[2022-10-20]: Dependabot updates for Yarn v3 - [GA] (github#31471)

am-stead · jurre · web-flow · commit 0e03452f9c9e · 2022-10-20T16:24:05.000Z
Co-authored-by: Jurre &lt;jurre@github.com&gt;
diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md
@@ -860,7 +860,7 @@ registries:
 
 The `npm-registry` type supports username and password, or token.
 
-When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.
+When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password. 
 
 {% raw %}
 ```yaml
@@ -882,6 +882,8 @@ registries:
     token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
 ```
 {% endraw %}
+{% ifversion dependabot-yarn-v3-update %}
+For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation.{% endif %}
 
 ### `nuget-feed`
 
diff --git a/data/features/dependabot-yarn-v3-update.yml b/data/features/dependabot-yarn-v3-update.yml
@@ -0,0 +1,7 @@
+# Reference: issue  #8323
+# Updating supported versions of yarn
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.8'
+  ghae: '>= 3.8'
diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md
@@ -25,7 +25,8 @@ pip-compile    | `pip`            | 6.1.0            | | **✓** | |
 poetry         | `pip`            | v1               | | **✓** | |{% ifversion fpt or ghec or ghes > 3.4 %}
 pub            | `pub`            | v2 <sup>[4]</sup> | | | |{% endif %}
 Terraform      | `terraform`      | >= 0.13, <= 1.2.x  | **✓** | **✓** | |
-yarn           | `npm`            | v1               | **✓** | **✓** | |
+{% ifversion dependabot-yarn-v3-update %}yarn           | `npm`            | v1, v2, v3       | **✓** | **✓** | **✓**<sup>[5]</sup> |{% else %}yarn           | `npm`            | v1               | **✓** | **✓** |  |
+{% endif %}
 
 {% tip %}
 
@@ -47,3 +48,6 @@ yarn           | `npm`            | v1               | **✓** | **✓** | |
    For information about configuring your _dependabot.yml_ file for `pub`, see "[Enabling support for beta-level ecosystems](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#enable-beta-ecosystems)."
    {%- else %}{% data variables.product.prodname_dependabot %} won't perform an update for `pub` when the version that it tries to update to is ignored, even if an earlier version is available.{% endif %}
 {% endif %} 
+
+{% ifversion dependabot-yarn-v3-update %}
+[5] Dependabot supports vendored dependencies for v2 onwards.{% endif %}
