AWS Security ChangesHomeSearch

AWS codeartifact medium security documentation change

Service: codeartifact · 2026-07-10 · Security-related medium

File: codeartifact/latest/ug/npm-yarn.md

Summary

Added note about authentication requirement for unscoped packages with Yarn

Security assessment

Documents authentication failure scenario (401 errors) that could expose dependency management vulnerabilities. Explicitly addresses security misconfiguration.

Diff

diff --git a/codeartifact/latest/ug/npm-yarn.md b/codeartifact/latest/ug/npm-yarn.md
index ee103984b..5f756309e 100644
--- a//codeartifact/latest/ug/npm-yarn.md
+++ b//codeartifact/latest/ug/npm-yarn.md
@@ -56 +56,5 @@ The default authorization period after calling `login` is 12 hours, and `login`
-  4. **For npm 7.X and 8.X** , you must add `always-auth=true` to your ~/.npmrc file to use Yarn.
+  4. **For npm 7 and higher** , you must add `always-auth=true` to your ~/.npmrc file to use Yarn.
+
+###### Note
+
+Without `always-auth=true`, Yarn 1.X only sends authentication credentials for scoped package requests (for example, `@scope/package`). Requests for unscoped packages (for example, `lodash`) will fail with a 401 Unauthenticated error because Yarn does not include the authorization header.