yarn

Runtime · Build tool · standard · v1

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Node base with Yarn preinstalled. Use it as the build stage for Yarn projects. Lines 1 (classic) and 4 (berry).

Image

ghcr.io/quenchworks/images/yarn:1

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

59.9 MB

SBOM packages

190

Last rebuilt

2026-06-12

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/yarn:1

Or pull it directly

docker pull ghcr.io/quenchworks/images/yarn:1

Version line: 1
Latest line: 1
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: BSD-2-Clause

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/yarn:1 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/yarn:1 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/yarn:1 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Node app → Image source

Best-practice Dockerfile for 1

Yarn Classic leads: preinstalled on the yarn base, it installs the production-only dependency set and builds, then a clean node base receives only the prod node_modules and the built output.

ghcr.io/quenchworks/images/yarn:1 59.9 MB rebuilt 3 days ago 190 SBOM pkgs

1
# Build stage: Yarn (Classic) installs the full set and builds.
2
FROM ghcr.io/quenchworks/images/yarn:1 AS build
3
USER root
4
WORKDIR /app
5
ENV YARN_CACHE_FOLDER=/tmp/yarn
6

7
COPY package.json yarn.lock ./
8
RUN ["yarn", "install", "--frozen-lockfile"]
9
COPY . .
10
RUN ["yarn", "build"]
11

12
# Prod-deps stage: a clean install of production dependencies only.
13
FROM ghcr.io/quenchworks/images/yarn:1 AS prod-deps
14
USER root
15
WORKDIR /app
16
ENV YARN_CACHE_FOLDER=/tmp/yarn
17
COPY package.json yarn.lock ./
18
RUN ["yarn", "install", "--frozen-lockfile", "--production"]
19

20
# Runtime stage: prod node_modules + built dist on a slim node base, nonroot.
21
FROM ghcr.io/quenchworks/images/node:24 AS runtime
22
WORKDIR /app
23
ENV NODE_ENV=production
24
COPY --from=prod-deps /app/node_modules ./node_modules
25
COPY --from=build /app/dist ./dist
26
COPY --from=build /app/package.json ./package.json
27
USER 1001
28
EXPOSE 3000
29
CMD ["node", "dist/server.js"]

This Dockerfile is pinned to the 1 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Node app guide.

Upstream project: https://yarnpkg.com