Comparing changes
base repository: yarnpkg/berry
base: @yarnpkg/cli/4.9.4
head repository: yarnpkg/berry
compare: @yarnpkg/cli/4.10.0
- 10 commits
- 130 files changed
- 6 contributors
Commits on Aug 26, 2025
Commit f6a58c2
Commits on Sep 5, 2025
Bumps TypeScript to 5.9 (#6889)

## What's the problem this PR addresses?

I'm looking at migrating to TypeScript-go whenever it supports PnP; to that end we first need to upgrade to the latest stable TypeScript releases.

## How did you fix it?

Mostly just a matter of upgrading `@types/node` and updating the various types in FakeFS that got changed.

## Checklist

- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.

Commit 794f94b
Commits on Sep 8, 2025
Updates tests for the merge conflict resolution v5 (#6892)

## What's the problem this PR addresses?

This PR updates the tests to account for changes in the v5+ releases, which will use `--theirs` as merge conflict resolution strategy to fix bugs in which users could end up erasing changes from the upstream branch when merging their own changes (due to us trying to override existing ranges).

## Checklist

- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.

Commit e22562a
Commits on Sep 17, 2025
Commit c586673

## What's the problem this PR addresses?

Our tests weren't covering the default configuration, when `supportedArchitectures` wasn't set. This is fixed by adding new `YARN_CPU_OVERRIDE` and `YARN_OS_OVERRIDE` test variables.

Commit 8116cd6

docs: fix typo in enableScripts JSON schema key name (#6887)

## What's the problem this PR addresses?

In the JSON schema for Yarn configuration, the `enableScripts` property contained a typo: the key `"title"` was misspelled as `"titke"`. This caused the documentation generator to not correctly display the title for this setting.

## How did you fix it?

I corrected the typo by changing the key from `"titke"` to `"title"` in the `enableScripts` schema entry. This ensures that documentation tools recognize and display the title properly.

| Before | After |
|:------:|:-----:|
| <img width="1188" height="237" alt="Screenshot 2025-08-31 PM 7 50 58" src="https://github.com/user-attachments/assets/c22d0b80-b9d6-416d-95a2-01112abe9a08" /> | <img width="1190" height="294" alt="Screenshot 2025-08-31 PM 7 50 49" src="https://github.com/user-attachments/assets/9441ccdc-071e-4f07-a8a6-a442c8659869" /> |

## Checklist

- [X] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [ ] I have set the packages that need to be released for my changes to be effective.
- [ ] I will check that all automated PR checks pass before the PR gets reviewed.

Commit 58f1b57

## What's the problem this PR addresses?

Resolves: #6400 by implementing basic support for using catalog

This PR implements catalog via the project configuration `yarnrc.yml`. We are opting for it instead of `package.json` to prevent adding complexity in situations where catalogs with the same name could be implemented at different scopes. Named catalogs should be able to address most of use cases.

## How did you fix it?

- Adds support for base catalog and named catalogs by:
  - Implements a new plugin-catalog that hooks into `reduceDependency` and replaces catalog ranges with the ones defined in a catalog
  - Hooks into `beforeWorkspacePacking` replacing catalogs with actual ranges before packing
- Adds relevant unit and integration tests

## QA Instructions

- Edit and play with the catalog definition on `.yarnrc.yml` and run `yarn` to see error scenarios (by removing entries or naming them incorrectly), changing versions, etc.

  https://github.com/user-attachments/assets/29decd4f-d6a1-4a5e-b8d4-811e3730df2c

- When running `yarn pack`, the resulting package should have no references to `catalog:` on package.json files.

## Checklist

- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.

---------

Co-authored-by: Maël Nison <[email protected]>

Commit 2a23347
Commits on Sep 18, 2025
feat: implement `npmMinimalAgeGate` and `npmPreapprovedPackages` config options (#6901)

## What's the problem this PR addresses?

closes #6899.

See rationale in pnpm/pnpm#9921 and pnpm/pnpm#9957, but the tl;dr is that with the recent uptick in compromised npm packages, this can offer some level of protection to prevent end-users from installing malware prior to detection and removal from registries.

There are a few differences from the pnpm implementation. I felt these differences made sense with some of the other features `yarn` supports, but I also understand the desire for parity between package managers, so open to thoughts there.

1. `npm` added in the option names (`npmMinimumReleaseAge` versus `minimumReleaseAge`). Since yarn implements many resolvers and this is only implemented in the case of the npm resolver, I felt that this made the behavior of the options more clear.
2. `npmMinimumReleaseAgeExclude` supports not only package names like pnpm's implementation, but it also supports:
   - exact match on package locators (i.e. exact package resolutions -- like `@aws-sdk/[email protected]` or `@aws-sdk/types@npm:3.877.0`)
   - micromatch glob patterns on package descriptors (i.e. semver descriptors -- like `@aws-sdk/types@^3.0.0`, `@aws-sdk/types@npm:^3.0.0`, `@aws-sdk/types@*` or `@aws-sdk/*`)

The rationale here is mostly in the case that you know certain package versions that are affected (e.g. `[email protected]`) or if you need to upgrade to an excluded version, but it's part of a monorepo -- that's where the micromatch glob comes in handy.

## How did you fix it?

I added the options and checked for them within the NPM semver resolver when evaluating candidates. I'm new to this codebase -- I think I've made all the updates needed and was able to test some scenarios successfully (see below).

### Testing manually

<spoiler>
<details>

I used `@aws-sdk/[email protected]` to test. At the time of writing, this package was published 7742 minutes ago, which is less than 10000 minutes (used in configurations below).

#### `yarn add @aws-sdk/[email protected]` fails ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
```

install command

```bash
❯ yarn add @aws-sdk/[email protected]
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0082: │ @aws-sdk/types@npm:3.887.0: No candidates found
➤ YN0000: └ Completed
➤ YN0000: · Failed with errors in 0s 11ms
```

#### `yarn add @aws-sdk/types@^3.0.0` resolves prior version ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
```

install command

```bash
❯ yarn add @aws-sdk/types@^3.0.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.862.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 237ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 271ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.862.0 (via npm:^3.0.0)
```

#### `yarn add @aws-sdk/types@^3.0.0` resolves most recent version with package exclude = `@aws-sdk/types` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/types"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.0.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.887.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 237ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 265ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.887.0 (via npm:^3.0.0)
```

#### `yarn add @aws-sdk/types@^3.0.0` resolves most recent version with package exclude = `@aws-sdk/*` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/*"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.0.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.887.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 205ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 232ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.887.0 (via npm:^3.0.0)
```

#### `yarn add @aws-sdk/types@^3.0.0` resolves most recent version with package exclude = `@aws-sdk/[email protected]` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/[email protected]"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.0.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.887.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 292ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 324ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.887.0 (via npm:^3.0.0)
```

#### `yarn add @aws-sdk/types@^3.0.0` resolves most recent version with package exclude = `@aws-sdk/types@^3.0.0` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/types@^3.0.0"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.0.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.887.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 248ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 278ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.887.0 (via npm:^3.0.0)
```

#### `yarn add @aws-sdk/types@^3.5.0` resolves prior version with package exclude = `@aws-sdk/types@^3.0.0` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/types@^3.0.0"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.5.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.862.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 219ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 256ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.862.0 (via npm:^3.5.0)
```

#### `yarn add @aws-sdk/types@^3.5.0` resolves prior version with package exclude = `@aws-sdk/types@npm:^3.0.0` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/types@npm:^3.0.0"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.5.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.862.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 223ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.862.0 (via npm:^3.5.0)
```

#### `yarn add @aws-sdk/types@^3.0.0` resolves most recent version with package exclude = `@aws-sdk/types@npm:^3.0.0` ✅

`.yarnrc.yml`

```yaml
npmMinimumReleaseAge: 10000
npmMinimumReleaseAgeExclude:
  - "@aws-sdk/types@npm:^3.0.0"
```

install command - installs `@aws-sdk/[email protected]` ✅

```bash
❯ yarn add @aws-sdk/types@^3.0.0
➤ YN0000: · Yarn 4.9.4-git.20250917.hash-a05df867e
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-sdk/types@npm:3.887.0, @smithy/types@npm:4.5.0, tslib@npm:2.8.1
➤ YN0000: └ Completed in 0s 239ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed
➤ YN0000: · Done in 0s 269ms

❯ yarn why @aws-sdk/types
└─ test-yarn-project@workspace:.
   └─ @aws-sdk/types@npm:3.887.0 (via npm:^3.0.0)
```

</details>
</spoiler>

## Checklist

- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.

---------

Co-authored-by: Maël Nison <[email protected]>

Commit 8e84598

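The age gate described in the commit message above, modelled as an added example (not Yarn's code and not part of the commit). The `registry` data, the fixed `NOW`, and the names `resolve`, `minimumAgeMinutes` and `exclude` are assumptions made for illustration; range matching is reduced to `*`, exact versions and `^x.y.z`, and a `*`-only glob stands in for micromatch.

```javascript
// Added illustration only; not Yarn's code. All data below is constructed.
const MINUTE = 60 * 1000;
const NOW = Date.parse("2025-09-17T12:00:00Z"); // fixed "current time" for the demo

// Constructed stand-in for the per-version publish times a registry reports.
const registry = {
  "@aws-sdk/types": {
    "3.862.0": "2025-08-07T19:00:00Z", // well past a 10000-minute gate
    "3.887.0": "2025-09-12T03:00:00Z", // 7740 minutes before NOW
  },
};

const parse = (v) => v.split(".").map(Number);
const compare = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Simplified range check: "*", an exact version, or "^x.y.z" with x > 0.
function satisfies(version, range) {
  if (range === "*") return true;
  if (!range.startsWith("^")) return version === range;
  const min = range.slice(1);
  return parse(version)[0] === parse(min)[0] && compare(version, min) >= 0;
}

// "*"-only glob standing in for micromatch.
function globMatch(pattern, text) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`).test(text);
}

// Returns the highest version that satisfies the range and passes the gate, or null.
function resolve(name, range, { minimumAgeMinutes = 0, exclude = [] } = {}) {
  const requested = [name, `${name}@${range}`, `${name}@npm:${range}`];
  // Name or descriptor exclusions exempt every candidate of this request.
  const exemptRequest = exclude.some((p) => requested.some((t) => globMatch(p, t)));
  const times = registry[name] || {};
  const passing = Object.keys(times)
    .filter((v) => satisfies(v, range))
    .filter((v) => {
      // Locator exclusions exempt one exact resolution.
      const locators = [`${name}@${v}`, `${name}@npm:${v}`];
      if (exemptRequest || exclude.some((p) => locators.includes(p))) return true;
      return NOW - Date.parse(times[v]) >= minimumAgeMinutes * MINUTE;
    })
    .sort(compare);
  return passing.length ? passing[passing.length - 1] : null;
}
```

In this model a name or glob entry switches the gate off for every version of the matching packages, while a descriptor entry applies only when the requested range is written exactly as the entry is, so the narrowest entry that unblocks an upgrade leaves the most protection in place.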
feat: support OIDC auth for GitHub Actions/GitLab (#6898)

## What's the problem this PR addresses?

Resolves #6831

## How did you fix it?

Implementation adapted from https://github.com/npm/cli/blob/7d900c4656cfffc8cca93240c6cda4b441fbbfaa/lib/utils/oidc.js

- [x] ~~I'll test publishing with a dummy package.~~ Tested at https://github.com/cometkim/npgi/actions/runs/17703091184/job/50311171040

You can check the published package and the provenance here: https://www.npmjs.com/package/npgi

~~Note: it doesn't work with the Yarn registry proxy, so it requires setting `publishConfig.registry` to `"https://registry.npmjs.org"`~~ Fixed.

## Checklist

- [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).
- [x] I have set the packages that need to be released for my changes to be effective.
- [x] I will check that all automated PR checks pass before the PR gets reviewed.

---------

Co-authored-by: Maël Nison <[email protected]>

Commit 0964654

| Package name | Version |
| --- | --- |
| `@yarnpkg/cli` | `4.10.0` |
| `@yarnpkg/plugin-npm` | `3.3.0` |
| `@yarnpkg/core` | `4.4.4` |
| `@yarnpkg/plugin-essentials` | `4.4.4` |
| `@yarnpkg/pnp` | `4.1.2` |
| `@yarnpkg/plugin-npm-cli` | `4.3.0` |
| `@yarnpkg/builder` | `4.2.3` |
| `@yarnpkg/doctor` | `4.0.5` |
| `@yarnpkg/eslint-config` | `3.1.0` |
| `@yarnpkg/fslib` | `3.1.3` |
| `@yarnpkg/libzip` | `3.2.2` |
| `@yarnpkg/plugin-nm` | `4.0.8` |
| `@yarnpkg/plugin-pnp` | `4.1.2` |
| `@yarnpkg/pnpify` | `4.1.6` |
| `@yarnpkg/plugin-catalog` | `1.0.0` |
| `@yarnpkg/plugin-pack` | `4.0.3` |

Commit 2eb9830
You can try running this command locally to see the comparison on your machine:
git diff @yarnpkg/cli/4.9.4...@yarnpkg/cli/4.10.0