Problem/Motivation

Drupal's JavaScript dependencies are listed in core/package.json, but they are also committed to the repository. package.json is only needed by core developers who want to change dependencies, or developers who want to install the same versions of linting tools that are used by core.

I don't see why we should ship package.json with drupal/core. One reason to explicitly not ship this file is that vulnerability scanners often pick up problems with insecure dependencies, but the dependencies often aren't used or even available at runtime.

We don't ship a composer.lock with drupal/core, so why do we ship a yarn.lock there?

Steps to reproduce

Proposed resolution

Move package.json and yarn.lock to the repository root.

Remaining tasks

Decide what to do with ESLint/Stylelint/CSpell and their configuration files.

Figure out if there are any other problems with doing this.

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

longwave created an issue.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.