yarn (npm ecosystem)
Bomly uses this chain when it finds yarn evidence.
| Property | Value |
|---|---|
| Package manager | yarn |
| Ecosystem | npm |
| Detector chain | yarn-detector, yarn-native-detector, syft-detector |
| Evidence patterns | yarn.lock, package.json |
| Install-first support | Yes |
| Native command hints | yarn, syft for bomly-lite |
How yarn resolves
The default chain is lockfile-first: yarn-detector parses yarn.lock (classic v1 or Berry v2/v3/v4) and produces a full transitive graph. The native variant shells out to yarn list; Syft is the final fallback.
| Detector | Runs by default | Strategy | Command |
|---|---|---|---|
yarn-detector | Yes | Lockfile parser | None |
yarn-native-detector | Fallback | Build tool | yarn list --json |
syft-detector | Final fallback | Cataloger | (Syft internal) |
Network behavior
✅ The default yarn-detector is fully offline-safe. It reads yarn.lock and does not run any subprocess.
⚠️ yarn-native-detector runs yarn list. With a complete lockfile and an installed node_modules directory, yarn produces output from local state.
Prerequisites
- A committed
yarn.lock. Both classic v1 (# yarn lockfile v1header) and Berry v6+ are supported. - No Node.js or Yarn installation is required to scan. Bomly parses the lockfile directly.
- For
--install-first:yarnonPATH.
--install-first
yarn supports --install-first. When passed, Bomly runs yarn install before resolving the graph.
⚠️ --install-first downloads packages from the npm registry. Use it only when the lockfile is missing or stale.
bomly scan --install-first
Customizing the install command
Append flags to yarn install with repeatable --install-arg. Requires --detectors yarn-detector.
# Refuse to update the lockfile and skip optional deps
bomly scan --install-first --detectors yarn-detector \
--install-arg --frozen-lockfile --install-arg --ignore-optional
Examples
Pin a transitive vulnerability
Use resolutions in package.json:
{
"resolutions": {
"**/lodash": "4.17.21"
}
}
Re-lock: yarn install. Re-scan.
Berry workspaces
Bomly walks Berry workspaces and scans each as a subproject. Plug-and-Play (.pnp.cjs) projects are read through the lockfile, not the runtime resolver — graph fidelity matches the lockfile.
Reachability (experimental)
Experimental. Reachability is opt-in via
--analyze. The feature is stable in shape but may evolve; ecosystem coverage is expanding.
For Yarn packages, the analyzer is jsreach at Tier-3 (package) — same caveats as npm. See REACHABILITY.md.
jsreach reads workspace arrays and Yarn-style workspaces.packages objects automatically, then follows imports between consumed sibling packages by package name.
Limitations
- Yarn Berry workspaces with
injected: truedependencies are followed as regular edges. portal:andlink:protocols point to local checkouts; their internal dependencies are read from the local package, not the registry.- Subpath imports collapse to the package name for reachability.