diff --git a/.circleci/config.yml b/.circleci/config.yml
index bd6f6f0dd9..73cd559039 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -7,7 +7,7 @@ docker_defaults: &docker_defaults
 
 macos_defaults: &macos_defaults
   macos:
-    xcode: "9.0"
+    xcode: "11.0"
   working_directory: ~/project/yarn
 
 attach_workspace: &attach_workspace
@@ -122,6 +122,16 @@ jobs:
           root: ~/project
           paths:
             - yarn
+  test-pkg-tests-linux-node13:
+    <<: *docker_defaults
+    docker:
+      - image: node:13
+    <<: *pkg_tests
+  test-pkg-tests-linux-node12:
+    <<: *docker_defaults
+    docker:
+      - image: node:12
+    <<: *pkg_tests
   test-pkg-tests-linux-node10:
     <<: *docker_defaults
     docker:
@@ -130,8 +140,20 @@ jobs:
   test-pkg-tests-linux-node8:
     <<: *docker_defaults
     <<: *pkg_tests
+  test-linux-node13:
+    <<: *docker_defaults
+    docker:
+      - image: node:13
+    <<: *test_steps
+  test-linux-node12:
+    <<: *docker_defaults
+    docker:
+      - image: node:12
+    <<: *test_steps
   test-linux-node10:
     <<: *docker_defaults
+    docker:
+      - image: node:10
     <<: *test_steps
   test-linux-node8:
     <<: *docker_defaults
@@ -155,7 +177,6 @@ jobs:
           name: Install Node 10
           command: |
             brew uninstall --ignore-dependencies node
-            brew update
             HOMEBREW_NO_AUTO_UPDATE=1 brew install node@10
             brew link --overwrite --force node@10
             [[ $(node --version) =~ ^v10\. ]]
@@ -177,6 +198,8 @@ jobs:
       - *test_run
   test-macos-node6:
     <<: *macos_defaults
+    macos:
+      xcode: "9.0"
     steps:
       - run:
           name: Install Node 6
@@ -248,6 +271,14 @@ workflows:
           filters: *default_filters
           requires:
             - install
+      - test-pkg-tests-linux-node13:
+          filters: *default_filters
+          requires:
+            - install
+      - test-pkg-tests-linux-node12:
+          filters: *default_filters
+          requires:
+            - install
       - test-pkg-tests-linux-node10:
           filters: *default_filters
           requires:
@@ -256,6 +287,14 @@ workflows:
           filters: *default_filters
           requires:
             - install
+      - test-linux-node13:
+          filters: *default_filters
+          requires:
+            - install
+      - test-linux-node12:
+          filters: *default_filters
+          requires:
+            - install
       - test-linux-node10:
           filters: *default_filters
           requires:
@@ -294,8 +333,12 @@ workflows:
             branches:
               ignore: /.*/
           requires:
+            - test-pkg-tests-linux-node13
+            - test-pkg-tests-linux-node12
             - test-pkg-tests-linux-node10
             - test-pkg-tests-linux-node8
+            - test-linux-node13
+            - test-linux-node12
             - test-linux-node10
             - test-linux-node8
             - test-linux-node6
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
deleted file mode 100644
index 706bde4eb4..0000000000
--- a/.github/ISSUE_TEMPLATE.md
+++ /dev/null
@@ -1,13 +0,0 @@
-<!-- *Before creating an issue please make sure you are using the latest version of yarn.* -->
-
-**Do you want to request a *feature* or report a *bug*?**
-<!-- Is the feature a substantial feature request? Please use https://github.com/yarnpkg/rfcs -->
-
-**What is the current behavior?**
-
-**If the current behavior is a bug, please provide the steps to reproduce.**
-<!-- If you can, provide a link to a public repository which contains the files necessary to reproduce this. -->
-
-**What is the expected behavior?**
-
-**Please mention your node.js, yarn and operating system version.**
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000000..175b23fb5b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,47 @@
+---
+name: Bug report
+about: Create a report
+---
+
+<!-- 
+
+1. Please read our Rules of Conduct: https://github.com/yarnpkg/yarn/blob/master/CODE_OF_CONDUCT.md
+
+2. Please search existing issues to avoid creating duplicates. Duplicates will be closed.
+
+3. Currently, not accepting any new feature requests. Please head over to https://github.com/yarnpkg/berry for new feature requests.
+
+-->
+
+
+<!-- Please fill out all sections. Issues with this not compeleted will be closed. --->
+
+
+### Bug description
+<!-- Any context around the issue or bug is helpful. -->
+
+**Command**
+
+```sh
+yarn [your command]
+```
+
+**What is the current behavior?**
+<!-- Describe how yarn is currently functioning with respect to the bug. -->
+
+
+**What is the expected behavior?**
+<!-- Describe how you expect it to work -->
+
+
+**Steps to Reproduce**
+<!-- If you can, provide a link to a public repository which contains the files necessary to reproduce this. -->
+
+1. 
+2.
+
+**Environment**
+
+- Node Version: `x.x.x`
+- Yarn v1 Version: `1.x.x` 
+- OS and version: 
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
new file mode 100644
index 0000000000..89e05efb1a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,6 @@
+
+blank_issues_enabled: false
+contact_links:
+  - name: Yarn v1 documentation
+    url:  https://legacy.yarnpkg.com/en/docs
+    about: Please visit the documentation for v1.x.x before opening a bug report
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c45b7398fa..87656a692d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,114 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa
 
 ## Master
 
+- Passes arguments following `--` when running a workspace script (`yarn workspace pkg run command -- arg`)
+
+  [#7776](https://github.com/yarnpkg/yarn/pull/7776) - [**Jeff Valore**](https://twitter.com/rally25rs)
+
+- Prints workspace names with `yarn workspaces` (silence with `-s`)
+
+  [#7722](https://github.com/yarnpkg/yarn/pull/7722) - [**Orta**](https://twitter.com/orta)
+
+- Implements `yarn init --install <version>`
+
+  [#7723](https://github.com/yarnpkg/yarn/pull/7723) - [**Maël Nison**](https://twitter.com/arcanis)
+  
+- Implements `yarn init -2`
+
+  [#7862](https://github.com/yarnpkg/yarn/pull/7862) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Implements `yarn set version <version>` as an alias for `policies set-version`
+
+  [#7862](https://github.com/yarnpkg/yarn/pull/7862) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Fixes an issue where the archive paths were incorrectly sanitized
+
+  [#7831](https://github.com/yarnpkg/yarn/pull/7831) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Allows some dots in binary names again
+
+  [#7811](https://github.com/yarnpkg/yarn/pull/7811) - [**Valery Bugakov**](https://github.com/valerybugakov)
+  
+- Better error handling on `yarn set version`
+
+  [#7848](https://github.com/yarnpkg/yarn/pull/7848) - [**Nick Olinger**](https://github.com/olingern)
+
+## 1.19.2
+
+- Folders like `.cache` won't be pruned from the `node_modules` after each install.
+
+  [#7699](https://github.com/yarnpkg/yarn/pull/7699) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Correctly installs workspace child dependencies when workspace child not symlinked to root.
+
+  [#7289](https://github.com/yarnpkg/yarn/pull/7289) - [**Daniel Tschinder**](https://github.com/danez)
+
+- Makes running scripts with Plug'n Play possible on node 13.
+
+  [#7650](https://github.com/yarnpkg/yarn/pull/7650) - [**Sander Verweij**](https://github.com/sverweij)
+
+- Change run command to check cwd/node_modules/.bin for commands. Fixes run in workspaces.
+
+  [#7151](https://github.com/yarnpkg/yarn/pull/7151) - [**Jeff Valore**](https://twitter.com/codingwithspike)
+
+## 1.19.1
+
+**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
+
+- Computes the `--modules-folder` & friends paths based on the cwd.
+
+  [#7607](https://github.com/yarnpkg/yarn/pull/7607) - [**mbpreble**](https://github.com/mbpreble)
+
+- Stores the sha512 in the cache even when not provided by the server.
+
+  [#7591](https://github.com/yarnpkg/yarn/pull/7591) - [**Maël Nison**](https://twitter.com/arcanis) / [#7595](https://github.com/yarnpkg/yarn/pull/7595) - [**Michael**](https://github.com/Blasz)
+
+- Uses the right Node binary when using `yarn-path`.
+
+  [#7592](https://github.com/yarnpkg/yarn/pull/7592) - [**Maël Nison**](https://twitter.com/arcanis)
+
+## 1.19.0
+
+**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
+
+- Fixes a potential vulnerability regarding how the build artifacts are stored
+
+  Reported by [**ChALkeR**](https://github.com/ChALkeR), fixed by [**Maël Nison**](https://twitter.com/arcanis)
+
+## 1.18.0
+
+- Suggests using the Yarn 2 development trunk on PnP-enabled projects
+
+  [#7512](https://github.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Preserves linked packages when calling `yarn create`
+
+  [#7543](https://github.com/yarnpkg/yarn/pull/7543) - [**Nick McCurdy**](https://github.com/nickmccurdy)
+
+- Fixes the offline mirror filenames when using Verdaccio
+
+  [#7499](https://github.com/yarnpkg/yarn/pull/7499) - [**xv2**](https://github.com/xv2)
+
+- Fixes using `link:.` to refer to the package folder
+
+  [#7512](https://github.com/yarnpkg/yarn/pull/7512) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Runs the `prepare` lifecycle of git dependencies even if `NODE_ENV` is set to `production`.
+
+  [#7398](https://github.com/yarnpkg/yarn/pull/7398) - [**John Firebaugh**](https://github.com/jfirebaugh)
+
+- Fixes the `postversion` lifecycle method not being called when using `--no-git-tag-version`.
+
+  [#7154](https://github.com/yarnpkg/yarn/pull/7154) - [**Hampus Tågerud**](https://github.com/hampustagerud)
+
+- Ignores potentially large vscode keys in package.json to avoid E2BIG errors.
+
+  [#7419](https://github.com/yarnpkg/yarn/pull/7419) - [**Eric Amodio**](https://twitter.com/eamodio)
+
+- Enforces https for the Yarn and npm registries.
+
+  [#7393](https://github.com/yarnpkg/yarn/pull/7393) - [**Maël Nison**](https://twitter.com/arcanis)
+
 - Adds support for reading `yarnPath` from v2-produced `.yarnrc.yml` files.
 
   [#7350](https://github.com/yarnpkg/yarn/pull/7350) - [**Maël Nison**](https://twitter.com/arcanis)
diff --git a/__tests__/__snapshots__/normalize-manifest.js.snap b/__tests__/__snapshots__/normalize-manifest.js.snap
index c5a78707da..96bece70ad 100644
--- a/__tests__/__snapshots__/normalize-manifest.js.snap
+++ b/__tests__/__snapshots__/normalize-manifest.js.snap
@@ -60,6 +60,27 @@ Array [
 ]
 `;
 
+exports[`dangerous bin name: dangerous bin name 1`] = `
+Array [
+  "foo: Invalid bin entry for \\".\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"..\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"/tmp/foo\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"../tmp/foo\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"tmp/../../foo\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"build:cli\\" (in \\"foo\\").",
+  "foo: No license field",
+]
+`;
+
+exports[`dangerous bin values: dangerous bin values 1`] = `
+Array [
+  "foo: Invalid bin entry for \\"foo\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"bar\\" (in \\"foo\\").",
+  "foo: Invalid bin entry for \\"baz\\" (in \\"foo\\").",
+  "foo: No license field",
+]
+`;
+
 exports[`dedupe all trivial dependencies: dedupe all trivial dependencies 1`] = `
 Array [
   "No license field",
@@ -92,6 +113,7 @@ Array [
 
 exports[`empty bin string: empty bin string 1`] = `
 Array [
+  "foo: Invalid bin field for \\"foo\\".",
   "foo: No license field",
 ]
 `;
diff --git a/__tests__/commands/install/integration.js b/__tests__/commands/install/integration.js
index e969e2a9ee..ec78abb54e 100644
--- a/__tests__/commands/install/integration.js
+++ b/__tests__/commands/install/integration.js
@@ -117,6 +117,16 @@ test('installing a package with a renamed file should not delete it', () =>
     expect(await fs.exists(`${config.cwd}/node_modules/pkg/state.js`)).toEqual(true);
   }));
 
+test("installing a tree shouldn't remove preexisting cache directories", () =>
+  runInstall({}, 'cache-folder-nm', async (config, reporter): Promise<void> => {
+    expect(await fs.exists(`${config.cwd}/node_modules/.cache/hello.txt`)).toEqual(true);
+
+    const reInstall = new Install({}, config, reporter, await Lockfile.fromDirectory(config.cwd));
+    await reInstall.init();
+
+    expect(await fs.exists(`${config.cwd}/node_modules/.cache/hello.txt`)).toEqual(true);
+  }));
+
 test("installing a new package should correctly update it, even if the files mtime didn't change", () =>
   runInstall({}, 'mtime-same', async (config, reporter): Promise<void> => {
     await misc.sleep(2000);
@@ -632,6 +642,11 @@ test('install should be idempotent', () =>
     null,
   ));
 
+test('install should fail to authenticate integrity with incorrect hash and correct sha512', () =>
+  expect(runInstall({}, 'invalid-checksum-good-integrity')).rejects.toMatchObject({
+    message: expect.stringContaining("computed integrity doesn't match our records"),
+  }));
+
 test('install should authenticate integrity field with sha1 checksums', () =>
   runInstall({}, 'install-update-auth-sha1', async config => {
     const lockFileContent = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
@@ -1160,3 +1175,102 @@ test('install skips the scripts if the yarnrc specifies skip-scripts true', () =
     const ignoredScriptsMessage = reporter.lang('ignoredScripts');
     expect(stdout).toMatch(ignoredScriptsMessage);
   }));
+
+describe('Cache', () => {
+  test('install should cache package without integrity prefix if no integrity field present', () =>
+    runInstall({}, 'install-update-auth-no-integrity-field', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853',
+      );
+
+      expect(await fs.exists(pkgCacheDir)).toEqual(true);
+    }));
+
+  test('install should cache package with integrity suffix if integrity field present', () =>
+    runInstall({}, 'install-update-auth-sha512', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity',
+      );
+
+      expect(await fs.exists(pkgCacheDir)).toEqual(true);
+    }));
+
+  test('install should store cached sha1 + sha512 integrity when lockfile has sha1 integrity field', () =>
+    runInstall({}, 'install-update-auth-sha1-safebuffer', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity',
+      );
+      const pkgCacheMetaData = JSON.parse(
+        await fs.readFile(path.join(pkgCacheDir, 'node_modules', 'safe-buffer', constants.METADATA_FILENAME)),
+      );
+      expect(pkgCacheMetaData.remote.cacheIntegrity).toBe(
+        // eslint-disable-next-line max-len
+        'sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=',
+      );
+    }));
+
+  test('install should store cached sha1 + sha512 integrity when lockfile has sha512 integrity field', () =>
+    runInstall({}, 'install-update-auth-sha512', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity',
+      );
+      const pkgCacheMetaData = JSON.parse(
+        await fs.readFile(path.join(pkgCacheDir, 'node_modules', 'safe-buffer', constants.METADATA_FILENAME)),
+      );
+      expect(pkgCacheMetaData.remote.cacheIntegrity).toBe(
+        // eslint-disable-next-line max-len
+        'sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=',
+      );
+    }));
+
+  test('install should store cached sha1 + sha512 integrity when lockfile has no integrity field', () =>
+    runInstall({}, 'install-update-auth-no-integrity-field', async config => {
+      const pkgCacheDir = path.join(
+        config.cwd,
+        '.yarn-cache',
+        `v${constants.CACHE_VERSION}`,
+        'npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853',
+      );
+      const pkgCacheMetaData = JSON.parse(
+        await fs.readFile(path.join(pkgCacheDir, 'node_modules', 'safe-buffer', constants.METADATA_FILENAME)),
+      );
+
+      expect(pkgCacheMetaData.remote.cacheIntegrity).toBe(
+        // eslint-disable-next-line max-len
+        'sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=',
+      );
+    }));
+
+  test('install should fail when cached package integrity does not match lockfile integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-invalid-cache-integrity')).rejects.toThrow(
+      // eslint-disable-next-line max-len
+      'Incorrect integrity when fetching from the cache for "safe-buffer". Cache has "sha512-foo sha1-bar" and remote has "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="',
+    ));
+
+  test('install should fail when cached package hash does not match remote hash', () =>
+    expect(runInstall({}, 'install-update-auth-invalid-cache-hash')).rejects.toThrow(
+      // eslint-disable-next-line max-len
+      'Incorrect hash when fetching from the cache for "safe-buffer". Cache has "bad-hash" and remote has "893312af69b2123def71f57889001671eeb2c853"',
+    ));
+
+  test('install should not fail cache integrity validation when lockfile has sha1 integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-sha1-with-cache')).resolves.toBeUndefined());
+
+  test('install should not fail cache integrity validation when lockfile has sha512 integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-sha512-with-cache')).resolves.toBeUndefined());
+
+  test('install should not fail cache integrity validation when lockfile has no integrity field', () =>
+    expect(runInstall({}, 'install-update-auth-no-integrity-field-with-cache')).resolves.toBeUndefined());
+});
diff --git a/__tests__/commands/install/workspaces-install.js b/__tests__/commands/install/workspaces-install.js
index a0e0c0be15..5181352fc3 100644
--- a/__tests__/commands/install/workspaces-install.js
+++ b/__tests__/commands/install/workspaces-install.js
@@ -103,6 +103,25 @@ test.concurrent('install should install unhoistable dependencies in workspace no
   });
 });
 
