hi folks, it's interesting watching the discussion on this ticket. I understand the concern that removing Yarn v1 classic may break some users who depend on the existing image.

I'm a bit skeptical that there are many users of the latest Node versions -- that is, users who are updating Node versions frequently -- who are still using Yarn v1 classic. But we must acknowledge that they may exist.

Q: Should we consider creating a named image variant which stops installing Yarn?

  • Announce and publicize it (e.g. JS weekly news etc)
  • Announce a date at top of README file by which the no-yarn variant will become the norm, and the installation of yarn will entirely cease
  • Observe the portion of pulls that move to new variants over time

My intent is to explore paths to de-couple the two concerns of (a) avoiding breaking existing users, and (b) beginning to publish an official no-yarn version for all the reasons mentioned in this thread and related issues.

Thoughts?

ms-ati avatar Oct 21 '25 13:10 ms-ati

@ms-ati

I took a quick look at the potential size savings by removing Yarn v1 Classic:

| Image | uncompressed | uncompressed, no Yarn | savings MB | savings % |
|---|---|---|---|---|
| node:22.21-alpine3.22 | 161.97MB | 156.6MB | 5MB | 3% |
| node:22.21-trixie-slim | 230.65MB | 223.41MB | 7MB | 3% |
| node:22.21-trixie | 1.22GB | 1.21GB | 0.01GB | 1% |

This probably isn't significant enough to motivate a change in itself.

The remaining argument is that Yarn v1 Classic is frozen, unsupported and unmaintained, although the source repo https://github.com/yarnpkg/yarn hasn't been archived. The npm package yarn (last published as 1.22.22 in March 2024) hasn't been deprecated either and there has been no end-of-life declared on it.

MikeMcC399 avatar Oct 23 '25 12:10 MikeMcC399

I think apart from the other arguments for removing it (unsupported/unmaintained software, less software installed, reduced complexity), one other argument may be considered:

It is unexpected and unusual that an old, frozen artifact of package manager history is shipped along with new images, given that there are many reasons why it should not be used (security features, speed, many other modern features). If I was a new developer downloading a new image today (or in 2 years, or in 10 years), I wouldn't expect that such an old package manager would be included.

So removing it for this reason (to make the set of software installed on new images be less unusual and unexpected) would be in my opinion an additional argument to remove it.

karlhorky avatar Oct 23 '25 13:10 karlhorky

@ms-ati

Q: Should we consider creating a named image variant which stops installing Yarn?

This would have the potential to double the number of new images built for every release from 8 to 16 and I don't expect that this is going to be acceptable.

An alternative concrete proposal which leaves sufficient time for discussion and consensus building would be to remove Yarn v1 Classic from all Node.js 26.x Docker images, leaving it in for existing release lines (20, 22, 24 & 25) until their own end-of-life milestone. The Node.js 26 release line is planned for initial release in April 2026 and transitions to LTS in Oct 2026.

MikeMcC399 avatar Oct 23 '25 15:10 MikeMcC399

If the source repo for Yarn v1 Classic, https://github.com/yarnpkg/yarn, is cloned locally then CI tests and a vulnerability audit are run, then these are the results:

Test results

Test Suites: 15 failed, 74 passed, 89 total
Tests:       59 failed, 3 skipped, 1215 passed, 1277 total
Snapshots:   119 passed, 119 total

Vulnerability results

52 vulnerabilities found - Packages audited: 253
Severity: 7 Low | 13 Moderate | 24 High | 8 Critical

Steps to reproduce

Debian 13.1, Node.js 25.1.0 (Current), Yarn v1 Classic master branch, 7cafa512

npm install [email protected] -g
git clone https://github.com/yarnpkg/yarn
cd yarn
yarn
yarn build
yarn test-only
yarn audit --groups dependencies

MikeMcC399 avatar Oct 30 '25 12:10 MikeMcC399

Given the abandoned state of Yarn v1 Classic (last update v1.22.22 18 months ago) it seems like there ought to be an exception process needing approval to continue to distribute Yarn v1 Classic with Node.js Docker images, however so far there hasn't been any reaction from maintainers or from the designated Docker Working Group Members (Hans Kristian Flaatten (@Starefossen), Hugues Malphettes (@hmalphettes) & John Mitchell (@jlmitch5)).

It increasingly looks that there is no decision going to be made about this issue, or am I misreading the situation?

MikeMcC399 avatar Nov 03 '25 08:11 MikeMcC399