Migrate to modern Yarn 4.x or remove

[ms-ati]

Problem

Yarn v1 is included in the docker-node images, however it is receiving only limited security updates and the guidance has been to migrate to modern Yarn since 2020.

Especially for smaller images like Alpine, this dependency contributes to the size of the base, but seems unlikely to be used widely.

Solution

Remove the installation of Yarn v1 from the docker-node base images. Document best ways to then add Yarn v1 if needed.

Alternatives to Consider

1. Take an ARG to the base image which chooses a Yarn version to isntall
2. Add a docker variant no-yarn which does not contain yarn, but continue to install on other variants
3. Continue as-is installing Yarn 1.22 on all docker-node images

[MikeMcC399]

@ms-ati

Yarn Classic v1 is a bit of an anomaly! As you say, it's unsupported, however it has not been declared end-of-life and download numbers are still increasing.

• See Lifecycle planning / end-of-life? yarnpkg/yarn#9062

I assume that the complexity of migrating from Yarn Classic v1 to Yarn Modern with pnp and Corepack technologies have been a barrier.

At this time probably continuing "as-is" is the right decision.

[mkesper]

PLEASE add at least an argument for the YARN version. I'm right now copying the whole base Dockerfile into my repo to evade the absolute nightmare of not being able to override the "global package manager definition". Corepack is absolutely no help here at all as it always defaults to the preinstalled yarn1.22.22.

[MikeMcC399]

@mkesper

Which version of Yarn do you want to use and which Docker Node.js version are you using? I would expect the version of Yarn Modern to be in the package.json file in the packageManager field, for example:

  "packageManager": "yarn@4.9.2+sha512.1fc009bc09d13cfd0e19efa44cbfc2b9cf6ca61482725eb35bbc5e257e093ebf4130db6dfe15d604ff4b79efd8e1e8e99b25fa7d0a6197c9f9826358d4d65c3c"

That would get picked up if you have the following in your Dockerfile:

RUN corepack enable yarn