+test.concurrent(
+  'install should install unhoistable dependencies in workspace node_modules even when no symlink exists',
+  (): Promise<void> => {
+    return runInstall({}, 'workspaces-install-conflict-without-symlink', async (config): Promise<void> => {
+      // node_modules/isarray@1.0.0
+      let packageFile = await fs.readFile(path.join(config.cwd, 'node_modules', 'isarray', 'package.json'));
+      expect(JSON.parse(packageFile).version).toEqual('1.0.0');
+
+      // node_modules/arrify@1.0.0
+      packageFile = await fs.readFile(path.join(config.cwd, 'node_modules', 'arrify', 'package.json'));
+      expect(JSON.parse(packageFile).version).toEqual('1.0.0');
+
+      // node_modules/arrify/isarray@2.0.0
+      packageFile = await fs.readFile(path.join(config.cwd, 'arrify', 'node_modules', 'isarray', 'package.json'));
+      expect(JSON.parse(packageFile).version).toEqual('2.0.0');
+    });
+  },
+);
+
 test.concurrent('install should link workspaces that refer each other', (): Promise<void> => {
   return runInstall({}, 'workspaces-install-link', async (config): Promise<void> => {
     // packages/workspace-1/node_modules/left-pad - missing because it is hoisted to the root
diff --git a/__tests__/commands/run.js b/__tests__/commands/run.js
index 2bad11ef51..35a1221e56 100644
--- a/__tests__/commands/run.js
+++ b/__tests__/commands/run.js
@@ -207,6 +207,16 @@ test('adds workspace root node_modules/.bin to path when in a workspace', (): Pr
     expect(envPaths).toContain(path.join(config.cwd, 'packages', 'pkg1', 'node_modules', '.bin'));
   }));
 
+test('adds cwd node_modules/.bin to path when in a workspace usig nohoist', (): Promise<void> =>
+  runRunInWorkspacePackage('packages/pkg1', ['env'], {}, 'nohoist-workspace', (config, reporter): ?Promise<void> => {
+    const logEntry = reporter.getBuffer().find(entry => entry.type === 'log');
+    const parsedLogData = JSON.parse(logEntry ? logEntry.data.toString() : '{}');
+    const envPaths = (parsedLogData.PATH || parsedLogData.Path).split(path.delimiter);
+
+    expect(envPaths).toContain(path.join(config.cwd, 'node_modules', '.bin'));
+    expect(envPaths).toContain(path.join(config.cwd, 'packages', 'pkg1', 'node_modules', '.bin'));
+  }));
+
 test('runs script with custom script-shell', (): Promise<void> =>
   runRunWithCustomShell('/usr/bin/dummy', ['start'], {}, 'script-shell', async (config): ?Promise<void> => {
     const pkg = await fs.readJson(path.join(config.cwd, 'package.json'));
diff --git a/__tests__/commands/version.js b/__tests__/commands/version.js
index 6210a40a5e..50c1111b2b 100644
--- a/__tests__/commands/version.js
+++ b/__tests__/commands/version.js
@@ -162,6 +162,108 @@ test('run version and make sure commit hooks are disabled by config', async ():
   });
 });
 
+test('run version with --no-git-tag-version and make sure git tags are disabled', async (): Promise<void> => {
+  const fixture = 'no-args';
+  await fs.mkdirp(path.join(fixturesLoc, fixture, '.git'));
+
+  return runRun([], {newVersion, gitTagVersion: false}, fixture, async (config): ?Promise<void> => {
+    const pkg = await fs.readJson(path.join(config.cwd, 'package.json'));
+    expect(pkg.version).toBe(newVersion);
+
+    expect(spawn.mock.calls.length).toBe(0);
+  });
+});
+
+test('run version and make sure git tags are disabled by config', async (): Promise<void> => {
+  const fixture = 'no-args-no-git-tags';
+  await fs.mkdirp(path.join(fixturesLoc, fixture, '.git'));
+
+  return runRun([], {newVersion, gitTagVersion}, fixture, async (config): ?Promise<void> => {
+    const pkg = await fs.readJson(path.join(config.cwd, 'package.json'));
+    expect(pkg.version).toBe(newVersion);
+
+    expect(spawn.mock.calls.length).toBe(0);
+  });
+});
+
+test('run version with --no-git-tag-version, make sure all lifecycle steps runs', async (): Promise<void> => {
+  const fixture = 'no-args';
+  await fs.mkdirp(path.join(fixturesLoc, fixture, '.git'));
+
+  return runRun([], {newVersion, gitTagVersion: false}, fixture, async (config): ?Promise<void> => {
+    expect(spawn.mock.calls.length).toBe(0);
+
+    const pkg = await fs.readJson(path.join(config.cwd, 'package.json'));
+
+    const preversionLifecycle = {
+      stage: 'preversion',
+      config,
+      cmd: pkg.scripts.preversion,
+      cwd: config.cwd,
+      isInteractive: true,
+    };
+    const versionLifecycle = {
+      stage: 'version',
+      config,
+      cmd: pkg.scripts.version,
+      cwd: config.cwd,
+      isInteractive: true,
+    };
+    const postversionLifecycle = {
+      stage: 'postversion',
+      config,
+      cmd: pkg.scripts.postversion,
+      cwd: config.cwd,
+      isInteractive: true,
+    };
+
+    expect(execCommand.mock.calls.length).toBe(3);
+
+    expect(execCommand.mock.calls[0]).toEqual([preversionLifecycle]);
+    expect(execCommand.mock.calls[1]).toEqual([versionLifecycle]);
+    expect(execCommand.mock.calls[2]).toEqual([postversionLifecycle]);
+  });
+});
+
+test('run version with git tags disabled in config, make sure all lifecycle steps runs', async (): Promise<void> => {
+  const fixture = 'no-args-no-git-tags';
+  await fs.mkdirp(path.join(fixturesLoc, fixture, '.git'));
+
+  return runRun([], {newVersion, gitTagVersion}, fixture, async (config): ?Promise<void> => {
+    expect(spawn.mock.calls.length).toBe(0);
+
+    const pkg = await fs.readJson(path.join(config.cwd, 'package.json'));
+
+    const preversionLifecycle = {
+      stage: 'preversion',
+      config,
+      cmd: pkg.scripts.preversion,
+      cwd: config.cwd,
+      isInteractive: true,
+    };
+    const versionLifecycle = {
+      stage: 'version',
+      config,
+      cmd: pkg.scripts.version,
+      cwd: config.cwd,
+      isInteractive: true,
+    };
+    const postversionLifecycle = {
+      stage: 'postversion',
+      config,
+      cmd: pkg.scripts.postversion,
+      cwd: config.cwd,
+      isInteractive: true,
+    };
+
+    expect(execCommand.mock.calls.length).toBe(3);
+
+    expect(execCommand.mock.calls[0]).toEqual([preversionLifecycle]);
+    expect(execCommand.mock.calls[1]).toEqual([versionLifecycle]);
+    expect(execCommand.mock.calls[2]).toEqual([postversionLifecycle]);
+  });
+});
+
 test('run version with --major flag and make sure major version is incremented', (): Promise<void> => {
   return runRun([], {gitTagVersion, major: true}, 'no-args', async (config): ?Promise<void> => {
     const pkg = await fs.readJson(path.join(config.cwd, 'package.json'));
diff --git a/__tests__/commands/workspace.js b/__tests__/commands/workspace.js
index a50442d22e..17d5c66d0c 100644
--- a/__tests__/commands/workspace.js
+++ b/__tests__/commands/workspace.js
@@ -38,12 +38,8 @@ async function runWorkspace(
   }
 }
 
-// The unit tests don't use commander.js for argument parsing.
-// `originalArgs` is normally passed by index.js so we just simulate it in the tests.
-
 test('workspace run command', (): Promise<void> => {
-  const originalArgs = ['workspace-1', 'run', 'script'];
-  return runWorkspace({originalArgs}, ['workspace-1', 'run', 'script'], 'run-basic', config => {
+  return runWorkspace({}, ['workspace-1', 'run', 'script'], 'run-basic', config => {
     expect(spawn).toHaveBeenCalledWith(NODE_BIN_PATH, [YARN_BIN_PATH, 'run', 'script'], {
       stdio: 'inherit',
       cwd: path.join(fixturesLoc, 'run-basic', 'packages', 'workspace-child-1'),
@@ -52,8 +48,7 @@ test('workspace run command', (): Promise<void> => {
 });
 
 test('workspace run command forwards raw arguments', (): Promise<void> => {
-  const originalArgs = ['workspace-1', 'run', 'script', 'arg1', '--flag1'];
-  return runWorkspace({originalArgs}, ['workspace-1', 'run', 'script'], 'run-basic', config => {
+  return runWorkspace({}, ['workspace-1', 'run', 'script', 'arg1', '--flag1'], 'run-basic', config => {
     expect(spawn).toHaveBeenCalledWith(NODE_BIN_PATH, [YARN_BIN_PATH, 'run', 'script', 'arg1', '--flag1'], {
       stdio: 'inherit',
       cwd: path.join(fixturesLoc, 'run-basic', 'packages', 'workspace-child-1'),
diff --git a/__tests__/commands/workspaces.js b/__tests__/commands/workspaces.js
index ad81f2df76..6a7ba993c1 100644
--- a/__tests__/commands/workspaces.js
+++ b/__tests__/commands/workspaces.js
@@ -49,13 +49,12 @@ test('workspaces info should list the workspaces', (): Promise<void> => {
 });
 
 test('workspaces run should spawn command for each workspace', (): Promise<void> => {
-  const originalArgs = ['run', 'script', 'arg1', '--flag1'];
-  return runWorkspaces({originalArgs}, ['run', 'script', 'arg1', '--flag1'], 'run-basic', config => {
-    expect(spawn).toHaveBeenCalledWith(NODE_BIN_PATH, [YARN_BIN_PATH, 'script', 'arg1', '--flag1'], {
+  return runWorkspaces({}, ['run', 'script', 'arg1', '--flag1'], 'run-basic', config => {
+    expect(spawn).toHaveBeenCalledWith(NODE_BIN_PATH, [YARN_BIN_PATH, 'run', 'script', 'arg1', '--flag1'], {
       stdio: 'inherit',
       cwd: path.join(fixturesLoc, 'run-basic', 'packages', 'workspace-child-1'),
     });
-    expect(spawn).toHaveBeenCalledWith(NODE_BIN_PATH, [YARN_BIN_PATH, 'script', 'arg1', '--flag1'], {
+    expect(spawn).toHaveBeenCalledWith(NODE_BIN_PATH, [YARN_BIN_PATH, 'run', 'script', 'arg1', '--flag1'], {
       stdio: 'inherit',
       cwd: path.join(fixturesLoc, 'run-basic', 'packages', 'workspace-child-2'),
     });
diff --git a/__tests__/fetchers.js b/__tests__/fetchers.js
index ed5f5b0cc6..5c95c6af7f 100644
--- a/__tests__/fetchers.js
+++ b/__tests__/fetchers.js
@@ -125,6 +125,40 @@ test('GitFetcher.fetch with prepare script', async () => {
   expect(await fs.exists(path.join(dir, 'generated', 'prepublish'))).toBe(false);
 });
 
+test('GitFetcher.fetch with prepare script, NODE_ENV=production', async () => {
+  const NODE_ENV = process.env.NODE_ENV;
+  try {
+    process.env.NODE_ENV = 'production';
+    const dir = await mkdir('git-fetcher-with-prepare');
+    const fetcher = new GitFetcher(
+      dir,
+      {
+        type: 'git',
+        reference: 'https://github.com/Volune/test-js-git-repo',
+        hash: '0e56593e326069ed4bcec8126bb48a1891215c57',
+        registry: 'npm',
+      },
+      await Config.create(),
+    );
+    await fetcher.fetch();
+    const name = (await fs.readJson(path.join(dir, 'package.json'))).name;
+    expect(name).toBe('test-js-git-repo');
+    const dependencyName = (await fs.readJson(path.join(dir, 'dependency-package.json'))).name;
+    expect(dependencyName).toBe('beeper');
+    // The file "prepare.js" is not in "files" list
+    expect(await fs.exists(path.join(dir, 'prepare.js'))).toBe(false);
+    // Check the dependency with a bin script was correctly executed
+    expect(await fs.exists(path.join(dir, 'testscript.output.txt'))).toBe(true);
+    // Check executed lifecycle scripts
+    expect(await fs.exists(path.join(dir, 'generated', 'preinstall'))).toBe(true);
+    expect(await fs.exists(path.join(dir, 'generated', 'install'))).toBe(true);
+    expect(await fs.exists(path.join(dir, 'generated', 'postinstall'))).toBe(true);
+    expect(await fs.exists(path.join(dir, 'generated', 'prepublish'))).toBe(false);
+  } finally {
+    process.env.NODE_ENV = NODE_ENV;
+  }
+});
+
 test('TarballFetcher.fetch', async () => {
   const dir = await mkdir('tarball-fetcher');
   const fetcher = new TarballFetcher(
@@ -278,6 +312,25 @@ test('TarballFetcher.fetch properly stores tarball of scoped package in offline
   expect(exists).toBe(true);
 });
 
