Axure · Axure · Oct 8, 2019 · Sep 18, 2019 · Sep 18, 2019 · Sep 18, 2019
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,40 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa
 
 ## Master
 
+## 1.19.1
+
+**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
+
+- Computes the `--modules-folder` & friends paths based on the cwd.
+
+  [#7607](https://github.com/yarnpkg/yarn/pull/7607) - [**mbpreble**](https://github.com/mbpreble)
+
+- Stores the sha512 in the cache even when not provided by the server.
+
+  [#7591](https://github.com/yarnpkg/yarn/pull/7591) - [**Maël Nison**](https://twitter.com/arcanis) / [#7595](https://github.com/yarnpkg/yarn/pull/7595) - [**Michael**](https://github.com/Blasz)
+
+- Uses the right Node binary when using `yarn-path`.
+
+  [#7592](https://github.com/yarnpkg/yarn/pull/7592) - [**Maël Nison**](https://twitter.com/arcanis)
+
+## 1.19.0
+
+**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
+
+- Fixes a potential vulnerability regarding how the build artifacts are stored
+
+  Reported by [**ChALkeR**](https://github.com/ChALkeR), fixed by [**Maël Nison**](https://twitter.com/arcanis)
+
+## 1.18.0
+
+- Suggests using the Yarn 2 development trunk on PnP-enabled projects
+
+  [#7512](https://github.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Preserves linked packages when calling `yarn create`
+
+  [#7543](https://github.com/yarnpkg/yarn/pull/7543) - [**Nick McCurdy**](https://github.com/nickmccurdy)
+
 - Fixes the offline mirror filenames when using Verdaccio
 
   [#7499](https://github.com/yarnpkg/yarn/pull/7499) - [**xv2**](https://github.com/xv2)

diff --git a/__tests__/commands/install/integration.js b/__tests__/commands/install/integration.js
@@ -632,6 +632,11 @@ test('install should be idempotent', () =>
     null,
   ));
 
