Cloudflare security incident and impact on Yarn users

Posted Feb 24, 2017 by Sebastian McKenzie

Yarn uses its own proxy to the npm registry in order to allow us to experiment with the way the Yarn client works and allow optimizations in the future around how packages are resolved. This registry is used by all Yarn users by default.

In order to do this we use the popular service, Cloudflare, which is used by thousands of companies and who had offered to work with us to make Yarn installs faster globally.

Recently it was reported that Cloudflare had a serious bug that was leading to requests from other websites being leaked into HTTP responses.

When it comes to registry authentication, the Yarn client differs from the npm client in that when we perform authentication we do not store the resulting token and invalidate it after it’s used.

However, Yarn still allows you to login with your npm account to perform actions such as publishing and downloading private packages. Out of the 70 million requests performed daily we only get 10-30 requests that involve registry authentication. This means that for these requests there was the possibility of user passwords being leaked.

Since the Cloudflare announcement we’ve been in contact and have been assured that Yarn has not been affected and no Yarn users data has been leaked. Even with this assurance we’d recommend that if you’re one of those 30 people a day using Yarn for registry authentication that you reset your password as a precautionary measure.

As a result of this we’re evaluating our security policy and have created a new email address security@yarnpkg.com that can be used to report security vulnerabilities without going through the public issue tracker. We’re also in the process of setting up a HackerOne account and will make an announcement when this is available.

We’d like to apologize for this disruption and want to reaffirm our commitment to security and transparency in cases like these.