+test('TarballFetcher.fetch properly stores tarball of scoped package in offline mirror for Verdaccio', async () => {
+  const dir = await mkdir('git-fetcher');
+  const config = await Config.create();
+  config.registries.yarn.config['yarn-offline-mirror'] = 'test';
+
+  const fetcher = new TarballFetcher(
+    dir,
+    {
+      type: 'tarball',
+      hash: '6f0ab73cdd7b82d8e81e80838b49e9e4c7fbcc44',
+      reference: 'http://npm.xxxyyyzzz.ru/@types%2fevents/-/events-3.0.0.tgz',
+      registry: 'npm',
+    },
+    config,
+  );
+  const cachePath = fetcher.getTarballMirrorPath();
+  expect(cachePath).toBe(path.join('test', '@types-events-3.0.0.tgz'));
+});
+
 test('TarballFetcher.fetch properly stores tarball for scoped package resolved from artifactory registry', async () => {
   const dir = await mkdir('tarball-fetcher');
   const offlineMirrorDir = await mkdir('offline-mirror');
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v6/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json
similarity index 100%
rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json
rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v6/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep b/__tests__/fixtures/cache/corrupted/.yarn-cache/v6/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep
similarity index 100%
rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep
rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v6/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v6/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json
similarity index 100%
rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json
rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v6/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/good/node_modules/good/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v6/good/node_modules/good/.yarn-metadata.json
similarity index 100%
rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/good/node_modules/good/.yarn-metadata.json
rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v6/good/node_modules/good/.yarn-metadata.json
diff --git a/__tests__/fixtures/certificates/cacerts.pem b/__tests__/fixtures/certificates/cacerts.pem
index f752995039..ff0e06fae5 100644
--- a/__tests__/fixtures/certificates/cacerts.pem
+++ b/__tests__/fixtures/certificates/cacerts.pem
@@ -34,35 +34,37 @@ rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
 -----END CERTIFICATE-----
 comments should be stripped
 -----BEGIN CERTIFICATE-----
-MIIFgDCCA2gCCQC8rITAE36eyDANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24xEzARBgNVBAoMCkV4YW1w
-bGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMxCzAJBgNVBAMMAmNhMSAwHgYJKoZIhvcN
-AQkBFhFjZXJ0c0BleGFtcGxlLmNvbTAeFw0xNjExMDExMDU5MDRaFw00NDAzMTgx
-MDU5MDRaMIGBMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJv
-c3RvbjETMBEGA1UECgwKRXhhbXBsZSBDbzEQMA4GA1UECwwHdGVjaG9wczELMAkG
-A1UEAwwCY2ExIDAeBgkqhkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dlk+OKb+S14hj/EHVUMzGSAfTpc
-TJgAPxhaWChp4ICBspYX3OrIdQ4XXEzJYu0ZFIxhV0VD0XBB9XEdmyaJpgqJORFi
-MplDtIOAAsiHL64g7ZW8vKrVH/VWnCk5lt4CX+u7bUzhcGo11Esmvy/uAWDeStLI
-m+49esBbr3nL+oYMaGw3u2tgZgaalvozg4p+Tatl3J3TUgpt9fK5tpHwlGmXIOp0
-O6Lq3affXZzFivMm/jJVMGyV1/AowPCtXbhS1O8qQQKws4HZUx9Od34yzOpPCkQf
-Wl9YkZKd2OQ1MPTnpjiXluBEbhAPPHKq7P12B+wrlFP+4l9wNwqpTIxFR6j/iy+H
-9exO4yaU0QcaQFHOSPxVP3rl0KdEFq/oTkto23Y5nrEuwEZ9TVEdNaxiOElNy/qy
-cMUsFZA+4ne1Ly8FB44OY2hSE8P59jLFNP+A+XCTMK7doiJ5BT442+kxpIRQyfEl
-EwaRQm2oZzJvSU1G3EOYs/3hOzQzpCpaJuPT2zhis3wHzYtgVt2Q5EOaBQnbGi9/
-bV6881elI6+5jEahwq4zIlfYREmOm8wtDXkeajIIQrLMRG6d4YMm27F3ZCxL2tam
-LEuF6CtqoTEuxuJXM9zC7Rydiry7kszLkDJKvUmGgbrJ5qnmZBetZLoG3NivCWQN
-n2sJqcmOrRU4SfsCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAD8reWqvPTVuxQ3XY
-z5tOii37WDhVStUwXot6QaUCIouAIfwJDnyuOi4H8vgXzWcvwPvEXWRS7JJZn4Qa
-5DsuOo5UI60vvypZ3F0MrPQbWz3cwAzrVVCw138IfMUo2dLfW5tcc/2zIg31zStV
-7wREbMRX/xrqkyuOoe+1zvpk7oqaXff6aOluqtZh5Q0g7fANt7Lpb3TIJF1lHxkJ
-mKaPHUbSwxXjv42pliJlivPcjELRCwZDfNA8t6FftmhTo0ReRrUP6CyvZJjEg+2O
-8/bPstDs0bqE9KCYFQmroGvfwZj2DjiAm2P7DfiLmfjfojqgKFW8nw9ZgCyHFD8t
-OB7gqlB5PR11Y9IRzdV9RO98lmitVyHI+IPkoj/Dq7L08jXl4NspOml2kwlvXrcG
-k14IQz+Wy57UyD8C1ZS5MkHM9Pza4uvEmFND/SkN1rAJh+nl2ufZ6qSRzA39S6EC
-hi6D6yh7CRpPlpF5rtdzAJMjWS+/JXGBmzzdGHNAVKuhReIDDS5mIW60gJkCF+iM
-K+jdVGPOxiN5ODSJaIUJadVHe/QDmFUTYMtho9cdJU4NqtDwLLzLS2sPg9BKcazb
-3A2b2esl0TtJI5iGgRW+oDlXw86Z8A5RZPllBJYIuuFe9Ger7bjQj8F+lrHOjnE5
-z25jSi3bq2l8JLZnANwdm1O/TLQ=
+MIIF7TCCA9WgAwIBAgIJAOQ9IRk5pctqMA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
+VQQDDAJjYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0
+b24xEzARBgNVBAoMCkV4YW1wbGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMxIDAeBgkq
+hkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMB4XDTE5MDgwNjA3MTIxN1oXDTQ0
+MDczMDA3MTIxN1owgYExCzAJBgNVBAMMAmNhMQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCTUExDzANBgNVBAcMBkJvc3RvbjETMBEGA1UECgwKRXhhbXBsZSBDbzEQMA4G
+A1UECwwHdGVjaG9wczEgMB4GCSqGSIb3DQEJARYRY2VydHNAZXhhbXBsZS5jb20w
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDBFeT4bPZ8OGivNZQby7cI
+N1DYloyEJZjvBkE61Ewdq1i6bGQVrxL/JrWWvCVrSOALUpovFGIqeeHoYq5IHSTb
+jd/vkvrGBymsou6lJYJGqlbL3GCDbF93txPTvEwKYm/FbvFMu835DQgZEaXuB/iS
+RWKUOgjf48I5buLHVmJ+V6INoYlQgNdtM0tSTOefOwp46NEzOwlmNAsQURwOVgwX
+Aiqm8862hlB3y8zaV9xh3nvinMhTbTlWOBKuJD3us5OCmpY6KJVdOhgdmusFIHSD
+1Z1y0Wk1s1abZeChUYi/3MJgGL/sxgk2fscvRTukq24xqYixcs/F39TEYsOtNwO0
+qL934KY860BdBjXSwv2TMA7vLrMBfKiyYFV5Tg7VeiKMYuvAMiJ6pcycI2AuIoJx
+l9RcPrqKUATkjVbk5j9VowokW8bMpCMKqBAh8eAj93vEVbk56MQNyAQzi0ua2HIS
+a0TH+Z4cLXxVNQNDOg3u/uYzCJqVkkUy2ACuN+KY19/owCDEBmjHf3YEeNmu79nP
+8eMp1qDxGaHrB8Mbbs4u35oKcu3/osAAAv94C4rYM1GlvRavzMXaw/w6THXzAqLR
+HUk4TDySH59lprorRwi9O5MEseu/VR6kpVGFaqf8Uk3roO1PLcrLl7mIVEBMT+xr
+dsQZ2t5uPdRWl17CC3FPjQIDAQABo2YwZDAdBgNVHQ4EFgQUiv23fsFng48bIdox
+T5+R4ZyblCUwHwYDVR0jBBgwFoAUiv23fsFng48bIdoxT5+R4ZyblCUwDgYDVR0P
+AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwDQYJKoZIhvcNAQELBQADggIB
+AGyXNgSgEKTsP6khvdCIognjKBPxHloKRa1VjVDISsOTrhpnpzD8iK5fI7PLNTu4
+I57O90Ouo689np766iUIWTGDX3gHXLwPjvEtHFBOctfkDRD6vSk6jT74AWq5SM6R
+i+Us6iLcOoyJOXfpRA2RJ8mSmYpswmY16s3vNQtBQASDEgqd1+tuKUXdf1ijBUEI
+fua0tUBfmroEDphzi9SOyeo3KbXafjrgHnRRF/EZS86UuwI1OEYqfzqzZzU2aR+i
+zKdA+V5m/myfgiFHWnN8hT5TgJC3zjuLrfPE0oWF1xUJouMhDiKp0tWu6S4wyU0w
+cxtpCBPoeqjVr4eVyvmpFREPIW6fANUT21QDTu22gjorKoewoFlt62Q/SIiVe8Fd
+zMNLzJykHzP8W5E4p2lUFmuZ+cgU0ASsqTf21VfWuBYOLMCe/Z1mRw/egg7/ZlkB
+dbgbZVj0hkfh6zGybtAeCPVQ5g+eQ5AOJCaW30xs8zove9Ke6/Pc/QPQ/nU5KhJX
+/Vr4xnoOvgq+UM/CwhYgqMcqk04czBF1KHKPKPFv4i+XDZ++cckUq3PMvWHMg8Og
++9LT8+6nWhoz3C2khOeRXJn5JV0+NqrVFYSrk1Ck2Z1h6dVDhz25fyPV+9+hZlDL
+iG8MH0iCyXWz6kiZKW0s9LV7AW/PUPU/rZdS+P2HgS0E
 -----END CERTIFICATE-----
 another comment
diff --git a/__tests__/fixtures/certificates/client-cert.pem b/__tests__/fixtures/certificates/client-cert.pem
index 0fcb7fec45..755b80ec4a 100644
--- a/__tests__/fixtures/certificates/client-cert.pem
+++ b/__tests__/fixtures/certificates/client-cert.pem
@@ -1,32 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIFijCCA3KgAwIBAgIJAJtFZrwaJuiyMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
-VQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjETMBEGA1UECgwK
-RXhhbXBsZSBDbzEQMA4GA1UECwwHdGVjaG9wczELMAkGA1UEAwwCY2ExIDAeBgkq
-hkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMB4XDTE2MTEwMTExMDIxMloXDTE5
-MDcyODExMDIxMlowgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UE
-BwwGQm9zdG9uMRMwEQYDVQQKDApFeGFtcGxlIENvMRAwDgYDVQQLDAd0ZWNob3Bz
-MRAwDgYDVQQDDAdjbGllbnQxMSAwHgYJKoZIhvcNAQkBFhFjZXJ0c0BleGFtcGxl
-LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALIBe3sK4CKnNTyp
-M7GwNzHHrCtgW/nVBML9KRbHSCDodvhegfNWJRTvarWCipbej+V0iBsw/LcYuynw
-4QDzINJVQTfdXYpfr2PBjY2PlTurYMHoA6W9Qefw3TZNQbt1wygJznShPPfdVDi7
-KBaXCCmLZ98dh4o8+A+4FTEdkMmtLjKp7j/chDmmO+vM0+odSBtf5CfEEgIQNAiw
-uaKJhFjOD0voMDfDEowIBqA/s5MPN8iizOoPhpgl4HJrkWGULEl/xpmO0oOiLITx
-xG1wAeKsGXa+28Xv+FU3nK8AgpToGsnOt4jUmAqO8f0Y1CnBFL9LkOB99UQG9XBS
-H2j61pZnJaL3L3GwSVeGxfhZWgEhTcZDsA9/xD4dRJEzi49A+Q0DVArj9nyccLP5
-NgXClC4wQZzRTH/ptkfNzmnkZ935ffn9tnJNAv/Cq9sTpEL5TmQU976shhxpomXa
-/ADW+jojVnlBZkZugVEbvFU1r7EFUz9aEHvqmIpUn84gvWeG6Ows1T+nvFkQCtFp
-00uHntOjh0Jx5PclMNX8rAaHOzI/7j3ZkvNicSz76v9iFaViTUdplL4beORjhuTq
-MgNSGyHv4C6MxsdfurZgMFsLnDRilBJ3Y4h+xOamV2JngQY1iPT4XRSyV60+4hRg
-V8PN+dLSv28sqUXN/nm0zQiy1FV3AgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAA6N
-4kIH05Ju3SJAKCFg4/K3NNW9D7WCRbKBN4PLyxQ/4KW8eDKC72PA4YMX1fRkgCKO
-jXypPAtypOZvzs4k3cZXK+Q1OjrUf4PhD+yAzJlVnI7ILjhN1BpZeami2Pd9W8Gl
-odCNxDIOgcgx8HMDBtj2xnk0HG0xOsvctB/ueO9LDiJ1Ztn6Yf1sYgyyPZUhGTH0
-fuzCpXbs2PIt7C/wOZjGpbcZ676NBNTuP6r99qTGi5acFi2Q7SY3siKMUDcDnEeO
-v4najVtgB+Cj2p6OoHwBtU2MyAiwjqbNR8MjLVT10mU2EC1knmhS/xRRKqnWlnAO
-X9Ui5qbpk72jvDcufx9NAmoO4XWVoywZdFRS3QHQBSkTd+0bdBKRHE8Gg+pgS8Z9
-ec1CuxF14oBFZeAN/jU4hwmIOz/Kn6KU2L5/R1D6Hc3rP+PSRv8mIYy8uTNt6Ncn
-c5iXB/kw+lm2/b8GPPHkwgAIl7ezL0LjcWpnVNeVrnLRQJn9WCpQO8czLxmehblZ
-zp2upkoGnuP19E8lCKFl2gyxOTId1xIxqes/5Sc1M4Hpr2Eb4tI2XyNjg5CQuJe0
-uP6yWf2UJOA5JmY90WRbn592VayyJBne+O+v3eQSyCdd03+Ha6CzSeDIx94PLEIc
-65r+/7ymWnPSvIULDUPiDZfGLtSz48DFMTVZRM0+
+MIIF6DCCA9CgAwIBAgIJAIUfwLpI3Mh6MA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
+VQQDDAJjYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0
+b24xEzARBgNVBAoMCkV4YW1wbGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMxIDAeBgkq
+hkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMB4XDTE5MDgwMTEyNDAwMFoXDTI0
+MDczMTEyNDAwMFowZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQH
