Yarn uses its own proxy to the npm registry in order to allow us to experiment
with the way the Yarn client works and allow optimizations in the future around
how packages are resolved. This registry is used by all Yarn users by default.
To do this we use the popular service Cloudflare, which is used by
thousands of companies and which offered to work with us to make Yarn installs
faster globally.
Recently it was reported that Cloudflare had a serious bug (now widely known as
"Cloudbleed") that was leaking data from other customers' requests into the HTTP
responses it served.
When it comes to registry authentication, the Yarn client differs from the npm
client: when we perform authentication we do not store the resulting token, and
we invalidate it after it has been used.
However, Yarn still allows you to log in with your npm account to perform actions
such as publishing and downloading private packages. Out of the roughly 70 million
requests performed daily, only 10-30 involve registry authentication.
This means that for these few requests there was a possibility of user passwords
being leaked.
Since the Cloudflare announcement we've been in contact with them and have been assured
that Yarn was not affected and that no Yarn user data was leaked. Even with
this assurance, if you are one of the 10-30 people a day using Yarn for registry
authentication, we recommend that you reset your npm password as a precautionary measure.
As a result of this we're evaluating our security policy and have created a new email
address, security@yarnpkg.com, that can be used to report
security vulnerabilities privately without going through the public issue tracker. We're also in
the process of setting up a HackerOne account and will make an announcement when it
is available.
We'd like to apologize for this disruption and want to reaffirm our commitment to security
and transparency in cases like these.