Remove unsupported Yarn v1.22 from docker-node base images

[ms-ati]

Problem

Yarn v1 is included in the docker-node images, however it is receiving only limited security updates and the guidance has been to migrate to modern Yarn since 2020.

Especially for smaller images like Alpine, this dependency contributes to the size of the base, but seems unlikely to be used widely.

Solution

Remove the installation of Yarn v1 from the docker-node base images. Document best ways to then add Yarn v1 if needed.

Alternatives to Consider

1. Take an ARG to the base image which chooses a Yarn version to isntall
2. Add a docker variant no-yarn which does not contain yarn, but continue to install on other variants
3. Continue as-is installing Yarn 1.22 on all docker-node images

[MikeMcC399]

@ms-ati

Yarn Classic v1 is a bit of an anomaly! As you say, it's unsupported, however it has not been declared end-of-life and download numbers are still increasing.

• See Lifecycle planning / end-of-life? yarnpkg/yarn#9062

seems unlikely to be used widely

The supposition that Yarn is not widely used is not supported by current statistics, which show download figures for the yarn package of around 6 million per week.

I assume that the complexity of migrating from Yarn Classic v1 to Yarn Modern with pnp and Corepack technologies have been a barrier.

Edit: At this time probably continuing "as-is" is the right decision. I have changed my mind about this, considering the state of Yarn v1 Classic

[mkesper]

PLEASE add at least an argument for the YARN version. I'm right now copying the whole base Dockerfile into my repo to evade the absolute nightmare of not being able to override the "global package manager definition". Corepack is absolutely no help here at all as it always defaults to the preinstalled yarn1.22.22.

[MikeMcC399]

@mkesper

Which version of Yarn do you want to use and which Docker Node.js version are you using? I would expect the version of Yarn Modern to be in the package.json file in the packageManager field, for example:

  "packageManager": "yarn@4.9.2+sha512.1fc009bc09d13cfd0e19efa44cbfc2b9cf6ca61482725eb35bbc5e257e093ebf4130db6dfe15d604ff4b79efd8e1e8e99b25fa7d0a6197c9f9826358d4d65c3c"

That would get picked up if you have the following in your Dockerfile:

RUN corepack enable yarn

Edit: It also sounds like your problem is not with Yarn v1 Classic, which is now topic of this renamed issue, so it should probably be looked at in a different issue.

[jonathandeclan]

With CVE-2025-8262 and CVE-2025-9308 impacting 1.22.22 of yarn in alpine builds, will this be prioritized?

[MikeMcC399]

Based on the separate high download numbers of the npm package yarn (current version 1.22.22, released Mar 3, 2024) of 6 million per week, I imagine that there could still be significant usage of Yarn v1 Classic through Node.js Docker images. Removing Yarn v1 Classic from these Docker images is therefore also likely to have a significant impact for users.

Yarn v1 Installation states:

In practice, there is no longer any maintainer response to issues raised in the repo https://github.com/yarnpkg/yarn/issues list. The failing nightly CircleCI pipeline has been abandoned and a request to fix (or disable the pipeline) was also not actioned. The pipeline runs on end-of-life versions of Node.js 4-13 and Node.js 12-16.

Whether or not to continue to bundle Yarn v1 Classic in Node.js Docker images may need to be a strategy topic for the Docker Working Group given the potential impact. If it's decided to remove Yarn v1 Classic then there may need to be an announcement ahead of time with a suitable transition period where its use in Node.js Docker images is deprecated before it is finally removed.

[jonathandeclan]

Please flag this with the WG-agenda label so the decision can be made.

[MikeMcC399]

@jonathandeclan

Please flag this with the WG-agenda label so the decision can be made.

Despite the description in the README > WG Meetings section referring to the WG-Agenda label, none such label is defined in this repo under labels. The closest would be the tsc-agenda label, which appears never to have been used.

Edit: extracted as a separate topic under #2278

Hopefully one of the members of the WG will be able to respond and take the necessary action!

[ms-ati]

Regarding the download numbers for Yarn v1, are we able to correct for the circular-reasoning factor, in which base images and other artifacts continue to install Yarn v1 due to these numbers, which ensures the numbers stay high?

