Use npm instead to install yarn

[alnorris]

Seems a lot less verbose to just use npm to upgrade to yarn.

[SimenB]

@Daniel15 thoughts on this?

[chorrell]

They specifically recommend against it:

Installation of Yarn via npm is generally not recommended. When installing Yarn with Node-based package managers, the package is not signed, and the only integrity check performed is a basic SHA1 hash, which is a security risk when installing system-wide apps.

For these reasons, it is highly recommended that you install Yarn through the installation method best suited to your operating system.

Via https://yarnpkg.com/en/docs/install#alternatives-stable

The fact that it's not signed is a non-starter and it goes against the guidelines we follow: https://github.com/docker-library/official-images#security

[Daniel15]

I agree that this should not be recommended, particularly in a "best practices" document. This also assumes you have npm installed, which might not always be the case - maybe one day you'll have a Docker image where you only have Node.js and Yarn, without npm. Yarn doesn't actually require npm to be installed.

[SimenB]

Yarn doesn't actually require npm to be installed.

Yarn requires node-gyp from npm, though

[SimenB]

But I think we'll close this. A better upgrade story is hopefully incoming, see #524.

Thanks for the PR!

[Daniel15]

Yarn requires node-gyp from npm, though

Only if:

1. You use packages with native components that aren't available in a precompiled version (node-pre-gyp)
2. The package does not explicitly have a dependency on node-gyp

Ideally packages that use node-gyp should have a dependency on it, and many already do (see https://www.npmjs.com/browse/depended/node-gyp). This avoids the reliance on a global node-gyp installation.