+DAZCb3N0b24xEzARBgNVBAoMCkV4YW1wbGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMx
+EDAOBgNVBAMMB2NsaWVudDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQDCO2v12Ui43mH5zxy9oNzn0biQVN/AhPOJbkgdS4ivxJs7gA+ZcpUsfgclKv8q
+khYauLWu9rGUO2YIfpvVAy/Qw1/QoJQrroTuzi84MiIj56xIBy+WUMq2sljn/Ou1
+fYd+CPXDbQOyzUwmWYpqXE4Aipug3mzfcrL+vt9P+0oGOyW9YMghGzNh/y6wkEoX
+XDtYw976kk+/VzO44hxi8G3WND0y0XU9u0hhWTXoEP+nyF6i3MasXGgD5D05aHeE
+vfmvjs5pUpFfqVdfenddZR+t7BnDjoPDo+UXMNmWmQOhOQ+R1fxZsUfa6QBrEQKQ
+If9wq3Cvoo/1MRtiLRfiaHlP/mL7J0MaR/Wj0ET6j/Kjgzm1DwBtz5G3paLGjh9f
+YVEELUMkwg5C5EcmVkOXn0EUhIB2S++8sgLAAY3svYgKWBSVcsLm1Bk2Eny76Jh8
+NGkC+3Uits+Ov59zMbEbknFB6ytdItwDjmNGijQ3jXa9g5wDcpUb30S6yKycT7Ix
+LZGoHUoHftmkb4XRTiZex+ziqqF4+XJfgwe9smCoJWXNCepao2+QVfoHjIV4dAGc
+GVVfMVE92HpYc0YKpWmb/U2qwK6UFIXkt8Xam51ogx1X3a7qnPFWYXADhfptmitk
+09FP8bwEtlHpU5VTW7ksu5thrRm3HZ7WwJm60nrSsEb7uwIDAQABo38wfTAdBgNV
+HQ4EFgQUyeq4Rl/JTi2CWubbPoFIlLTYCRwwHwYDVR0jBBgwFoAUiv23fsFng48b
+IdoxT5+R4ZyblCUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCOAj+5
+qS81ES3OD0yO4zyR4ICHZo68c15USeZakiWTtt64t3e2ZMyW3onDoKunmxc0u6NO
+8qxzM3HVGrTCL18sbYNRIOHlnKrajETb9Uv4QG2ULB+euwhOB18EGHBMEJmvuhr6
++gL0OEEb1JPGVHC0AowPLPdU0DdVFzLz6AxwpFfQY6qOOaNkdh8N8DIwK8yzE9Z5
+sloh5W/2MtrKPNzY6BIOv2UNuzUySTUfOsqecGQUtFkmyUs11BtmqvxZNdwcSPBG
+eO6lysh8Ts6g3PVISx05MLANjkkP5q78UlQGiLbfJFNqVDyeUdSHoCnEZvvJ4oSu
+1F6jGJBMzBQwkLHqDp2nfnpnhR6YNAX0nJARxLv0fUbHf+3ikpwyX7tBf94Nd5sQ
+Of029YGWnzhB+bLjTXP7JKTsQeFjN3dnssvFQEtyWWJsALWsG3h7TcNRKgADluXQ
+2mZBPwXNEx2AAfbAbCXhG0+pJ5sOpOtNk0KwjvyUyUaglTJqFhHscvtf9HmGE9oe
+5Wfnftz6dQCtKqPNO4JD55qQ5lL7yESYBIbmm1mACUeXLOM8vFYEZhPqrcT8BIHn
+UvZXtzR5/Eyvmjaa4mEj7dtWBxoAgfdS1iMFLK51wqWWtUYojrTihTnpSl1z6S+q
+np/9R919j0P7jA5k+2jdFcAMO1K5xLbztVvqaA==
 -----END CERTIFICATE-----
diff --git a/__tests__/fixtures/certificates/client-key.pem b/__tests__/fixtures/certificates/client-key.pem
index 6e35a7f79d..fa80438dcf 100644
--- a/__tests__/fixtures/certificates/client-key.pem
+++ b/__tests__/fixtures/certificates/client-key.pem
@@ -1,51 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAsgF7ewrgIqc1PKkzsbA3McesK2Bb+dUEwv0pFsdIIOh2+F6B
-81YlFO9qtYKKlt6P5XSIGzD8txi7KfDhAPMg0lVBN91dil+vY8GNjY+VO6tgwegD
-pb1B5/DdNk1Bu3XDKAnOdKE8991UOLsoFpcIKYtn3x2Hijz4D7gVMR2Qya0uMqnu
-P9yEOaY768zT6h1IG1/kJ8QSAhA0CLC5oomEWM4PS+gwN8MSjAgGoD+zkw83yKLM
-6g+GmCXgcmuRYZQsSX/GmY7Sg6IshPHEbXAB4qwZdr7bxe/4VTecrwCClOgayc63
-iNSYCo7x/RjUKcEUv0uQ4H31RAb1cFIfaPrWlmclovcvcbBJV4bF+FlaASFNxkOw
-D3/EPh1EkTOLj0D5DQNUCuP2fJxws/k2BcKULjBBnNFMf+m2R83OaeRn3fl9+f22
-ck0C/8Kr2xOkQvlOZBT3vqyGHGmiZdr8ANb6OiNWeUFmRm6BURu8VTWvsQVTP1oQ
-e+qYilSfziC9Z4bo7CzVP6e8WRAK0WnTS4ee06OHQnHk9yUw1fysBoc7Mj/uPdmS
-82JxLPvq/2IVpWJNR2mUvht45GOG5OoyA1IbIe/gLozGx1+6tmAwWwucNGKUEndj
-iH7E5qZXYmeBBjWI9PhdFLJXrT7iFGBXw8350tK/byypRc3+ebTNCLLUVXcCAwEA
-AQKCAgBPu/I/z0NOwm9KWNBbC3/twG8SjvskEZMsdJHvLhzVAMwpvMug4DmEAypd
-W7gQlGkIcwZ0h6DrsxxDUS64ai+Nh7rK91FrJik+Gfj6LBLAw6d3tCHOH9RhvLaa
-GEkVW06rpJjiDUduD6omL09prwVs9pD0lBmehmjnQaHcek3cyMIk15Fs8a4Y1KmK
-mhliiPM/r9hXJ7CZVAC6086TS94ImWSor7zJfYvVRdMR/PbHLM3kBWicf4/enzjG
-iAB7IRAlbCLdregGJqKielluW/m8OzK8yglPxIoMQfjhOu1DHiTBuOLlW7UvJZCn
-unNusJpGhebDaChw7F0Mjvya3aE4xksR3oIGM7b42OMiC9WvbqVi18UHSDVQkMfO
-N1+JUjrBE+/ktDoFGjUgaOfQ9OLcxgP5UHiGoVyK9K1cQsE+6tMyVvg23xYIwgKa
-n/66OgxIOw75PWRyRMk4vhoGDWbfpPlVEoVcImKRALDCccyt9w6Hb5X5nbukiG4J
-q3MNcuCVqTGelhjY/GsimOw65Gjy+K8XAaIVDcPuqBPbR89wDLL8z0w9blvbboLO
-V/Z7Z5fsvpxOXnkVGt+hf9fd6QsR8WsurFq3kuJkaXRW4BArhBGyiX7g2+5Et0Cy
-lSN+EOF9h6cQnUHmF9SOmy/nSggmw+2AimXrvDJLf/8b90U8gQKCAQEA4CJmCQax
-BTtpC8RsQNoLQIMRdil4g+Y7QFWzHSX4QmfoGdHYWT7OnJZXu9oiBvWGTtXoXXOL
-YUg79H57o07Zz7Juk8YWyjHfBLL9j5sh92LE70xyznMYj/uDdnOmYxt5pX8Hx1TL
-2VEboRTbsekutEl/LDhtjwLHb5eVPdKmj7Loa4ja1GPHk8b2JN4egMScxz02rGRx
-znHcIT7SHGo5G10okV3zq0peErdMSW9JR7q+dTbwGizHmOTqOWDzDF+wRCJOWBLU
-t87sUWFJxAyofaM1yIPvzHn0ISGKP/AzkBckU90Mit19EVzjUqYXHpfWH+dMYH6q
-uX7hv6umim3shwKCAQEAy1AvxBeeic0vd5Z36G9CIKdkfnvjpN2wxF9w4PEunJUX
-h2BtCcT1S+lWOORd/RhYV3SSH+eu7TYpjs0dTy1NluxA/cgxK5Gb4CmFNNdnC0gk
-5Bj/gd231M7Gs8K+o52eKztuuPCG5fyWs72q0NZzxeORYjmBnGKRx6x/ryVHNc6D
-wcsElpYS0Tyk/gSGkEoWMlNTy/sJ0pGpEezp8mEkbi0q45kI1PbvMO9bqFJ5SDQ+
-4K8JYpaf2Bc/77J91El1Qmw3RpXYYC+tEncFqQedTGQFJ0Yy/ZN2L+lDFlDbHo8q
-LNB3vUYvQXwQ7eT/3LMUxD+Fwk7mRHqA4WY0yk/7kQKCAQEAvROHrBme/+DsbubW
-w6atU1C+TEYTyoFQfqdNIEvFsI9jN1TVBAR9247gmDId/mzlTmAZU6yDah+7pDeH
-KW79Q78slTDITO3hS1+Lk7e04bLKm2yMdSiXEe+FKUnKlVS6PCh7cWZRSRSpECw+
-YUlrAt/1jmJT2g7oG3VuiubHZ/XvJ7gdkopR9JIlV1ihttMlxtYW5zsc3qEiqFEM
-grgBUNo3vNnbEyb7USKcEl71HLOms88SoaIhBxQlmx30Kv4V/oRKPvYzyJOgu84s
-olxjTwl995eFlaNTlRdsPx/s/6LmHHEfgY3zUdBgXHqMilxgYC2JOuXgM/ebjUvK
-hIDSxQKCAQAWdd1RBGr3PjuoMm88tk3P3a40autTI0qL5x9JOluz4KSgx/5DvgZ7
-RGPKFTBs7WuU/cPG0ol4myssI2zBene/3Imxf5QvA/78XJnipIk1rdqleD2B00Sj
-tdQtt63n1VnL3Nz2gVvlvGnJoYJlX8uaaPF+sGupIxqHvH6+kpezUgUsO4leOWYK
-x3BSv50+A3FATgRL3IfRQ1YyLMILjL/BjCvYyOc436688TRm+/V6DIuFttCKm6k8
-7hSaHlXYReU2WU4h9hvZRGsSRyPQ8I5oCgSnuhGYAdpkoJhQts3+KkK2gLE5r684
-xMP6A/pgH0iEBaB5Ps4hcocaX3glgYCBAoIBAFZsTWy2sgQCe5G3XcNsaa2UNl39
-0lBbFFmvQff3QqyDoMrvTGmXh84ni6by7ouIQsK6toVEufLo0ab5tbg7gPfJPa2T
-1+yPO2pcRX3XifAPTcqcy6yP45F4fu9/ZEISuzk3ZL8vQloqNy6P3SUmcH7HnEkv
-yZyBZlOMnGBfIkSpQ85Sh+Lwhf/Y0yaZHISeNubRvqcx47LemNeZ7Jq+8fzH9UED
-vfk68qx01s/PxV/xs2U96XB6U2zWlJGekTkuz4AB8jtqD594wdxVEPofL6rmnMJZ
-LIASsBEniiVESphjqwv62EPmqbdSB5eBWzcl+U2YFMUilhkO6YN0LpfJSeI=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDCO2v12Ui43mH5
+zxy9oNzn0biQVN/AhPOJbkgdS4ivxJs7gA+ZcpUsfgclKv8qkhYauLWu9rGUO2YI
+fpvVAy/Qw1/QoJQrroTuzi84MiIj56xIBy+WUMq2sljn/Ou1fYd+CPXDbQOyzUwm
+WYpqXE4Aipug3mzfcrL+vt9P+0oGOyW9YMghGzNh/y6wkEoXXDtYw976kk+/VzO4
+4hxi8G3WND0y0XU9u0hhWTXoEP+nyF6i3MasXGgD5D05aHeEvfmvjs5pUpFfqVdf
+enddZR+t7BnDjoPDo+UXMNmWmQOhOQ+R1fxZsUfa6QBrEQKQIf9wq3Cvoo/1MRti
+LRfiaHlP/mL7J0MaR/Wj0ET6j/Kjgzm1DwBtz5G3paLGjh9fYVEELUMkwg5C5Ecm
+VkOXn0EUhIB2S++8sgLAAY3svYgKWBSVcsLm1Bk2Eny76Jh8NGkC+3Uits+Ov59z
+MbEbknFB6ytdItwDjmNGijQ3jXa9g5wDcpUb30S6yKycT7IxLZGoHUoHftmkb4XR
+TiZex+ziqqF4+XJfgwe9smCoJWXNCepao2+QVfoHjIV4dAGcGVVfMVE92HpYc0YK
+pWmb/U2qwK6UFIXkt8Xam51ogx1X3a7qnPFWYXADhfptmitk09FP8bwEtlHpU5VT
+W7ksu5thrRm3HZ7WwJm60nrSsEb7uwIDAQABAoICAQCqAb7eYoBfp+6T7C+Y3ztc
+AVoNouxyIyzTJt8iHSIXzvucmduNkRh26Byy8K6FgXatju0fprgKKe+GEeOuD+sD
+TG8KOfNXRJsANyJniqINUVOffAKwDClSvkpJTDy4D5bPv2H12u54y28Sxh78N6zi
+lm/f36/l6Qw5I7Js3GOPjqfa2eJx79AKv4QLcVAYoFclu9Po+LWqodYYxnjYNN++
+tNy4JVP8Y3fYFXC0nmRXZG9JF/shlIRKm7TnEcRDQNFSU6nh0C6ET8G1RYlDCycu
+YVCvtYcpb8Quh0h8o5PkwwAYwvbtPtnJB1ahYDMhG1DtOnIYmS5uC7yPMy8Lsiwz
+TOubZf+43bMLBwDDvVIW2mpJ2L97qpT+XzgoofDhXVK0q93BzWi5q8GS08mlPGQa
+tGttm1s9gqvGYL6YmGCqBLmhip6f5QoLapcKk0d2HEH1Rn/EQGtvmX091D4rb62B
+qoDaRJYb+CTdR5VB/d+upGbLqUJt5rAPJHB/cKMceMxGg+IRyxurpkKMdpJOH5fU
+rscD4zmksN1id+VekM4qII+vEvU5Q2LWgybVTl0vwo/g9U4iDNd9R0w8GAGxyvTW
+ZDjNvmC3XzOLe3lB/3QxTIZT20r5rytgAua3/Galr76MtAIySWgzFBkzxR6hJzN+
+SqB9V6kIbgAHe1t6IkRJ6QKCAQEA4nuCwpQvJZ6TpuuXtNJRCN0WBQVidUytnb4m
+gc57iIveKtLOgMpluaX/PSdYoLbc9ePLNd1n4j3ExXzQOqKX8Y1s/6GkbFx7uUKS
+7u0Pxi3uSadF05QgCA6QZo8NwB8lcsHUb7ftMFXZLLf2UUE8cjqmKlVfo83c1jOT
+uNOx2F/H9admLJx6oQl+Ukf+6k7ogfbkhAlkNwudRDNjtHscFeUy0h3g3gOKsgbi
+isYRd2TsyEWMkrUKNnRXXy/cmLovYfGMSTQBqm1ZYllH2I0+eP86wzzeB6oC4Nev
+Sn6cCNcftu7SFwG2GVWk9upBLzH9lQy4m3pt86YVwNeW7m0Z/wKCAQEA24vkXkLB
+CNudOwuNLku/vRbMqX9sONX6XGhHVgMyFnj6MO4wh7Qksbn8Uy7HrlUz8b+JPcKR
+cZXJd7HMNSqZy+Jj1c5p/MOV0VCYBr2zk/IW2RlWxUCeQVVhwz0Cwkpku2ode7vI
+3XrPCB5PZ22jt30PbsoTvjGJvHl0Hryg8CmXW1fcmrjFUDtgzyFKidP+Z5xxeBpu
+oHqWd0XS+TLeVjLCFKTHBmklh6Cl7Vzp8iRXsxngzlbRwegcWsA/pGHrv2ybOgkc
+8IedltbF+XEw3nJbeUuyaBy38LN/4EM5pYdhdNhjnwn0D0QmKkf/0uKsrAr6JKB7
+40uCx4hsU70GRQKCAQAdJk5vIslqqx1P55SwBj29yU7TOJ0ygbr6yYWFQYEu0um2
+U0mW0/YBzfaq9Ux36vFHiJkYBrYfLVoNHQJj+Zda1JwJztEtzT1zW7kznTlhhXnc
+6vWWxMLWpqE5QgJADwIv4fiopGCXzwTTt52xWZchEKFgY3qax507yImjyUNjmPhQ
+isogxccWwPUMPA34NE3CpHdG8zp9xzXnmEGl8g5sVwKSfpv5lzUbsr0npVSMLGY5
+ZJIyM7Drz0+Lhcp7scL1dTRcG6B3Qfm2Kc2QdqVqx1bV2Bivndce/0Olb+Q/UwjW
+76gEpAi+/AHucboQC/waWffMsxZBvMeh+V2ItGwbAoIBAHk95/+mHbQmk83nsy+9
+5UUnMh7on3tDr98YN0zotuByLriW0XYfpaQAcbf+PYeoxebbP487w9ZWQcw4A+3Y
+eNZ/T2LjeuR7nmDZgRs359Pr/XIm7CRCayLpY/PN3ZguPTLCh0Wtjl/BUlPJaVBU
+2/SYu80TC5QdB1NuPxI6WSZH0a4/9zP6lfyYzf2VBPTYfcX6Py90aWN2T2HOzZOQ
+4/f2T/fWh5KivncH4JoUlZ2DNGtT/zH0ACJ1bDMxt/Ovn+E2uQJzxeeO/Rgvw2Td
+fX9a5+k0RHH6ahojBptyhINFICzG0z0g4gcMO4dd+4kaZQEdjsZrWf9L1A0c6bXU
+zYECggEBAIt+SqYWu/BYMMeWlmDUYN9rFzjwWC2reyT5Az4Og8OxKmnlkTNzncnP
+M/5g5bdDPf5fcrqfdOnJLpITYB7Cs4OoaPRhTZpbZBOmh3U7G1Rfbo9gywKfumES
+uE2GGi5cU9OvozzhqXYWb0rnO8n3Hzn4YRTboiLrrXyGBnJbFXPz0fdw6PkCWA7h
+MuRd3hHKeMqngHc6rzcumZbCVoD/eY0ZB4JDspYpJGobeVjf7riDYPU5ZhqV3jD6
+XMo6qpbPB4gnlJ8KcO8Oosp1I6Kap12LLXnaXqIXQ/HqejZLISGbweODT0gpSrwM
+wBV3ZDCMDsw/DG/8zGQvxjKrVqzFWyw=
+-----END PRIVATE KEY-----
diff --git a/__tests__/fixtures/certificates/server-ca-cert.pem b/__tests__/fixtures/certificates/server-ca-cert.pem
index f85c614fbe..7fbc831ba1 100644
--- a/__tests__/fixtures/certificates/server-ca-cert.pem
+++ b/__tests__/fixtures/certificates/server-ca-cert.pem
@@ -1,32 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIFgDCCA2gCCQC8rITAE36eyDANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24xEzARBgNVBAoMCkV4YW1w
-bGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMxCzAJBgNVBAMMAmNhMSAwHgYJKoZIhvcN
-AQkBFhFjZXJ0c0BleGFtcGxlLmNvbTAeFw0xNjExMDExMDU5MDRaFw00NDAzMTgx
-MDU5MDRaMIGBMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJv
-c3RvbjETMBEGA1UECgwKRXhhbXBsZSBDbzEQMA4GA1UECwwHdGVjaG9wczELMAkG
-A1UEAwwCY2ExIDAeBgkqhkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dlk+OKb+S14hj/EHVUMzGSAfTpc
