agentic/code/frameworks/security-engineering/skills/yarn-release-age-gate/SKILL.md
Configure Yarn's npmMinimalAgeGate (7-day default, 10-day high-sensitivity) for JavaScript projects on Yarn 4.x or later. Includes Corepack detection and lockfile-caveat warning.
Use this skill when a user has chosen Yarn (Berry / v2+, current line
v4.x) as their package manager and wants release-age-gate hardening
parallel to what npm-release-age-gate and pnpm-release-age-gate
provide for their respective ecosystems.
Preconditions:

- Yarn version (check with `yarn --version`)
- `package.json` exists at repo root
- `.yarnrc.yml` exists (or will be created) — Berry's config file

If Yarn is below v4.0, the skill should refuse to proceed:
npmMinimalAgeGate was introduced in v4.0 and earlier Berry versions
(v2.x, v3.x) silently ignore the setting. Yarn Classic (v1.x) does
not support a release-age gate at all — recommend migration to Berry
or to pnpm/npm.
Add the gate to .yarnrc.yml at repo root:
```yaml
# Yarn 4.x release-age gate.
# Uses duration shorthand: 7d, 10d, 14d, 30d.
# Defends against newly-published malicious versions.
npmMinimalAgeGate: 7d
# High-sensitivity profile (use for publish-prep or major version bumps):
# npmMinimalAgeGate: 10d
```
Yarn accepts the value as a duration string (Nd for days, Nh
for hours), which is cleaner than npm's days-as-bare-int and pnpm's
minutes-as-int. Document the chosen value inline.
For CI-only enforcement (e.g., tighter gate in publish workflows than in local dev):
```yaml
# .yarnrc.yml — apply 10d gate when running on CI, 7d locally
npmMinimalAgeGate:
  exclude:
    - pattern: "@your-scope/*" # internal packages — gate doesn't apply
  default: 7d
  override:
    - if: "$YARN_ENABLE_STRICT_AGE_GATE"
      value: 10d
```
Environment-conditional values are a Yarn 4 advantage over npm and pnpm (which require workflow-level wrapping).
The gate is checked at resolution time. If yarn.lock was generated
without the gate, the gate applies on the NEXT resolution pass — not
retroactively.
To apply the gate retroactively:
```sh
# Force re-resolution
rm yarn.lock
yarn install
```
This is destructive to existing pins. Coordinate before running.
Check whether the project pins a Yarn version via Corepack:
```sh
node -p "require('./package.json').packageManager"
```
Output like `yarn@<version>` means Corepack will use that exact version
in CI. If no pin is present, the skill should add one:

```sh
corepack use yarn@stable
# writes packageManager to package.json
```
Genuine emergency overrides:
```sh
# Bypass the gate for a single install (rare)
YARN_NPM_MINIMAL_AGE_GATE=0 yarn add <pkg>
```
Document every override with reason + sunset date. Add the package
to the .yarnrc.yml exclude list if the bypass needs to persist
across installs.
Add a verification step to the publish/build workflow:
```yaml
- name: Verify Yarn gate active
  run: |
    set -euo pipefail
    # Reads the effective value, so env/CI overrides are visible here too.
    GATE=$(yarn config get npmMinimalAgeGate 2>/dev/null || echo "")
    # An empty value is not the only failure: a zero-duration override
    # (e.g. YARN_NPM_MINIMAL_AGE_GATE=0) also disables the gate.
    case "$GATE" in
      ""|null|undefined|0|0d|0h)
        echo "✗ Yarn npmMinimalAgeGate is unset or disabled (got '${GATE:-<empty>}')"
        exit 1
        ;;
    esac
    echo "✓ Yarn npmMinimalAgeGate = $GATE"
```
Audit checklist:

- `.yarnrc.yml` for `npmMinimalAgeGate`
- `package.json` `packageManager` field for the Corepack pin
- `yarn.lock` was generated AFTER the gate was committed

When auditing an existing Yarn project, produce a structured report
at .aiwg/security/working/yarn-release-age-audit.md:
```markdown
# Yarn Release-Age Gate Audit
**Yarn version**: <version> (Corepack pinned: yes/no)
**Gate active**: yes (7d) / yes (10d) / yes (custom: <value>) / no
**Exclude list**: <list of excluded packages>
## Findings
### <severity> — <description>
- File: <path>
- Issue: <what's wrong>
- Fix: <exact change>
## Clean Checks
- ...
## Recommendations
- ...
```
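The audit checklist above (gate present in `.yarnrc.yml`, Corepack pin in `package.json`, duration shorthand parsed as Nd/Nh) can be run offline against the two config files. The following is an added example written for this page, not code from the skill or from Yarn: it handles only the top-level scalar `npmMinimalAgeGate: <Nd|Nh>` form with a regex rather than a YAML parser (the exclude/override form is reported as unset so a human reviews it), the severities and the 7d baseline are this example's assumptions, the sample `.yarnrc.yml` and `package.json` are constructed, and the `yarn.lock`-ordering check is omitted because it needs git history.

```python
"""Offline audit of a Yarn Berry project's release-age gate (added example).

Reads .yarnrc.yml and package.json as text so it runs without Yarn installed.
Assumptions: scalar `npmMinimalAgeGate: <Nd|Nh>` at top level, Corepack pins of
the form yarn@<major>.<minor>.<patch>, and the skill's 7d baseline.
"""
import json
import re

DURATION_RE = re.compile(r"^(\d+)([dh])$")
# Corepack pin as written by `corepack use yarn@stable`.
PKG_MANAGER_RE = re.compile(r"^yarn@(\d+)\.(\d+)\.(\d+)")
# Top-level scalar setting; a commented-out line (leading '#') does not match.
GATE_RE = re.compile(
    r"^npmMinimalAgeGate:[ \t]*[\"']?(\d+[dh])[\"']?[ \t]*(?:#.*)?$", re.MULTILINE)

BASELINE_HOURS = 7 * 24  # the skill's default profile (assumed threshold)


def duration_to_hours(value):
    """Convert Yarn duration shorthand (7d, 36h) to hours; None if malformed."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return n * 24 if unit == "d" else n


def corepack_pin(package_json_text):
    """Return the pinned Yarn version as (major, minor, patch), or None."""
    try:
        pm = json.loads(package_json_text).get("packageManager", "")
    except (json.JSONDecodeError, AttributeError):
        return None
    m = PKG_MANAGER_RE.match(pm)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(yarnrc_text, package_json_text, baseline_hours=BASELINE_HOURS):
    """Return gate state plus (severity, file, issue, fix) findings."""
    findings = []

    pin = corepack_pin(package_json_text)
    if pin is None:
        findings.append(("MEDIUM", "package.json",
                         "no Corepack packageManager pin; CI may resolve a different Yarn",
                         "run `corepack use yarn@stable` and commit package.json"))
    elif pin[0] < 4:
        findings.append(("HIGH", "package.json",
                         "pinned Yarn %d.%d.%d ignores npmMinimalAgeGate" % pin,
                         "move the pin to a Yarn 4.x release"))

    m = GATE_RE.search(yarnrc_text)
    gate = m.group(1) if m else None
    hours = duration_to_hours(gate) if gate else None
    if hours is None:
        findings.append(("HIGH", ".yarnrc.yml",
                         "npmMinimalAgeGate is unset (or not a plain Nd/Nh value)",
                         "add `npmMinimalAgeGate: 7d` at top level"))
    elif hours == 0:
        # A zero duration is the same as no gate, so it is not a "weak" setting.
        findings.append(("HIGH", ".yarnrc.yml",
                         "npmMinimalAgeGate is %s, which disables the gate" % gate,
                         "set it to 7d (or 10d for high-sensitivity)"))
    elif hours < baseline_hours:
        findings.append(("MEDIUM", ".yarnrc.yml",
                         "npmMinimalAgeGate is %s, below the %dd baseline"
                         % (gate, baseline_hours // 24),
                         "raise it to %dd" % (baseline_hours // 24)))

    return {"gate": gate, "gate_hours": hours, "corepack_pin": pin,
            "findings": findings}


def render_report(result):
    """Render the audit in the skill's report layout (exclude list omitted)."""
    gate, hours = result["gate"], result["gate_hours"]
    if not hours:
        gate_line = "no"
    elif gate in ("7d", "10d"):
        gate_line = "yes (%s)" % gate
    else:
        gate_line = "yes (custom: %s)" % gate
    pin = result["corepack_pin"]
    lines = [
        "# Yarn Release-Age Gate Audit",
        "**Yarn version**: %s (Corepack pinned: %s)" % (
            ".".join(map(str, pin)) if pin else "<unknown>", "yes" if pin else "no"),
        "**Gate active**: " + gate_line,
        "## Findings",
    ]
    for sev, path, issue, fix in result["findings"]:
        lines += ["### %s - %s" % (sev, issue), "- File: " + path,
                  "- Issue: " + issue, "- Fix: " + fix]
    if not result["findings"]:
        lines.append("- none")
    return "\n".join(lines)


# Constructed sample inputs (not from any real project).
SAMPLE_YARNRC = ("# npmMinimalAgeGate: 10d\n"
                 "npmMinimalAgeGate: 7d  # baseline profile\n"
                 "nodeLinker: node-modules\n")
SAMPLE_PACKAGE_JSON = '{"name": "demo", "packageManager": "yarn@4.1.0"}'

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_YARNRC, SAMPLE_PACKAGE_JSON)))
```

Run it in a checkout after replacing the constructed samples with `open(".yarnrc.yml").read()` and `open("package.json").read()`; the returned findings tuples map one-to-one onto the File/Issue/Fix entries of the report template, and a zero-duration value is deliberately graded as HIGH rather than "below baseline" because it has the same effect as the emergency override.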
Related skills:

- npm-release-age-gate skill — npm equivalent
- pnpm-release-age-gate skill — pnpm equivalent
- bun-release-age-gate skill — Bun equivalent
- npm-supply-chain-audit skill — companion audit
- supply-chain-hardening-quickstart skill — orchestrator

Reference: npmMinimalAgeGate: https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate