[2022-10-20]: Dependabot updates for Yarn v3 - [GA] (#31471)

Co-authored-by: Jurre <jurre@github.com>
Anne-Marie 2022-10-20 18:24:05 +02:00 committed by GitHub
Parent 58d7e10dd7
Commit 0e03452f9c
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
3 changed files: 15 additions and 2 deletions

View file

@ -860,7 +860,7 @@ registries:
The `npm-registry` type supports username and password, or token.
When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.
When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.
{% raw %}
```yaml
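Review bot: The `.npmrc` sentence appears twice in this hunk with no visible difference, so the change looks whitespace-only and unrelated to the Yarn update. Confirm it is intentional, or drop it from this commit to keep the diff focused.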
@ -882,6 +882,8 @@ registries:
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}
{% ifversion dependabot-yarn-v3-update %}
For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation.{% endif %}
### `nuget-feed`
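Review bot: The added `.yarnrc.yml` paragraph offers `${ENV_VAR-fallback}` and `${ENV_VAR:-fallback}` as alternatives without saying how they differ or what the fallback value will be used for. Because the same paragraph states that Dependabot does not set environment variables, the fallback is the value every Dependabot run will see; say so explicitly, and note that the fallback should be a harmless placeholder rather than a real credential, with registry authentication supplied through the `registries` block documented above. Also consider moving `{% endif %}` onto its own line to mirror the opening `{% ifversion dependabot-yarn-v3-update %}`.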

View file

@ -0,0 +1,7 @@
# Reference: issue #8323
# Updating supported versions of yarn
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.8'
ghae: '>= 3.8'
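Review bot: The version ranges in this new feature file are spaced inconsistently: `ghes: '>=3.8'` has no space after the operator while `ghae: '>= 3.8'` does. Pick one form for both. The header comment also cites issue #8323 without naming the repository, which makes the reference hard to follow from this file alone.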

View file

@ -25,7 +25,8 @@ pip-compile | `pip` | 6.1.0 | | **✓** | |
poetry | `pip` | v1 | | **✓** | |{% ifversion fpt or ghec or ghes > 3.4 %}
pub | `pub` | v2 <sup>[4]</sup> | | | |{% endif %}
Terraform | `terraform` | >= 0.13, <= 1.2.x | **✓** | **✓** | |
yarn | `npm` | v1 | **✓** | **✓** | |
{% ifversion dependabot-yarn-v3-update %}yarn | `npm` | v1, v2, v3 | **✓** | **✓** | **✓**<sup>[5]</sup> |{% else %}yarn | `npm` | v1 | **✓** | **✓** | |
{% endif %}
{% tip %}
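Review bot: The `{% else %}` branch on the new yarn row repeats the old `v1` row verbatim, so the row now lives in two places that can drift apart. The tag placement (opening `{% ifversion %}` at the start of the row, `{% endif %}` on its own line) also differs from the `pub` row just above, where the tags sit at the ends of the neighbouring rows. Check the rendered table for a stray blank line that would split it, and consider matching the `pub` pattern.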
@ -47,3 +48,6 @@ yarn | `npm` | v1 | **✓** | **✓** | |
For information about configuring your _dependabot.yml_ file for `pub`, see "[Enabling support for beta-level ecosystems](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#enable-beta-ecosystems)."
{%- else %}{% data variables.product.prodname_dependabot %} won't perform an update for `pub` when the version that it tries to update to is ignored, even if an earlier version is available.{% endif %}
{% endif %}
{% ifversion dependabot-yarn-v3-update %}
[5] Dependabot supports vendored dependencies for v2 onwards.{% endif %}
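Review bot: Footnote [5] spells out "Dependabot" while the surrounding text in this file uses `{% data variables.product.prodname_dependabot %}`; use the variable for consistency. The footnote also says "for v2 onwards" without naming Yarn, so wording such as "Yarn v2 and later" would be clearer when the footnote is read away from the table row.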