-TJgAPxhaWChp4ICBspYX3OrIdQ4XXEzJYu0ZFIxhV0VD0XBB9XEdmyaJpgqJORFi
-MplDtIOAAsiHL64g7ZW8vKrVH/VWnCk5lt4CX+u7bUzhcGo11Esmvy/uAWDeStLI
-m+49esBbr3nL+oYMaGw3u2tgZgaalvozg4p+Tatl3J3TUgpt9fK5tpHwlGmXIOp0
-O6Lq3affXZzFivMm/jJVMGyV1/AowPCtXbhS1O8qQQKws4HZUx9Od34yzOpPCkQf
-Wl9YkZKd2OQ1MPTnpjiXluBEbhAPPHKq7P12B+wrlFP+4l9wNwqpTIxFR6j/iy+H
-9exO4yaU0QcaQFHOSPxVP3rl0KdEFq/oTkto23Y5nrEuwEZ9TVEdNaxiOElNy/qy
-cMUsFZA+4ne1Ly8FB44OY2hSE8P59jLFNP+A+XCTMK7doiJ5BT442+kxpIRQyfEl
-EwaRQm2oZzJvSU1G3EOYs/3hOzQzpCpaJuPT2zhis3wHzYtgVt2Q5EOaBQnbGi9/
-bV6881elI6+5jEahwq4zIlfYREmOm8wtDXkeajIIQrLMRG6d4YMm27F3ZCxL2tam
-LEuF6CtqoTEuxuJXM9zC7Rydiry7kszLkDJKvUmGgbrJ5qnmZBetZLoG3NivCWQN
-n2sJqcmOrRU4SfsCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAD8reWqvPTVuxQ3XY
-z5tOii37WDhVStUwXot6QaUCIouAIfwJDnyuOi4H8vgXzWcvwPvEXWRS7JJZn4Qa
-5DsuOo5UI60vvypZ3F0MrPQbWz3cwAzrVVCw138IfMUo2dLfW5tcc/2zIg31zStV
-7wREbMRX/xrqkyuOoe+1zvpk7oqaXff6aOluqtZh5Q0g7fANt7Lpb3TIJF1lHxkJ
-mKaPHUbSwxXjv42pliJlivPcjELRCwZDfNA8t6FftmhTo0ReRrUP6CyvZJjEg+2O
-8/bPstDs0bqE9KCYFQmroGvfwZj2DjiAm2P7DfiLmfjfojqgKFW8nw9ZgCyHFD8t
-OB7gqlB5PR11Y9IRzdV9RO98lmitVyHI+IPkoj/Dq7L08jXl4NspOml2kwlvXrcG
-k14IQz+Wy57UyD8C1ZS5MkHM9Pza4uvEmFND/SkN1rAJh+nl2ufZ6qSRzA39S6EC
-hi6D6yh7CRpPlpF5rtdzAJMjWS+/JXGBmzzdGHNAVKuhReIDDS5mIW60gJkCF+iM
-K+jdVGPOxiN5ODSJaIUJadVHe/QDmFUTYMtho9cdJU4NqtDwLLzLS2sPg9BKcazb
-3A2b2esl0TtJI5iGgRW+oDlXw86Z8A5RZPllBJYIuuFe9Ger7bjQj8F+lrHOjnE5
-z25jSi3bq2l8JLZnANwdm1O/TLQ=
+MIIF7TCCA9WgAwIBAgIJAOQ9IRk5pctqMA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
+VQQDDAJjYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0
+b24xEzARBgNVBAoMCkV4YW1wbGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMxIDAeBgkq
+hkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMB4XDTE5MDgwNjA3MTIxN1oXDTQ0
+MDczMDA3MTIxN1owgYExCzAJBgNVBAMMAmNhMQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCTUExDzANBgNVBAcMBkJvc3RvbjETMBEGA1UECgwKRXhhbXBsZSBDbzEQMA4G
+A1UECwwHdGVjaG9wczEgMB4GCSqGSIb3DQEJARYRY2VydHNAZXhhbXBsZS5jb20w
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDBFeT4bPZ8OGivNZQby7cI
+N1DYloyEJZjvBkE61Ewdq1i6bGQVrxL/JrWWvCVrSOALUpovFGIqeeHoYq5IHSTb
+jd/vkvrGBymsou6lJYJGqlbL3GCDbF93txPTvEwKYm/FbvFMu835DQgZEaXuB/iS
+RWKUOgjf48I5buLHVmJ+V6INoYlQgNdtM0tSTOefOwp46NEzOwlmNAsQURwOVgwX
+Aiqm8862hlB3y8zaV9xh3nvinMhTbTlWOBKuJD3us5OCmpY6KJVdOhgdmusFIHSD
+1Z1y0Wk1s1abZeChUYi/3MJgGL/sxgk2fscvRTukq24xqYixcs/F39TEYsOtNwO0
+qL934KY860BdBjXSwv2TMA7vLrMBfKiyYFV5Tg7VeiKMYuvAMiJ6pcycI2AuIoJx
+l9RcPrqKUATkjVbk5j9VowokW8bMpCMKqBAh8eAj93vEVbk56MQNyAQzi0ua2HIS
+a0TH+Z4cLXxVNQNDOg3u/uYzCJqVkkUy2ACuN+KY19/owCDEBmjHf3YEeNmu79nP
+8eMp1qDxGaHrB8Mbbs4u35oKcu3/osAAAv94C4rYM1GlvRavzMXaw/w6THXzAqLR
+HUk4TDySH59lprorRwi9O5MEseu/VR6kpVGFaqf8Uk3roO1PLcrLl7mIVEBMT+xr
+dsQZ2t5uPdRWl17CC3FPjQIDAQABo2YwZDAdBgNVHQ4EFgQUiv23fsFng48bIdox
+T5+R4ZyblCUwHwYDVR0jBBgwFoAUiv23fsFng48bIdoxT5+R4ZyblCUwDgYDVR0P
+AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwDQYJKoZIhvcNAQELBQADggIB
+AGyXNgSgEKTsP6khvdCIognjKBPxHloKRa1VjVDISsOTrhpnpzD8iK5fI7PLNTu4
+I57O90Ouo689np766iUIWTGDX3gHXLwPjvEtHFBOctfkDRD6vSk6jT74AWq5SM6R
+i+Us6iLcOoyJOXfpRA2RJ8mSmYpswmY16s3vNQtBQASDEgqd1+tuKUXdf1ijBUEI
+fua0tUBfmroEDphzi9SOyeo3KbXafjrgHnRRF/EZS86UuwI1OEYqfzqzZzU2aR+i
+zKdA+V5m/myfgiFHWnN8hT5TgJC3zjuLrfPE0oWF1xUJouMhDiKp0tWu6S4wyU0w
+cxtpCBPoeqjVr4eVyvmpFREPIW6fANUT21QDTu22gjorKoewoFlt62Q/SIiVe8Fd
+zMNLzJykHzP8W5E4p2lUFmuZ+cgU0ASsqTf21VfWuBYOLMCe/Z1mRw/egg7/ZlkB
+dbgbZVj0hkfh6zGybtAeCPVQ5g+eQ5AOJCaW30xs8zove9Ke6/Pc/QPQ/nU5KhJX
+/Vr4xnoOvgq+UM/CwhYgqMcqk04czBF1KHKPKPFv4i+XDZ++cckUq3PMvWHMg8Og
++9LT8+6nWhoz3C2khOeRXJn5JV0+NqrVFYSrk1Ck2Z1h6dVDhz25fyPV+9+hZlDL
+iG8MH0iCyXWz6kiZKW0s9LV7AW/PUPU/rZdS+P2HgS0E
 -----END CERTIFICATE-----
diff --git a/__tests__/fixtures/certificates/server-cert.pem b/__tests__/fixtures/certificates/server-cert.pem
index 48f07af5e7..5350c49748 100644
--- a/__tests__/fixtures/certificates/server-cert.pem
+++ b/__tests__/fixtures/certificates/server-cert.pem
@@ -1,32 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIFjDCCA3SgAwIBAgIJAJtFZrwaJuixMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
-VQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjETMBEGA1UECgwK
-RXhhbXBsZSBDbzEQMA4GA1UECwwHdGVjaG9wczELMAkGA1UEAwwCY2ExIDAeBgkq
-hkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMB4XDTE2MTEwMTExMDA1N1oXDTE5
-MDcyODExMDA1N1owgYgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UE
-BwwGQm9zdG9uMRMwEQYDVQQKDApFeGFtcGxlIENvMRAwDgYDVQQLDAd0ZWNob3Bz
-MRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEWNlcnRzQGV4YW1w
-bGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArZgHshixyZHR
-gO40abko3ZZNat/kbDjNyECw6JEIBKOnJtHYspyM70ERQEieTsFsI3+7shbQnSjH
-KFLcBO+afThjeqalFGBaZR/G5NeTMSmgT41EcBYHGSN1thG2u68SUatgpFNSiN7y
-B1Ok9ITTrteOxGdPBeqk55kCSWBWzCK0NTcM9Wd5uB8ENlL1707qJYtguJs3VgKC
-jwwKo6g7wosEVegJCUj5MxKXvLXD/s2sqzz9b3e6E/1HyjzI9DPbLuYrSbiqXocQ
-kz8OCXXftNs4C0G7viXqJLHgwNsGv2Adiofn60IVLvTGxXRrStJQRjnpLwqoaQPg
-dfLiCai5m4AXHzupeYM8GsRMNQdNNhQ/sw895DEdRctpHLl59OAOjxCzchCdmumQ
-5H56N/wQFed0nWG0Nd6s1LzYjumypderXEZEkzQbHb9TedpzfeoltGPzSNAv3Q9d
-TLlQ2F+uCUz6X717Chu2cPw3cLv14HAGVvd1kYq6YLA5z8r5JJqHzcVTROFhq3Md
-ymIDWwT/GKPAjCOZeiukqTg4RPbN1L5INNQsZhmPAzshLx71tj4sYxwv/wDRDb+c
-jYCNXBmjpoWXMO7TCqSbekS/KTRFpPNXvxuIKDT1zV/V4Su8YkW6k8e1168I58af
-sfJJkTpBdQPebVwsl3F3YQ2IUSedAoUCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEA
-p90peI0UMLbw26zVZ23FwEXg45vLrDaFRMF8PJmNOF+RhfyPwWlNb5q/Pl0QJGEt
-xhQksFqaubkZkk+AQ3DlRZOmiZ5qKjesJLKxHIMSpXDMo/DrQSbwa3gEaRQEICjJ
-ScDyjcNciogkc7zm3DPf0+Tk1vBYBYGlCfCBtkXMJqJCmLyvBQIt2q062n5JtQpf
-8IzbxdAhqleAkjZbX8ZStYALKVQHNy833J6FQk9afol2X3VoS74MjhGQnLm/5n6R
-BHR4mvULP4boe3fVdp/0pAMWTKlxXbh7a7gOxQau0QXNXM2YVUoDg+ARGVqjx0Pz
-DrvADc1HxMyC2wJ8i1d4jSuAJ9dPNiOKNeUHRPL5/XCv3K4cl8oOg0K0Mlhwmvbo
-pZG1TroCoDbO37wAhdMxLOoUILdzt/pF1CbCBBAaFQJDdRjlVhnBkz5JKYc/aP7L
-qbDzUH6v7dxykNuwRMgiNMIwRk2odOwtFkfV4x0AhcYtOnbKU/YbzJswJk5gwFhx
-sZnoTHewYoMzvGziRCkHYh4TEsWQnOLUju5yaz8XS6hdKM/bDiVx3NoK0Xk3LHjx
-a6oQRTtY+j1Kr2ngeT15yavVUtocRWkLoeWu37i20tgnOpjk55XdrHlK57saPJtv
-0U9dxcNZBv0QS3d7UHEEDw2tWxY5LkG0YIO/16ogCe4=
+MIIF6jCCA9KgAwIBAgIJAIUfwLpI3Mh7MA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
+VQQDDAJjYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0
+b24xEzARBgNVBAoMCkV4YW1wbGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMxIDAeBgkq
+hkiG9w0BCQEWEWNlcnRzQGV4YW1wbGUuY29tMB4XDTE5MDgwMTEyNDAwMFoXDTI0
+MDczMTEyNDAwMFowZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQH
+DAZCb3N0b24xEzARBgNVBAoMCkV4YW1wbGUgQ28xEDAOBgNVBAsMB3RlY2hvcHMx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBANOEdyffD9R/rWLDLB9y5EzdSgQxqPBFWAFDo34HduYinDwsctX/6AVJoMwh
+qxMNqkRTiALBbAyhQXOAWZb/rPFOLibytoeYWlxNpbtWvPBpkQqhs5WgJwMu3JxX
+QqgEZ6IkBlVO2uxATTk4FU+cixCArAjOBrQRsUOApAok9szpLfZOd9Ut9b6BoW2t
+rMwnCLaLbsvp290ExPF25gYdiv/mtPgMdhrI5VgIInob5M+CereQsn7uvQbTeiM3
+whXLjiPlqeZXETi9Y1HdjQeMcS8D8l2QedZwMMNhSa86hzICjnw0/rekgRQgmRtt
+nI7AZlLmtYtWxt0X95lv6PyHP1lgShUVGehtbm+f8vi2Cb5Qpk2ZvZP+kFLleeqw
+wf5/m/ZXx5wCe8JGj195NxXS0bJokow85IppMV1xJf5FsFWsEfftaKlK9b/QkQo+
+VeZ7yTRTTXIygsllKobQuuo3cvV2PDBt6EnXMWudlxNN6GRvi09tC4K2DB0442AY
+/qD3KF4MJFXqomcXBpVbhx6yaUCLHQ2O5mpCWf/7f/6urDRSJtnOub5L7btEp2YZ
+RCn8vRSzFhhaJ6yqjRJOJtu+2iERkcs39FK2uNcPOfYPI4pnGhEiBsXClhX7pknt
+Z0W7JoA2VPlE0ozT1GiKGjRPdDUICsNnX3+MI9WgxNWwq4VxAgMBAAGjfzB9MB0G
+A1UdDgQWBBQkUP4b4vFh23cWwFnt+8N6UxXsyTAfBgNVHSMEGDAWgBSK/bd+wWeD
+jxsh2jFPn5HhnJuUJTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAEWs
+61OBlPRofZao1x1qLKPmH1FVerazgAB24s/g3nbTfiJ47OSjtDu9YMtHjmQ0NKh5
+5O7Mm0r1yoNeU6qUWSM3NmhWeJCzJG6clFo1b1AtVECCeq3dAPdsILKiVX2KzjmH
+0Ek15joein0a2qdzcwclsx5B6MsWr77ciM6tIBtD/Lt6l9CNiblB6hThAy5Kgfyk
+lK6AXjdbq5IR0L0qZNDUunn2ewzU5TAEiR99GYa9BzZhAfM+RQhwZggQ/2ldfygk
+BYR9qMDlQlfs+5ZrIIvKTcuhgc7GcSq35p8Ack35UCGzJQR97BVSFflVksgK0bHE
+zmS22RBPjBkGO70X0SHpXCFlLZZ/qjdJL315tdD6q3Pdfpt0igEXwoeSZwt/7T9E
+2X/QfEv9BOzLmed8DR8WWcfGn2FR7H7fEuyRWc+z+PlsEFYdVVXTVGn0CNg8eolt
+gEbDalpJOUtnYSK1xPXBO7hK/TQFd10r5wm1u1x0k9/DsBGJeSNukdKbrxgwzODY
+fy09AL5oTzyYD8jPSF5QcqNh6qmO9MBsIUxSgv6Rxk3dUvhiqCpioMjUmnfoaan+
+GvmOCM3k0jAntU7Vky1Ew8ljtxMlN0E0Rf/Q3nccswlTWQLZFGFFcbuOMBff9R4Q
+YCvZpXOrf5hk1tJNShFmWykD5GHxBtsybbc1Zug8
 -----END CERTIFICATE-----
diff --git a/__tests__/fixtures/certificates/server-key.pem b/__tests__/fixtures/certificates/server-key.pem
index 68e82d7e57..53ceec103d 100644
--- a/__tests__/fixtures/certificates/server-key.pem
+++ b/__tests__/fixtures/certificates/server-key.pem
@@ -1,51 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEArZgHshixyZHRgO40abko3ZZNat/kbDjNyECw6JEIBKOnJtHY
-spyM70ERQEieTsFsI3+7shbQnSjHKFLcBO+afThjeqalFGBaZR/G5NeTMSmgT41E
-cBYHGSN1thG2u68SUatgpFNSiN7yB1Ok9ITTrteOxGdPBeqk55kCSWBWzCK0NTcM
-9Wd5uB8ENlL1707qJYtguJs3VgKCjwwKo6g7wosEVegJCUj5MxKXvLXD/s2sqzz9
-b3e6E/1HyjzI9DPbLuYrSbiqXocQkz8OCXXftNs4C0G7viXqJLHgwNsGv2Adiofn
-60IVLvTGxXRrStJQRjnpLwqoaQPgdfLiCai5m4AXHzupeYM8GsRMNQdNNhQ/sw89
-5DEdRctpHLl59OAOjxCzchCdmumQ5H56N/wQFed0nWG0Nd6s1LzYjumypderXEZE
-kzQbHb9TedpzfeoltGPzSNAv3Q9dTLlQ2F+uCUz6X717Chu2cPw3cLv14HAGVvd1
-kYq6YLA5z8r5JJqHzcVTROFhq3MdymIDWwT/GKPAjCOZeiukqTg4RPbN1L5INNQs
-ZhmPAzshLx71tj4sYxwv/wDRDb+cjYCNXBmjpoWXMO7TCqSbekS/KTRFpPNXvxuI
-KDT1zV/V4Su8YkW6k8e1168I58afsfJJkTpBdQPebVwsl3F3YQ2IUSedAoUCAwEA
-AQKCAgA3aPqz32wIcjIUXHSAdqjTqiFGBvdLkAonbHbLlVeg23gETSFFSfE2gWd3
-RHa7nsPcxO3tl5i5QYXomiI+tRhz9ebTBJRW37aa5ry+2QzTuXzBR89bk7xqSsZM
-+nSAjg5j4Tc03J/QrpFEw2842ZkUCxw4Ft3DfrVqc42mTEkIWd95yPuq7X+NxOC8
-UljMLT1SBJ437tuH6b8w1+AhgxaoL2WP4kPYIeHhaoLiqoZIM/B0rEAdL3NG5Cbh