+test('install should fail to authenticate integrity with incorrect hash and correct sha512', () =>
+  expect(runInstall({}, 'invalid-checksum-good-integrity')).rejects.toMatchObject({
+    message: expect.stringContaining("computed integrity doesn't match our records"),
+  }));
+
 test('install should authenticate integrity field with sha1 checksums', () =>
   runInstall({}, 'install-update-auth-sha1', async config => {
     const lockFileContent = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
@@ -1160,3 +1165,102 @@ test('install skips the scripts if the yarnrc specifies skip-scripts true', () =
     const ignoredScriptsMessage = reporter.lang('ignoredScripts');
     expect(stdout).toMatch(ignoredScriptsMessage);
   }));
+
+describe('Cache', () => {
+  test('install should cache package without integrity prefix if no integrity field present', () =>
+    runInstall({}, 'install-update-auth-no-integrity-field', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853',
+      );
+
+      expect(await fs.exists(pkgCacheDir)).toEqual(true);
+    }));
+
+  test('install should cache package with integrity suffix if integrity field present', () =>
+    runInstall({}, 'install-update-auth-sha512', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity',
+      );
+
+      expect(await fs.exists(pkgCacheDir)).toEqual(true);
+    }));
+
+  test('install should store cached sha1 + sha512 integrity when lockfile has sha1 integrity field', () =>
+    runInstall({}, 'install-update-auth-sha1-safebuffer', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity',
+      );
+      const pkgCacheMetaData = JSON.parse(
+        await fs.readFile(path.join(pkgCacheDir, 'node_modules', 'safe-buffer', constants.METADATA_FILENAME)),
+      );
+      expect(pkgCacheMetaData.remote.cacheIntegrity).toBe(
+        // eslint-disable-next-line max-len
+        'sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=',
+      );
+    }));
+
+  test('install should store cached sha1 + sha512 integrity when lockfile has sha512 integrity field', () =>
+    runInstall({}, 'install-update-auth-sha512', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity',
+      );
+      const pkgCacheMetaData = JSON.parse(
+        await fs.readFile(path.join(pkgCacheDir, 'node_modules', 'safe-buffer', constants.METADATA_FILENAME)),
+      );
+      expect(pkgCacheMetaData.remote.cacheIntegrity).toBe(
+        // eslint-disable-next-line max-len
+        'sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=',
+      );
+    }));
+
+  test('install should store cached sha1 + sha512 integrity when lockfile has no integrity field', () =>
+    runInstall({}, 'install-update-auth-no-integrity-field', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853',
+      );
+      const pkgCacheMetaData = JSON.parse(
+        await fs.readFile(path.join(pkgCacheDir, 'node_modules', 'safe-buffer', constants.METADATA_FILENAME)),
+      );
+
+      expect(pkgCacheMetaData.remote.cacheIntegrity).toBe(
+        // eslint-disable-next-line max-len
+        'sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=',
+      );
+    }));
+
+  test('install should fail when cached package integrity does not match lockfile integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-invalid-cache-integrity')).rejects.toThrow(
+      // eslint-disable-next-line max-len
+      'Incorrect integrity when fetching from the cache for "safe-buffer". Cache has "sha512-foo sha1-bar" and remote has "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="',
+    ));
+
+  test('install should fail when cached package hash does not match remote hash', () =>
+    expect(runInstall({}, 'install-update-auth-invalid-cache-hash')).rejects.toThrow(
+      // eslint-disable-next-line max-len
+      'Incorrect hash when fetching from the cache for "safe-buffer". Cache has "bad-hash" and remote has "893312af69b2123def71f57889001671eeb2c853"',
+    ));
+
+  test('install should not fail cache integrity validation when lockfile has sha1 integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-sha1-with-cache')).resolves.toBeUndefined());
+
+  test('install should not fail cache integrity validation when lockfile has sha512 integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-sha512-with-cache')).resolves.toBeUndefined());
+
+  test('install should not fail cache integrity validation when lockfile has no integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-no-integrity-field-with-cache')).resolves.toBeUndefined());
+});
diff --git a/.../corrupted-meta-empty/.yarn-metadata.json → .../corrupted-meta-empty/.yarn-metadata.json b/.../corrupted-meta-empty/.yarn-metadata.json → .../corrupted-meta-empty/.yarn-metadata.json
diff --git a/...ules/corrupted-meta-not-existing/.gitkeep → ...ules/corrupted-meta-not-existing/.gitkeep b/...ules/corrupted-meta-not-existing/.gitkeep → ...ules/corrupted-meta-not-existing/.gitkeep
diff --git a/...s/corrupted-meta-typo/.yarn-metadata.json → ...s/corrupted-meta-typo/.yarn-metadata.json b/...s/corrupted-meta-typo/.yarn-metadata.json → ...s/corrupted-meta-typo/.yarn-metadata.json
diff --git a/...ood/node_modules/good/.yarn-metadata.json → ...ood/node_modules/good/.yarn-metadata.json b/...ood/node_modules/good/.yarn-metadata.json → ...ood/node_modules/good/.yarn-metadata.json
diff --git a/__tests__/fixtures/install/install-production/yarn.lock b/__tests__/fixtures/install/install-production/yarn.lock
@@ -5,7 +5,9 @@
 is-array@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/is-array/-/is-array-1.0.1.tgz#e9850cc2cc860c3bc0977e84ccf0dd464584279a"
+  integrity sha1-6YUMwsyGDDvAl36EzPDdRkWEJ5o=
 
 left-pad@^1.1.3:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.3.tgz#612f61c033f3a9e08e939f1caebeea41b6f3199a"
+  integrity sha1-YS9hwDPzqeCOk58crr7qQbbzGZo=
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha1/package.json b/__tests__/fixtures/install/install-update-auth-cached-sha1/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-cached-sha1",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha1/yarn.lock b/__tests__/fixtures/install/install-update-auth-cached-sha1/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha512/package.json b/__tests__/fixtures/install/install-update-auth-cached-sha512/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-cached-sha1",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha512/yarn.lock b/__tests__/fixtures/install/install-update-auth-cached-sha512/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg=="
diff --git a/...af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/...af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
diff --git a/...-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json b/...-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/package.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-invalid-cache-integrity",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/yarn.lock b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
diff --git a/...af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/...af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
diff --git a/...-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json b/...-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/package.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-invalid-cache-integrity",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/yarn.lock b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
diff --git a/...1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/.yarn-metadata.json b/...1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/.yarn-metadata.json
diff --git a/...ffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/package.json b/...ffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/package.json
diff --git a/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/package.json b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "install-update-auth-no-integrity-field",
+  "version": "1.0.0",
+  "main": "index.js",
+  "license": "MIT",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/yarn.lock b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/yarn.lock
@@ -0,0 +1,7 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/package.json b/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-sha512",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/yarn.lock b/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=
diff --git a/...af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/...af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json