Bug
Resolution: Unresolved
4.22.0
As part of the Artifact Registry project, Product Security and Secure Flow conducted an audit of package managers used in Red Hat builds. You are receiving this message because your product has been identified as currently using Yarn Classic (v1) for Node.js content installation.
Migration from Yarn Classic to Yarn v4 or NPM is required by end of Q1 2026
Why is this migration necessary?
Close to End of Life: Yarn Classic entered maintenance mode in January 2020. It currently receives only critical and security fixes, with no new feature development.
Konflux Hermetic Support: Supporting Yarn Classic in Konflux Hermetic generates significant maintenance overhead and technical friction.
Supply Chain Security: Phasing out Yarn Classic will allow Red Hat to accelerate improvements to our company's overall supply chain security.
Policy Considerations
The Red Hat portfolio must be built hermetically, using content from the central Artifact Registry, as defined in the Red Hat build and release standard:
PSS.SBR.02.03
PSS.SBR.02.04
Yarn v1 is not in scope of the Artifact Registry project for the reasons above, so continued use of Yarn v1 violates two Red Hat build and release standard requirements.
What do you need to do?
Please prioritize this migration in your upcoming sprints. You can find the official migration guide from the Yarn ecosystem here: https://yarnpkg.com/migration/overview
Need help? Contact [Product Security / Secure Flow team / Slack channel] for migration assistance.
Thank you for your cooperation in making our build environment more secure and efficient.
Best regards,
is cloned by: OCPBUGS-74424 Migration from Yarn Classic (v1) to NPM - POST