-J+vg/xhsbO3OV1KSX7xrs8nQPT7N5NeLyEycElAdrGWYSZFqzsw/JshhcLOATIOS
-DWod9OnIsL181YMSGjmwjHmYKbIsqMpOk4GjIHLutVCgosofhnH8Yz+XCwlCobyj
-a98xuyXPI3i6wEk7vpe+8tPVsHR0iBP+wND/QV1xX+kOC5JK+4mStIy04j9RBrQO
-jAsDejta0V3v5YTVOwkb7Dh5867jjOyiuhrtjLOrJvnm/8AW2qyv4r2NqG23S1Lq
-Hx9akPQ08WYPB901MkqfxSZ03s/3ZfRT8VsmAra9JGSxlbtSnWWMsqly4AsZIPmj
-fp6/UY4X7I3G9dGXaOOCP2gfZjwW+AWbKQnrF0SUeAxvSSMyss8eQsEfJ49TkEgb
-zPjJpA9H7wWDNQT7iNFqymipsjEeoHD8lCnPTho84b6QIgIFYQKCAQEA3MExd6f2
-Rd3H85x/D1sgrDsVFj4+hpXFc/U2qgtQsEbURjGPEL9rmFdqKxBN1WLq29/vSPek
-Td7owmulRHJRv9N4o4tPGGU4IHzMhDie4YZQxhuuw5W2xQlsGlbJD/MbZVqodhf1
-TKFwvpvO5TN27qzkl078EgzWXBOZ7JUHyZiY4gNnPyFfZPSuq2oZeG8sNG417lTO
-eVEZtsRuwihuvPuA4BmGONgQq1T0H57nKPaT45NxjqdmhidGoAsLCViFirIvCO4T
-1eG3hTTCbDNc8khZJsowShDZJwRb0DLbDeo7pIhAsa8oQtH0kIxFsTUh5puf5qHS
-MkISHCayHSukrQKCAQEAyU9BN3c+XXFToc/cG7glh1P33iZA4ZU5TUrKVfAreFGM
-AMI0ifhlxu7I31qvRaXytWvLyZxe0uQ7+Ls7/1dHk3lJ+lQEt7bJdhksb6crFn1t
-0F/jugmv1Mr2eTTY9kMxaPxx8X632yVNpfhenyA4AbpvjkHFaBdc6gimppTYyHsf
-CUkUsSp9InDLuwai3Bvuqb9mc4tvy3pX8es0DRt2nXNMpw9qu5LYIJ8OMS4hshq7
-3Y37v8Ruvd7sTpUaluCiUZdrFdDxENZssoh9AqjUyUuYNJsXl7Jcpp5wmfqYyw79
-Mg27edR19OSE1WeIOUkDdvGB5uH4cC1BlF6ZnM24OQKCAQAJ0n7E+DA5A5k1+ayd
-nkxh3W8ewj499sQGWM7J2h8I+N3REbtv31SGPr12lQ8hg3k3t0sKUBp7bIOmwutj
-lEKW6m3fuP8X8skAiQ0AhRRsrHFDn0+zXCH5umWY9muTzhlV9SaxuncrpbNCh+Q4
-xoVwMTkqklUc6H1RM34RzL+/9I444DXj1TRNZaWv8tSXSzsISi8UH6ngM/+U5kCX
-Wv0yY25kij4yoUp8lRcXoRZf+Di0U4cl9cTWC0FVNaiUDeBDP5JgL1eqmJR11Nch
-wVdNYHK3CyAC66T922/KX7jncZidxYI7ZbPA5V6gX91p+Rc9D4eZ13Fm0xHDNuWN
-7rcxAoIBAGbpND7Fn8UnLQjYeP5WqiC/ZURUq/BmV6/SnxNFvwM4NOkiXrd1m5oR
-8fB0rItfZW8nVzuOy87lzF7AYNCM7tNOOupUz0CXme/cuKGvhNBveJcAnis5zoBq
-7YtS3+MswHKaMymwjQ7jyAkjqkOQtfD0PRktOFyZLO+bUo5wI06B2oDlskVLokLc
-BNpsbw803FI8vYQt8Q3FUnYiti5JLt8Y1UPGFtsjG4e5qAiuO52QGyAM+Hi1U6OO
-9aDKipg8593sGVtCwCnKZDD0o2uboYPyODIUYwAytziaYJfmyvtrgzZ2XLPQUCjM
-NbfewH4AfFvu5GiCdn3qNM9DeSX26MkCggEBAJwFnnn7C/bS5opGRRdK/IXPD0jn
-aquc6Xn8sxTd1imfVEHsFM+XkloQGF8kak9zyjqU/WN8sxvT7TgeOdpAT644GeWC
-QAYRIomD1WoLNPwmre3Ink0PWmPEW3H5pVsSSqQ1XjSA0bB/EvIDwP68xN56r2lR
-YtWWWzIEVjpdgo1SiLqzWVbYC3rleLXuHqGfS6xWV9BlkzDEzNUdQMnpgK9c+rkn
-kjc5VdYF4i2IjeRHRaje4JKHSUryXDvQIEwDGPSeoD57vCX5BPheRBGKn4b4kjxK
-CfFJiVvEwoJYQh51KXh2Q7FRSTLVqYwcujMJYH4cS/JqcKXKdEoxhDyQFWc=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDThHcn3w/Uf61i
+wywfcuRM3UoEMajwRVgBQ6N+B3bmIpw8LHLV/+gFSaDMIasTDapEU4gCwWwMoUFz
+gFmW/6zxTi4m8raHmFpcTaW7VrzwaZEKobOVoCcDLtycV0KoBGeiJAZVTtrsQE05
+OBVPnIsQgKwIzga0EbFDgKQKJPbM6S32TnfVLfW+gaFtrazMJwi2i27L6dvdBMTx
+duYGHYr/5rT4DHYayOVYCCJ6G+TPgnq3kLJ+7r0G03ojN8IVy44j5anmVxE4vWNR
+3Y0HjHEvA/JdkHnWcDDDYUmvOocyAo58NP63pIEUIJkbbZyOwGZS5rWLVsbdF/eZ
+b+j8hz9ZYEoVFRnobW5vn/L4tgm+UKZNmb2T/pBS5XnqsMH+f5v2V8ecAnvCRo9f
+eTcV0tGyaJKMPOSKaTFdcSX+RbBVrBH37WipSvW/0JEKPlXme8k0U01yMoLJZSqG
+0LrqN3L1djwwbehJ1zFrnZcTTehkb4tPbQuCtgwdOONgGP6g9yheDCRV6qJnFwaV
+W4cesmlAix0NjuZqQln/+3/+rqw0UibZzrm+S+27RKdmGUQp/L0UsxYYWiesqo0S
+TibbvtohEZHLN/RStrjXDzn2DyOKZxoRIgbFwpYV+6ZJ7WdFuyaANlT5RNKM09Ro
+iho0T3Q1CArDZ19/jCPVoMTVsKuFcQIDAQABAoICAECNX9QiRnGC2caXbALZDIXM
+z0cCZN2XPCl+nAnde1L24xmWMyHObOAYPWOvLses1vbtS0gUAcbE+/WlCTKFKyGl
+y34FeuFdBM7Av8Cx0w3IGgTVnroeW2mkRp3MH8KpPXuFZQ1p+HQ7l5XL4O0gCGzr
+6BTz06Xm9GN2ghm6eDvHOki+X+IGmcYfR8XySBcyHn2fhhvjbj9Asl5C/CaHo6E/
+pqFBJFY+U4gPS35avvT5jDwzg9YrRDMuHUtcO/Zs3h9kevqaPd5EJmiYpe7U1MIV
+gUU+z4A7UxZ9vYAl65a+ov+TKN2g7efXnwJ47FvAqjnIwUUaIazeIKmKNt/C4vj0
+yuDRj0pBicEe61d+8YzYgM4KtdCZm0+BO+yikx2tbbYviXYNcx8mBzxZ93DqDogT
+YqZZlgKF0/KubXkZVEKgBnEnqluufNcOy45yb1Ujy57FzaTxpe4Omtyk7r1y3VCI
+8Kq3rWyomiDViTBlmDz4Sb213EkxzoFeOAB1lQlejjF8zUUp11njKGCZKivcUlXp
+4ki9zEv8fYy/tiHtr7e6i8SC4J6Am2751rj6a1wAjpOVf7iiggdEUeIt4jbRmPNX
+94EdXFpytdQBj6Q/Y3MKP+nCnOrBzENk27tok101s7mgsktbMPEFh3fNykskaMD0
+RoI9gylGWTt3NW42QnYlAoIBAQDviESB7Vk/w1It/XnzEj/xcCdPZwQ5HC2TtOgT
+ZnTn2vlY6hO3YXP6zP2QzpAL1uq3WKQvyYgoAcMl3LBDRY6gZOJg5KsenzEzOG3S
+lAhB/A21OqH0SEox1UUtfCeJZnOFMPM9BMPm1pBLPAW4tD4XkseuxbAc3wbCbMHV
+b8wTSgWBnLuP+Qp+mm6uUIikJINHLhpz9GMUlTkS8EpTNBJ87BLdpD6JtFV4oEqq
+TxB2Sh/exS6hlvPe+/NxTcjKM2Q+Snqn+uSb6Jb5jZqarbJnFnnACkKPCzXkuixo
+mlLs6h6xnN4iPlt/YC5c12v0JZKS5tdCt4oMC2MjvzpbRHjXAoIBAQDiDyQCIVy5
+u0+B88ZU+zVJcbyFzkho02w703MWzRPOXR6q4WcuvLWScfwcqG5pfMTGbOpQTCt1
+NZYXUaftbzGikSDJDM0AAdtTbAZI1+1DbfewiaIVuFtUci4E1doe3Y3uat4PzPQg
+1C0gcBiX0ceLeqlO6xme7Ufb6AZQsk/iZvc3ARG+wj9D+1Cmzb8LuAu1t5jhqvS5
+jnDNxhf22GDG3MPck+aSs3UqYC4k7zTkK93uKrfM7vQg6TzeC8n2nNGgFUSl3jia
+RBaSREnAxiQ2F4hZfeI6OTaFpeG95sR733DIXWIqUZUEoYUZ185z9cbbzE3g+xFl
+fe+LlsJJOML3AoIBAQCkZA8wZGamPjS+X4I8cj/0QZaZBgh98XrOLpBAEEcXgM80
+WKHjbzyb2egEY9+0YHGCF5HHQjbxzhPSfl1yLeCu78311bojL/oiPw4QQYxRTN1T
+jcPs1VgmT0pE5zpzMB8EQA4PyJ9yY7twBueeVgVvREtLBV3S0rXe5ak6BJo4esrA
+o4KOUssDDJX9iEPe8zgtt9Rr1EPTsn4TI1q/M7OkjJh+COTquRsXyFq1+8E+jazF
+xOo1+FWyqZPwJQQy0YZwwcjgVG5lGgHTj32VvrP70A8K33/CkF0SdztXJuLWue8K
+0rAZLFa7WpU3Hpl2W/r2WvtNTI2vqnkF5Y31aU7NAoIBAQCW+/3U3muMMar85NDG
+2bHRiAGebRS3zt4vZx8rT3W3E0L0Zu//q1KqqS72BRkZo5fZ38zwLK+p7Ux97q/2
+SZohNkVrgv040ASpRzE7Xdy+eKhCZOq5DxUQ5eIOoLa6fsfZQc9nRkCX3J73V2dV
+n2tjoV2LtEK8f0bLfcEaDL6GPLdJKZGskximUyifADRlo1tO131o3EHv3U9CYNiI
+qiSZLcIzhSUvPmU3FF49lPcCnrnv5OA2JDMx+BYLSFxwNnVcMlhTYIT1pBxfPPT1
+qGFvL3CGNSnwMV5VDWIk8Aizo500dgqmsS6SlT7M7/KYSMO08lPhvE72NpLT7LF/
+LkYpAoIBAQCNqwFJCm4MWZbCzGBqjOxdEmp6vvmIl2S1UUIoWH3jBbkMR9R5HRma
+1fJp2IrCYCWhhwbYV7atSWf18uTEZ82gudRdefruu5PZBGPStMHN9Uq0pTmoDR6S
+KjHc6GWd/yX4rhQb7exQyjGZXVgP9NOibuCa5mH5Qw7a6hIwIniOZev8nCAuppT9
+LY888zW2vx2ggEpyQKqu8ZnUSwDP6MUHA9x9aCCFHc9wSs4lR4aFLyzqyv9Ek94c
+mASU+w6/0mi94qOgAvj8kYRbfilKtkSdN8LTw7Wj6RNcwwz6kxWh3bWduCyg/N0E
+sWNV9GzIArdm5GlK2XyWjl/dW9/UvzmQ
+-----END PRIVATE KEY-----
diff --git a/__tests__/fixtures/index/run-failing-script/package.json b/__tests__/fixtures/index/run-failing-script/package.json
new file mode 100644
index 0000000000..ced76150aa
--- /dev/null
+++ b/__tests__/fixtures/index/run-failing-script/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "test_run_failing_script",
+  "version": "1.0.0",
+  "license": "UNLICENSED",
+  "scripts": {
+    "custom-script": "echo \"Hi\" && exit 1"
+  }
+}
diff --git a/__tests__/fixtures/index/run-suggestion/package.json b/__tests__/fixtures/index/run-suggestion/package.json
new file mode 100644
index 0000000000..5757bb3b8c
--- /dev/null
+++ b/__tests__/fixtures/index/run-suggestion/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "test_suggestion",
+  "version": "1.0.0",
+  "license": "UNLICENSED",
+  "scripts": {
+    "foobar": "foobar"
+  }
+}
diff --git a/__tests__/fixtures/index/run-workspace/packages/workspace-child-1/package.json b/__tests__/fixtures/index/run-workspace/packages/workspace-child-1/package.json
index ad2acf109c..3bc59de531 100644
--- a/__tests__/fixtures/index/run-workspace/packages/workspace-child-1/package.json
+++ b/__tests__/fixtures/index/run-workspace/packages/workspace-child-1/package.json
@@ -5,6 +5,6 @@
     "prescript": "echo workspace-1 prescript",
     "script": "echo workspace-1 script",
     "postscript": "echo workspace-1 postscript",
-    "check": "echo $1"
+    "check": "echo ARGS:"
   }
 }
diff --git a/__tests__/fixtures/index/run-workspace/packages/workspace-child-2/package.json b/__tests__/fixtures/index/run-workspace/packages/workspace-child-2/package.json
index 9d5534e885..6fff5b5006 100644
--- a/__tests__/fixtures/index/run-workspace/packages/workspace-child-2/package.json
+++ b/__tests__/fixtures/index/run-workspace/packages/workspace-child-2/package.json
@@ -4,7 +4,8 @@
   "scripts": {
     "prescript": "echo workspace-2 prescript",
     "script": "echo workspace-2 script",
-    "postscript": "echo workspace-2 postscript"
+    "postscript": "echo workspace-2 postscript",
+    "check": "echo WORKSPACE-CHILD-2 ARGS:"
   },
   "dependencies": {
     "workspace-1": "1.0.0"
diff --git a/__tests__/fixtures/install/cache-folder-nm/node_modules/.cache/hello.txt b/__tests__/fixtures/install/cache-folder-nm/node_modules/.cache/hello.txt
new file mode 100644
index 0000000000..557db03de9
--- /dev/null
+++ b/__tests__/fixtures/install/cache-folder-nm/node_modules/.cache/hello.txt
@@ -0,0 +1 @@
+Hello World
diff --git a/__tests__/fixtures/install/cache-folder-nm/package.json b/__tests__/fixtures/install/cache-folder-nm/package.json
new file mode 100644
index 0000000000..7bd6acf1a9
--- /dev/null
+++ b/__tests__/fixtures/install/cache-folder-nm/package.json
@@ -0,0 +1,5 @@
+{
+    "dependencies": {
+        "feed": "0.3.0"
+    }
+}
diff --git a/__tests__/fixtures/install/cache-folder-nm/yarn.lock b/__tests__/fixtures/install/cache-folder-nm/yarn.lock
new file mode 100644
index 0000000000..4ab6c0f534
--- /dev/null
+++ b/__tests__/fixtures/install/cache-folder-nm/yarn.lock
@@ -0,0 +1,13 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+feed@0.3.0:
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/feed/-/feed-0.3.0.tgz#65bcc4c9c57fde8e277faf4afff80c2d1d90e82d"
+  dependencies:
+    xml ">= 0.0.5"
+
+"xml@>= 0.0.5":
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/xml/-/xml-1.0.1.tgz#78ba72020029c5bc87b8a81a3cfcd74b4a2fc1e5"
diff --git a/__tests__/fixtures/install/install-production/yarn.lock b/__tests__/fixtures/install/install-production/yarn.lock
index 83f2533fdc..0d7972c07f 100644
--- a/__tests__/fixtures/install/install-production/yarn.lock
+++ b/__tests__/fixtures/install/install-production/yarn.lock
@@ -5,7 +5,9 @@
 is-array@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/is-array/-/is-array-1.0.1.tgz#e9850cc2cc860c3bc0977e84ccf0dd464584279a"
+  integrity sha1-6YUMwsyGDDvAl36EzPDdRkWEJ5o=
 
