Yarn Package Scanner

The Yarn package scanner automatically detects and extracts all third-party dependencies declared in your JavaScript and TypeScript projects that use Yarn as their package manager.

What It Does

Default file: yarn.lock

When you enable the Yarn scanner during SBOM creation, CAST SBOM Manager will:

  • Find all Yarn lock files throughout your codebase
  • Extract all resolved dependencies with their exact installed versions
  • Process all dependency entries including direct and transitive dependencies
  • Parse Yarn's lock file format to extract package names and versions
  • Filter to direct dependencies when configured to exclude transitive dependencies

What Gets Detected

The Yarn scanner identifies dependencies from yarn.lock files:

Lock File (yarn.lock)

From yarn.lock files, the scanner extracts:

  • Every package resolved during installation, identified by name and exact resolved version (for example 4.17.21, not ^4.17.20)
  • Both direct and transitive dependencies (unless the "direct dependencies only" filter is enabled)
  • A separate entry for each distinct resolved version when one package is resolved at more than one version

The lock file is the complete snapshot of the dependency graph Yarn resolved, which is what makes installations reproducible across environments. Because the scanner reads only yarn.lock, the SBOM reflects what that file says was resolved, not what is actually present in node_modules; scan the lock file that was used for the build (Yarn Classic's yarn install --frozen-lockfile and Yarn Berry's yarn install --immutable fail the install if the two disagree).

How It Works

Yarn Lock File Parsing

The Yarn Classic (v1) lock file uses its own format, neither JSON nor YAML, where dependency entries are structured as:

package-name@^1.0.0:
  version "1.2.3"
  resolved "https://registry.yarnpkg.com/..."
  dependencies:
    ...

The scanner processes this format by:

  1. Reading the lock file line by line, skipping blank lines and # comments
  2. Tracking package declaration lines (unindented lines ending in a colon that list one or more name@constraint references)
  3. When it encounters the indented version line that follows a declaration, it:
    • Extracts the exact resolved version from that line
    • Extracts the package name from the most recent declaration line
    • Creates a dependency entry with the package name and resolved version

Package Name Extraction

Yarn lock files can have multiple version constraints pointing to the same resolved version:

"package@^1.0.0", "package@~1.2.0":
  version "1.2.5"

The scanner:

  • Takes the first package reference from the declaration line (references are comma-separated and may be quoted)
  • Strips the version constraint suffix, that is everything from the last @ symbol onward, so that scoped packages such as @types/node@^18.0.0 keep their leading @ and yield @types/node
  • Uses the clean package name as the dependency identifier

Note that a package resolved at two different versions (for example minimist@^0.0.8 and minimist@^1.2.6 resolving to 0.0.8 and 1.2.8) appears as two declarations and therefore as two SBOM entries; both versions are real, installed code and both should be checked against vulnerability data.
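The following is an added example, not CAST SBOM Manager's own code, that implements the line-by-line parsing and package-name extraction steps described above in Node.js. It goes beyond the page's Yarn Classic example in two ways that are assumptions of this example rather than documented scanner behaviour: it also accepts the YAML-style Yarn Berry (v2+) lock file, and it skips Berry's __metadata block and workspace: entries (the project's own packages). It also applies the "direct dependencies only" filter from package.json as described under "What It Doesn't Detect" below. The lock file fragments and package.json are constructed sample data.

```javascript
// Added example (not CAST SBOM Manager's code). Parses yarn.lock line by line
// for both Yarn Classic (v1) and Yarn Berry (v2+) and applies the
// "direct dependencies only" filter from package.json.

// Constructed sample: Yarn Classic (v1) lock file fragment.
const CLASSIC_LOCK = `# yarn lockfile v1

"@types/node@^18.0.0":
  version "18.19.3"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-18.19.3.tgz"

lodash@^4.17.20, lodash@~4.17.15:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"

minimist@^0.0.8:
  version "0.0.8"

minimist@^1.2.6:
  version "1.2.8"
`;

// Constructed sample: Yarn Berry (v2+) lock file fragment (YAML-style).
const BERRY_LOCK = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 6
  cacheKey: 8

"lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  languageName: node
  linkType: hard

"my-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "my-app@workspace:."
  dependencies:
    lodash: ^4.17.21
  languageName: unknown
  linkType: soft
`;

// Constructed sample package.json for the direct-dependency filter.
const PACKAGE_JSON = {
  dependencies: { lodash: "^4.17.20" },
  devDependencies: { "@types/node": "^18.0.0" },
};

// First comma-separated reference on a declaration line, without the
// trailing colon and surrounding quotes, e.g. '"a@^1", "a@~1.2":' -> 'a@^1'.
function firstReference(declarationLine) {
  return declarationLine.replace(/:\s*$/, "").split(",")[0].trim().replace(/^"|"$/g, "");
}

// Split 'name@range' at the LAST "@" so scoped packages keep their leading "@".
// Berry ranges carry a protocol prefix ('npm:^1.0.0', 'workspace:.').
function splitRef(ref) {
  const at = ref.lastIndexOf("@");
  return at > 0 ? { name: ref.slice(0, at), range: ref.slice(at + 1) } : { name: ref, range: "" };
}

// Line-by-line parse: remember the latest declaration, emit an entry when
// its two-space-indented version line appears. Matches both
// '  version "1.2.3"' (Classic) and '  version: 1.2.3' (Berry); deeper
// indentation is a nested dependencies: block and is ignored.
function parseYarnLock(text) {
  const entries = [];
  let pending = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s+$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      pending = line.endsWith(":") ? line : null;
      continue;
    }
    const m = /^ {2}version:?\s+"?([^"\s]+)"?$/.exec(line);
    if (m && pending) {
      const { name, range } = splitRef(firstReference(pending));
      // Skip Berry's __metadata header and the project's own workspace packages.
      if (name !== "__metadata" && !range.startsWith("workspace:")) {
        entries.push({ name, version: m[1] });
      }
      pending = null;
    }
  }
  return entries;
}

// "Direct dependencies only": keep entries named in the dependencies,
// devDependencies or peerDependencies sections of package.json.
function directOnly(entries, packageJson) {
  const direct = new Set();
  for (const section of ["dependencies", "devDependencies", "peerDependencies"]) {
    for (const name of Object.keys(packageJson[section] || {})) direct.add(name);
  }
  return entries.filter((e) => direct.has(e.name));
}

console.log(parseYarnLock(CLASSIC_LOCK));
console.log(parseYarnLock(BERRY_LOCK));
console.log(directOnly(parseYarnLock(CLASSIC_LOCK), PACKAGE_JSON));
```

Two details matter for an SBOM: the two minimist entries are kept as separate components because both versions are resolved, and the name-based direct filter drops both transitive minimist entries even though one of them may carry the vulnerability you care about, which is why the page recommends scanning with transitive dependencies included.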

What It Doesn't Detect

The Yarn scanner has specific behavior regarding dependency types:

When scanning yarn.lock files:

  • All resolved packages are extracted by default, regardless of whether they originated from dependencies, devDependencies, peerDependencies, or optionalDependencies
  • When "direct dependencies only" filtering is enabled, the scanner keeps only packages named in the dependencies, devDependencies, and peerDependencies sections of the corresponding package.json
  • package.json files are not processed as a source of dependencies; they are consulted only for that filter
  • Only the resolved versions from yarn.lock are reported, never the version ranges from package.json

Neither yarn.lock nor package.json scanning detects:

  • Manually copied JavaScript libraries not managed by Yarn
  • Embedded or copy-pasted code from open source projects
  • CDN-loaded libraries referenced only in HTML files

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.

Yarn Classic vs. Yarn Berry

This scanner supports both:

  • Yarn Classic (v1.x) - The original Yarn, whose yarn.lock uses the custom format shown above (version "1.2.3", resolved "...")
  • Yarn Berry (v2+) - Modern Yarn, whose yarn.lock is YAML-style: keys carry a protocol prefix such as "package@npm:^1.0.0":, the version line is written version: 1.2.3, and the file starts with a __metadata block

Both versions name the file yarn.lock and the scanner parses either, so no special configuration is needed.