Wondering if there's a better proxy for usage, or if the node-docker community has mechanism for announcing intent to deprecate and remove and solicit concerns?

[MikeMcC399]

@ms-ati

Regarding the download numbers for Yarn v1, are we able to correct for the circular-reasoning factor, in which base images and other artifacts continue to install Yarn v1 due to these numbers, which ensures the numbers stay high?

Wondering if there's a better proxy for usage, or if the node-docker community has mechanism for announcing intent to deprecate and remove and solicit concerns?

I would expect that the download numbers for Yarn v1 Classic shown in the npm registry stats caused by including it in Docker node images would be restricted to each time a Docker image is built through this repo, not when it is used. If Yarn is included in the Docker image then it doesn't get downloaded from the npm registry every time.

[MikeMcC399]

It's not the first time that the continued inclusion of Yarn v1 Classic has been discussed here.

• Suggestion for dropping Yarn from Node 14 release #1238
• Decision about yarn in version 21 of Node #1979
• feat: enable Corepack (pnpm support, unbundle yarn) #1768

At one point there was an initiative to enable Corepack by default to support Yarn Modern, and support unbundling of Yarn v1 Classic.

And then there was the Node.js Technical Steering Committee vote on Mar 19, 2025 which resulted in the strategy decision:

Phase out later: stop distributing Corepack (i.e. the distribution will no longer contain a corepack executable) on future (i.e. 25+) release lines of Node.js – existing release lines as well as the very next (i.e. 24.x) will keep it as experimental.

Edit: Changed the text below, since Node.js 25.0.0 has now been released:

When Node.js 25.0.0 released on Oct 15, 2025, there is no bundled Corepack included with Node.js >=25. Also in practice, since the announcement of the TSC vote outcome, no further significant development of Corepack is taking place in the Corepack repo.

Possibly the Node.js 25 release milestone (Oct 15, 2025) would be the right trigger to discuss once again about what to do with Yarn v1 Classic? Too late, as this milestone is now in the past.

[peterhirn]

Since yarn is installed via curl, using the recommended way to install corepack manually obviously doesn't work:

$ npm uninstall -g yarn pnpm
up to date in 3s
$ npm install -g corepack
npm error code EEXIST
npm error path /usr/local/bin/yarn
npm error EEXIST: file already exists
npm error File exists: /usr/local/bin/yarn
npm error Remove the existing file and try again, or run npm
npm error with --force to overwrite files recklessly.
npm error A complete log of this run can be found in: /root/.npm/_logs/2025-10-19T09_03_30_940Z-debug-0.log

I'm now using npm install -g --force corepack

[MikeMcC399]

@peterhirn

You've raised a separate issue that occurs starting with Node.js 25 Docker images. These images have no Corepack pre-installed since Corepack is no longer bundled with Node.js starting with Node.js 25.0.0.

To allow Corepack to install without error in containers based on Node.js >=25 Docker images, you would need to remove the Yarn v1 Classic symbolic links.

To demonstrate:

docker run -it --rm --entrypoint bash node:25

rm /usr/local/bin/yarn* # remove Yarn v1 symlinks
npm install -g corepack@latest # install Corepack

Using the Docker image node:24, it is not necessary to remove the Yarn v1 symlinks before updating Corepack to the latest version.

[ms-ati]

Hi folks, it's interesting watching the discussion on this ticket. I understand the concern that removing Yarn v1 classic may break some users who depend on existing image.

I'm a bit skeptical that there are many users of the latest Node versions -- that is, users who are updating Node versions frequently -- who are still using Yarn v1 classic. But we must acknowledge that they may exist.

Q: Should we consider creating a named image variant which stops installing Yarn?

• Announce and publicize it (e.g. JS weekly news etc)
• Announce a date at top of README file by which the no-yarn variant will become the norm, and the installation of yarn will entirely cease
• Observe the portion of pulls that move to new variants over time

My intent is to explore paths to de-couple the two concerns of (a) avoiding breaking existing users, and (b) beginning to publish an official no-yarn version for all the reasons mentioned in this thread and related issues.

Thoughts?