 left-pad@^1.1.3:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.3.tgz#612f61c033f3a9e08e939f1caebeea41b6f3199a"
+  integrity sha1-YS9hwDPzqeCOk58crr7qQbbzGZo=
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha1/package.json b/__tests__/fixtures/install/install-update-auth-cached-sha1/package.json
new file mode 100644
index 0000000000..9de32f63f4
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-cached-sha1/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-cached-sha1",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha1/yarn.lock b/__tests__/fixtures/install/install-update-auth-cached-sha1/yarn.lock
new file mode 100644
index 0000000000..852a1f4378
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-cached-sha1/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha512/package.json b/__tests__/fixtures/install/install-update-auth-cached-sha512/package.json
new file mode 100644
index 0000000000..9de32f63f4
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-cached-sha512/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-cached-sha1",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-cached-sha512/yarn.lock b/__tests__/fixtures/install/install-update-auth-cached-sha512/yarn.lock
new file mode 100644
index 0000000000..923cd9ada0
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-cached-sha512/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg=="
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
new file mode 100644
index 0000000000..185b68ab60
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
@@ -0,0 +1,19 @@
+{
+  "manifest": {
+    "name": "safe-buffer",
+    "version": "5.1.1"
+  },
+  "artifacts": [],
+  "remote": {
+    "resolved": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#bad-hash",
+    "type": "tarball",
+    "reference": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz",
+    "hash": "bad-hash",
+    "integrity": "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=",
+    "registry": "npm",
+    "packageName": "safe-buffer",
+    "cacheIntegrity": "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
+  },
+  "registry": "npm",
+  "hash": "bad-hash"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
new file mode 100644
index 0000000000..c129437073
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "safe-buffer",
+  "version": "5.1.1"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/package.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/package.json
new file mode 100644
index 0000000000..8eede4b5ce
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-invalid-cache-integrity",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/yarn.lock b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/yarn.lock
new file mode 100644
index 0000000000..852a1f4378
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-hash/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
new file mode 100644
index 0000000000..4ccfbabb09
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
@@ -0,0 +1,19 @@
+{
+  "manifest": {
+    "name": "safe-buffer",
+    "version": "5.1.1"
+  },
+  "artifacts": [],
+  "remote": {
+    "resolved": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853",
+    "type": "tarball",
+    "reference": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz",
+    "hash": "893312af69b2123def71f57889001671eeb2c853",
+    "integrity": "sha1-bar",
+    "registry": "npm",
+    "packageName": "safe-buffer",
+    "cacheIntegrity": "sha512-foo sha1-bar"
+  },
+  "registry": "npm",
+  "hash": "893312af69b2123def71f57889001671eeb2c853"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
new file mode 100644
index 0000000000..c129437073
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "safe-buffer",
+  "version": "5.1.1"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/package.json b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/package.json
new file mode 100644
index 0000000000..8eede4b5ce
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-invalid-cache-integrity",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/yarn.lock b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/yarn.lock
new file mode 100644
index 0000000000..852a1f4378
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-invalid-cache-integrity/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
diff --git a/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/.yarn-metadata.json b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/.yarn-metadata.json
new file mode 100644
index 0000000000..463bded466
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/.yarn-metadata.json
@@ -0,0 +1,17 @@
+{
+  "manifest": {
+    "name": "safe-buffer",
+    "version": "5.1.1"
+  },
+  "remote": {
+    "resolved": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853",
+    "type": "tarball",
+    "reference": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz",
+    "hash": "893312af69b2123def71f57889001671eeb2c853",
+    "registry": "npm",
+    "packageName": "safe-buffer",
+    "cacheIntegrity": "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
+  },
+  "registry": "npm",
+  "hash": "893312af69b2123def71f57889001671eeb2c853"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/package.json b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/package.json
new file mode 100644
index 0000000000..c129437073
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853/node_modules/safe-buffer/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "safe-buffer",
+  "version": "5.1.1"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/package.json b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/package.json
new file mode 100644
index 0000000000..308b3bb6df
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "install-update-auth-no-integrity-field",
+  "version": "1.0.0",
+  "main": "index.js",
+  "license": "MIT",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/yarn.lock b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/yarn.lock
new file mode 100644
index 0000000000..2cb9827a12
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-no-integrity-field-with-cache/yarn.lock
@@ -0,0 +1,7 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/package.json b/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/package.json
new file mode 100644
index 0000000000..baea96337e
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-sha512",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/yarn.lock b/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/yarn.lock
new file mode 100644
index 0000000000..b852d6c68a
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha1-safebuffer/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
new file mode 100644
index 0000000000..631b0f084a
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
@@ -0,0 +1,19 @@
+{
+  "manifest": {
+    "name": "safe-buffer",
+    "version": "5.1.1"
+  },
+  "artifacts": [],
+  "remote": {
+    "resolved": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853",
+    "type": "tarball",
+    "reference": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz",
+    "hash": "893312af69b2123def71f57889001671eeb2c853",
+    "integrity": "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=",
+    "registry": "npm",
+    "packageName": "safe-buffer",
+    "cacheIntegrity": "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
+  },
+  "registry": "npm",
+  "hash": "893312af69b2123def71f57889001671eeb2c853"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
new file mode 100644
index 0000000000..c129437073
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "safe-buffer",
+  "version": "5.1.1"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-with-cache/package.json b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/package.json
new file mode 100644
index 0000000000..baea96337e
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-sha512",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha1-with-cache/yarn.lock b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/yarn.lock
new file mode 100644
index 0000000000..b852d6c68a
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha1-with-cache/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=
diff --git a/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock b/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock
index 9772bdb613..c53270e9c0 100644
--- a/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock
+++ b/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock
@@ -4,7 +4,7 @@
 
