Takumi Guard: Yarn v1 Lockfile Behavior Change for Reliable Package Blocking

Deividas Turskis
Software Engineer @ GMO Flatt Security Inc.

Takumi Guard now handles requests from Yarn clients differently to ensure package blocking works reliably regardless of Yarn version. Yarn v1 users will see Takumi Guard's registry URL in their yarn.lock files.

Overview

To ensure that blocked packages remain blocked across all Yarn versions, Takumi Guard now rewrites the tarball URLs in the package metadata it serves to Yarn clients so that they point back at Takumi Guard rather than at the upstream registry. Yarn v1 records that tarball URL in the resolved field of yarn.lock and fetches from it on later installs; if the recorded URL pointed at the upstream registry, a later install would download the tarball directly from upstream, and a package flagged by your organization's policies could be installed without Takumi Guard ever seeing the request. Serving guard-owned URLs closes that lockfile-based bypass.

What Changes

Yarn v1

After this change, the resolved field of each yarn.lock entry will contain Takumi Guard's registry URL instead of the upstream registry URL. This is expected behavior and cannot be avoided: Yarn v1 fetches tarballs from the URL recorded in the lockfile, so that URL must point at Takumi Guard for blocking to be enforced on every install, not only on the first resolution. Note that entries written before this change keep the upstream URL they recorded until they are re-resolved, so an older lockfile can still contain entries that bypass Takumi Guard.
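The practical check that follows from this is to audit a Yarn v1 lockfile for resolved URLs whose host is not Takumi Guard, since each such entry is a tarball that Yarn would fetch without the proxy in the path. The script below is an added example, not Takumi Guard's own code. The guard hostname registry.takumi-guard.example is an assumed placeholder (substitute your own registry URL's host), and the embedded yarn.lock text is a constructed sample whose integrity values are placeholders. It also handles the scoped-package and multi-spec header forms that Yarn v1 writes, which go beyond the single entry shape discussed above.

```javascript
// Added example (not Takumi Guard's own code): audit a Yarn v1 lockfile for
// "resolved" URLs that would make Yarn fetch a tarball directly from an
// upstream registry instead of through the Takumi Guard proxy.

// ASSUMED placeholder hostname; replace with the host of your Takumi Guard registry URL.
const GUARD_HOST = "registry.takumi-guard.example";

// Constructed sample yarn.lock (Yarn v1 format). Two entries already point at the
// guard; the lodash entry still carries the upstream Yarn registry URL.
// Integrity values are placeholders, not real hashes.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^20.0.0", "@types/node@*":
  version "20.11.0"
  resolved "https://registry.takumi-guard.example/@types/node/-/node-20.11.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER==

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.takumi-guard.example/left-pad/-/left-pad-1.3.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER==

lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#placeholder"
  integrity sha512-PLACEHOLDER==
`;

// Minimal parser for the Yarn v1 lockfile format: an entry starts with an
// unindented header line ending in ":" (one or more quoted or bare specs
// separated by commas) followed by indented key/value lines.
function parseYarnV1Lockfile(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.startsWith("#") || line.trim() === "") continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const header = line.slice(0, -1);
      // First spec is enough to recover the package name. lastIndexOf("@")
      // keeps the leading "@" of scoped packages such as "@types/node".
      const firstSpec = header.split(",")[0].trim().replace(/^"|"$/g, "");
      const name = firstSpec.slice(0, firstSpec.lastIndexOf("@"));
      current = { name, specs: header, version: null, resolved: null, integrity: null };
      entries.push(current);
      continue;
    }
    if (!current) continue;
    const m = line.match(/^\s+(version|resolved|integrity)\s+"?([^"]*)"?\s*$/);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

// Return every entry whose resolved URL does not point at the guard host.
// Entries without a resolved URL (workspace or link: resolutions) are skipped;
// an unparseable resolved URL is reported, since it cannot be the guard either.
function findBypassingEntries(lockfileText, guardHost = GUARD_HOST) {
  const findings = [];
  for (const e of parseYarnV1Lockfile(lockfileText)) {
    if (!e.resolved) continue;
    let host = null;
    try {
      host = new URL(e.resolved).hostname;
    } catch (_err) {
      host = null;
    }
    if (host !== guardHost) {
      findings.push({ name: e.name, version: e.version, host, resolved: e.resolved });
    }
  }
  return findings;
}

// Stand-alone use: node audit-yarn-lock.js [path/to/yarn.lock]
// Without a path, the constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCKFILE;
  const findings = findBypassingEntries(text);
  for (const f of findings) {
    console.log(`${f.name}@${f.version} resolves via ${f.host ?? "<unparseable>"}: ${f.resolved}`);
  }
  process.exit(findings.length === 0 ? 0 : 1);
}

module.exports = { GUARD_HOST, SAMPLE_LOCKFILE, parseYarnV1Lockfile, findBypassingEntries };
```

Run it against a real lockfile in CI (for example, before yarn install) and fail the job on a non-zero exit: that catches lockfiles generated before this change, as well as entries later hand-edited or merged back to upstream URLs, before Yarn fetches anything from them.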

Yarn v2–v4 (Berry)

Yarn v2–v4 users are not affected by this lockfile change. Berry's yarn.lock records resolutions in the form package@npm:version rather than a tarball URL, and derives the download URL from the configured registry at install time, so there is no upstream URL in the lockfile that could route a fetch around Takumi Guard.

npm, pnpm, and Bun

No change. These package managers are unaffected and continue to work with Takumi Guard as before.

Recommendation

For new projects, we recommend using pnpm over Yarn. pnpm works seamlessly with Takumi Guard and offers strong supply chain security features out of the box.