 abab@^1.0.4:
   version "1.0.4"
-  resolved "https://registry.yarnpkg.com/abab/-/abab-1.0.4.tgz#foo"
+  resolved "https://registry.yarnpkg.com/abab/-/abab-1.0.4.tgz#5faad9c2c07f60dd76770f71cf025b62a63cfd4e"
   integrity sha1-X6rZwsB/YN12dw9xzwJbYqY8/U4=
 
 leftpad@^0.0.1:
diff --git a/__tests__/fixtures/install/install-update-auth-sha512-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
new file mode 100644
index 0000000000..631b0f084a
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json
@@ -0,0 +1,19 @@
+{
+  "manifest": {
+    "name": "safe-buffer",
+    "version": "5.1.1"
+  },
+  "artifacts": [],
+  "remote": {
+    "resolved": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853",
+    "type": "tarball",
+    "reference": "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz",
+    "hash": "893312af69b2123def71f57889001671eeb2c853",
+    "integrity": "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=",
+    "registry": "npm",
+    "packageName": "safe-buffer",
+    "cacheIntegrity": "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg== sha1-iTMSr2myEj3vcfV4iQAWce6yyFM="
+  },
+  "registry": "npm",
+  "hash": "893312af69b2123def71f57889001671eeb2c853"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha512-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
new file mode 100644
index 0000000000..c129437073
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "safe-buffer",
+  "version": "5.1.1"
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha512-with-cache/package.json b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/package.json
new file mode 100644
index 0000000000..baea96337e
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "install-update-auth-sha512",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "safe-buffer": "^5.1.1"
+  }
+}
diff --git a/__tests__/fixtures/install/install-update-auth-sha512-with-cache/yarn.lock b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/yarn.lock
new file mode 100644
index 0000000000..ab73b927de
--- /dev/null
+++ b/__tests__/fixtures/install/install-update-auth-sha512-with-cache/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+safe-buffer@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
+  integrity sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg==
diff --git a/__tests__/fixtures/install/invalid-checksum-good-integrity/package.json b/__tests__/fixtures/install/invalid-checksum-good-integrity/package.json
new file mode 100644
index 0000000000..8c928771a0
--- /dev/null
+++ b/__tests__/fixtures/install/invalid-checksum-good-integrity/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "badpkg",
+  "version": "1.0.0",
+  "description": "A bad package",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "UNLICENSED",
+  "dependencies": {
+    "express": "4.11.1"
+  }
+}
diff --git a/__tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock b/__tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock
new file mode 100644
index 0000000000..5c2f89fa3b
--- /dev/null
+++ b/__tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock
@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+express@4.11.1:
+  version "4.11.1"
+  resolved "https://registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz#36d04dd27aa1667634e987529767f9c99de7903f"
+  integrity sha1-5XycPpdtVw+X8ik1bKXW7hPv01g=
diff --git a/__tests__/fixtures/install/workspaces-install-conflict-without-symlink/arrify/package.json b/__tests__/fixtures/install/workspaces-install-conflict-without-symlink/arrify/package.json
new file mode 100644
index 0000000000..6bd08c8c85
--- /dev/null
+++ b/__tests__/fixtures/install/workspaces-install-conflict-without-symlink/arrify/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "arrify",
+  "version": "2.0.0",
+  "dependencies": {
+    "isarray": "2.0.0"
+  }
+}
diff --git a/__tests__/fixtures/install/workspaces-install-conflict-without-symlink/package.json b/__tests__/fixtures/install/workspaces-install-conflict-without-symlink/package.json
new file mode 100644
index 0000000000..01b65e9fa7
--- /dev/null
+++ b/__tests__/fixtures/install/workspaces-install-conflict-without-symlink/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "my-project",
+  "private": true,
+  "dependencies": {
+    "arrify": "1.0.0",
+    "isarray": "1.0.0"
+  },
+  "workspaces": [
+    "arrify"
+  ]
+}
diff --git a/__tests__/fixtures/normalize-manifest/dangerous bin name/actual.json b/__tests__/fixtures/normalize-manifest/dangerous bin name/actual.json
new file mode 100644
index 0000000000..2b429e5e9f
--- /dev/null
+++ b/__tests__/fixtures/normalize-manifest/dangerous bin name/actual.json	
@@ -0,0 +1,13 @@
+{
+  "name": "foo",
+  "version": "",
+  "bin": {
+    ".": "main.js",
+    "..": "main.js",
+    "/tmp/foo": "main.js",
+    "../tmp/foo": "main.js",
+    "tmp/../../foo": "main.js",
+    "build:cli": "main.js",
+    "build.cli": "main.js"
+  }
+}
diff --git a/__tests__/fixtures/normalize-manifest/dangerous bin name/expected.json b/__tests__/fixtures/normalize-manifest/dangerous bin name/expected.json
new file mode 100644
index 0000000000..b7f6cf75df
--- /dev/null
+++ b/__tests__/fixtures/normalize-manifest/dangerous bin name/expected.json	
@@ -0,0 +1,7 @@
+{
+  "name": "foo",
+  "version": "",
+  "bin": {
+    "build.cli": "main.js"
+  }
+}
diff --git a/__tests__/fixtures/normalize-manifest/dangerous bin values/actual.json b/__tests__/fixtures/normalize-manifest/dangerous bin values/actual.json
new file mode 100644
index 0000000000..a8e335abb3
--- /dev/null
+++ b/__tests__/fixtures/normalize-manifest/dangerous bin values/actual.json	
@@ -0,0 +1,9 @@
+{
+    "name": "foo",
+    "version": "",
+    "bin": {
+        "foo": "../../../../../foo",
+        "bar": "/hello/world",
+        "baz": "./foo/bar/../../../../../../foo"
+    }
+}
diff --git a/__tests__/fixtures/normalize-manifest/dangerous bin values/expected.json b/__tests__/fixtures/normalize-manifest/dangerous bin values/expected.json
new file mode 100644
index 0000000000..80ce110c76
--- /dev/null
+++ b/__tests__/fixtures/normalize-manifest/dangerous bin values/expected.json	
@@ -0,0 +1,5 @@
+{
+    "name": "foo",
+    "version": "",
+    "bin": {}
+}
diff --git a/__tests__/fixtures/normalize-manifest/empty bin string/expected.json b/__tests__/fixtures/normalize-manifest/empty bin string/expected.json
index 7c894d5fd8..15a2224ef8 100644
--- a/__tests__/fixtures/normalize-manifest/empty bin string/expected.json	
+++ b/__tests__/fixtures/normalize-manifest/empty bin string/expected.json	
@@ -1,5 +1,4 @@
 {
   "name": "foo",
-  "version": "",
-  "bin": ""
+  "version": ""
 }
diff --git a/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin b/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin
new file mode 100644
index 0000000000..11580057f6
--- /dev/null
+++ b/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin
@@ -0,0 +1,62 @@
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 29 Dec 2019 14:24:54 GMT
+Content-Type: text/plain; charset=utf-8
+Content-Length: 1181
+Cache-Control: max-age=3600, public
+Content-Disposition: inline
+Etag: W/"78309fbf8af4479c47eca65b0c5e3f51"
+Referrer-Policy: strict-origin-when-cross-origin
+Set-Cookie: experimentation_subject_id=IjJjZjk1MWRjLWUzMDgtNDc3ZC05MTlkLTA0MGU5MWFjY2VlOCI%3D--64f51f0ae3455ebf84d41c0a0a6723703e719689; domain=.gitlab.com; path=/; expires=Thu, 29 Dec 2039 14:24:54 -0000; secure; HttpOnly
+X-Content-Type-Options: nosniff
+X-Download-Options: noopen
+X-Frame-Options: DENY
+X-Permitted-Cross-Domain-Policies: none
+X-Request-Id: xcIbPa5i6G2
+X-Runtime: 0.056763
+X-Ua-Compatible: IE=edge
+X-Xss-Protection: 1; mode=block
+Strict-Transport-Security: max-age=31536000
+Referrer-Policy: strict-origin-when-cross-origin
+GitLab-LB: fe-07-lb-gprd
+GitLab-SV: web-28-sv-gprd
+
+{
+  "name": "kanban",
+  "version": "0.0.1",
+  "repository": "gitlab.com/leanlabsio/kanban",
+  "scripts": {
+      "install": "npm install",
+      "build": "grunt build",
+      "watch": "grunt watch"
+  },
+  "devDependencies": {
+    "grunt": "~0.4.1",
+    "grunt-cli": "~0.1.13",
+    "grunt-contrib-copy": "^0.5.0",
+    "grunt-contrib-concat": "~0.5.0",
+    "grunt-contrib-watch": "~0.5.3",
+    "grunt-contrib-uglify": "~0.7.0",
+    "grunt-sass": "1.0.0",
+    "grunt-contrib-connect": "~0.8.0",
+    "grunt-connect-proxy": "~0.1.11"
+  },
+  "dependencies": {
+    "angular": "=1.5.6",
+    "angular-lodash": "https://github.com/EMSSConsulting/angular-lodash.git#68a726c",
+    "foundation-sites": "5.5.2",
+    "angular-foundation": "https://github.com/pineconellc/angular-foundation.git#8f3f260",
+    "angular-loading-bar": "=0.5.2",
+    "angular-storage": "=0.0.6",
+    "angular-ui-router": "=0.3.0",
+    "angularjs-datepicker": "=0.2.15",
+    "font-awesome": "=4.6.3",
+    "markdown-it": "=5.0.2",
+    "markdown-it-emoji": "=1.1.0",
+    "ng-sortable": "=1.3.6",
+    "sass-flex-mixin": "=1.0.3",
+    "lodash": "=4.13.1",
+    "twemoji": "=2.1.0",
+    "angular-file-upload": "=2.3.4"
+  }
+}
diff --git a/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/f139bd887dea8e48c46fd7fcfe42b5ffc53d79dd/package.json.bin b/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/f139bd887dea8e48c46fd7fcfe42b5ffc53d79dd/package.json.bin
new file mode 100644
index 0000000000..e0be38d90e
--- /dev/null
+++ b/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/f139bd887dea8e48c46fd7fcfe42b5ffc53d79dd/package.json.bin
@@ -0,0 +1,56 @@
+HTTP/1.1 200 OK
+Server: nginx
+Date: Wed, 27 Mar 2019 12:51:12 GMT
+Content-Type: text/plain; charset=utf-8
+Content-Length: 1181
+Cache-Control: max-age=3600, public
+Content-Disposition: inline
+Etag: W/"78309fbf8af4479c47eca65b0c5e3f51"
+X-Content-Type-Options: nosniff
+X-Frame-Options: DENY
+X-Request-Id: kTsEGIR9zSa
+X-Runtime: 0.099649
+X-Ua-Compatible: IE=edge
+X-Xss-Protection: 1; mode=block
+Strict-Transport-Security: max-age=31536000
+Content-Security-Policy: object-src 'none'; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://*.codesandbox.io; frame-ancestors 'self'; connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net
+
+{
+  "name": "kanban",
+  "version": "0.0.1",
+  "repository": "gitlab.com/leanlabsio/kanban",
+  "scripts": {
+      "install": "npm install",
+      "build": "grunt build",
+      "watch": "grunt watch"
+  },
+  "devDependencies": {
+    "grunt": "~0.4.1",
+    "grunt-cli": "~0.1.13",
+    "grunt-contrib-copy": "^0.5.0",
+    "grunt-contrib-concat": "~0.5.0",
+    "grunt-contrib-watch": "~0.5.3",
+    "grunt-contrib-uglify": "~0.7.0",
+    "grunt-sass": "1.0.0",
+    "grunt-contrib-connect": "~0.8.0",
+    "grunt-connect-proxy": "~0.1.11"
+  },
+  "dependencies": {
+    "angular": "=1.5.6",
+    "angular-lodash": "https://github.com/EMSSConsulting/angular-lodash.git#68a726c",
+    "foundation-sites": "5.5.2",
+    "angular-foundation": "https://github.com/pineconellc/angular-foundation.git#8f3f260",
+    "angular-loading-bar": "=0.5.2",
+    "angular-storage": "=0.0.6",
+    "angular-ui-router": "=0.3.0",
+    "angularjs-datepicker": "=0.2.15",
+    "font-awesome": "=4.6.3",
+    "markdown-it": "=5.0.2",
+    "markdown-it-emoji": "=1.1.0",
+    "ng-sortable": "=1.3.6",
+    "sass-flex-mixin": "=1.0.3",
+    "lodash": "=4.13.1",
+    "twemoji": "=2.1.0",
+    "angular-file-upload": "=2.3.4"
+  }
+}
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/arrify/-/arrify-1.0.0.tgz.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/arrify/-/arrify-1.0.0.tgz.bin
new file mode 100644
index 0000000000..2f5b1d63b4
Binary files /dev/null and b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/arrify/-/arrify-1.0.0.tgz.bin differ
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin
new file mode 100644
index 0000000000..73976105f8
--- /dev/null
+++ b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin
@@ -0,0 +1,18 @@
+HTTP/1.1 200 OK
+Date: Wed, 27 Mar 2019 12:49:49 GMT
+Content-Type: application/vnd.npm.install-v1+json
+Content-Length: 4072
+Connection: keep-alive
+Set-Cookie: __cfduid=d2e7739722b1e2621b032ee7a09984edd1553690988; expires=Thu, 26-Mar-20 12:49:48 GMT; path=/; domain=.registry.yarnpkg.com; HttpOnly
+CF-Cache-Status: REVALIDATED
+Cache-Control: max-age=300
+CF-Ray: 4be17c86d97f56c3-IAD
+Accept-Ranges: bytes
+ETag: "49fffc656197ace1f624570132931c23"
+Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
+Last-Modified: Thu, 01 Nov 2018 01:11:09 GMT
+Vary: accept-encoding, accept
+x-amz-meta-rev: 3-72d30e72712ca5e8a55f6613d7a30236
+Server: cloudflare
+
+{"versions":{"1.0.0":{"name":"is-pnp","version":"1.0.0","bin":{"is-pnp":"./bin.js"},"_hasShrinkwrap":false,"directories":{},"dist":{"shasum":"47d3d7151df242eb7ca4768fc2e7f6228871899a","integrity":"sha512-Lx0Sh5h20HtLz+xnlh4NRhQ6w231tGN4yuU3oBi6vn7oSbiIk2V4sqoIn00bczm9ojwkFPzzFUeSOIKEgYpszA==","tarball":"https://registry.npmjs.org/is-pnp/-/is-pnp-1.0.0.tgz","fileCount":5,"unpackedSize":2268,"npm-signature":"-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJb2lGmCRA9TVsSAnZWagAARHYP/1botUA//2RoqJEP3nHB\nnQ0G1qhSYL685aLgZTWJW9pS3ucPzxxeofbnByOsbSjUqycwsHBqL/DDeYsq\nz3b0dmfcfESK+CSafYECSnj8kPJH5N5VU2UXs+A+wLEM0D0nSe4wfJLVptA0\nrOpeYrkfwX8ZC1EGLGvQM4cMqpk3Ji6RBZHtD0U/ttYR3A0vP5P76oO2/tBl\n3QSK3nJSpU83OkMBPVY3hnDrGkCjJqwvcqWoWUG0/BtHS5KYD99yrxFAzT5f\nMhtqCZiediDcGtrMhP5b0VAkqdrwFPg/tZPpgqYCevR+2ipWhkxhD0Z4yyx1\n2AuJnEoQKRiBiFPIv5aiJZD9Jj00iey4tdQ1NcXnRtAA16Lo0t4MX/OnkyJW\nBfcSd795mVpe4AO9u6bqMDZfkQrBRunxa7OKKCEXUGihm0YNtTWKat5ym1ia\n9H9Bwlgm3GoFAuHQMu07ZEwidLpWoQfjrTUOufw+/rKNSIRoMNuL3Z/8i4Hj\nazYRMgdzb9rkf6+F7LLJKnyZaDY/bS/KIb61LdkfkX8JCcKUfhVAd5KIvI4e\nAwLAUfHwWM2u2smbexFzvgvXnNFmVrcCGBbMcIrQ+JfiJ+izFVJ7YyLY+Fpt\nwxbV0Vug6gyYDyDtjFCdeL2wFmgR3+nASXWFY4CZ+ZoFX+ontSZ4U5b9PTIs\n1ojq\r\n=DAoM\r\n-----END PGP SIGNATURE-----\r\n"},"engines":{"node":">=6"}},"1.0.1":{"name":"is-pnp","version":"1.0.1","bin":{"is-pnp":"./sources/cli.js"},"_hasShrinkwrap":false,"directories":{},"dist":{"shasum":"ec0e4e443287214ce90bcb6fcd112d20de51f120","integrity":"sha512-uwFQ9SabYoNJwZnDqHUs+WTPvegmoLHjVQqkX4+MiKSjhRBRk+n/zKBAex4yvWnzbN352W7FUuYX8L5yEVmiVA==","tarball":"https://registry.npmjs.org/is-pnp/-/is-pnp-1.0.1.tgz","fileCount":5,"unpackedSize":2276,"npm-signature":"-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJb2lJICRA9TVsSAnZWagAAX2IP/jE0+3aAdO7cu9DXNJnb\njoi3rDo8CRfARhWbJRhUj7omDxeP37U3dIIkK69AL8XZSPPUQ8o2uH1AOjZB\niI8cp0IX4bgalRXzEWPj3v8l3z6/BwJoUXy7N5ugdxron+AYj4kS4I1jI6Pa\nUo3z096sc8zAgXFE00RiKwUBGNw+4xpg0yVri/vXpezsahi8r4qZbrc9/hr3\nWzoIK6GwQnGpn5FEhdiuPbB0QiZvalYHn5v2IWtMpQG4ed6jM/vSBAqKqkFv\n95McUD13wz7iJ59BaJHwbypD/WFWz34ZBPZ8QpONk6UAJ2IZwh6J2Wj44k7a\nNtiEj3xo3A5stikfELI//H0AruTI6sSI++EJ8YvHQUj73s6kG0Z/FzPptgKp\nKYLSqXNAC/zHiId1s7uj+jsCLXIm4G2bPQUTsDMfejDS6TfjAVO2COxRF34q\ncLGzYFL1/R+/hO4ckoLl7vz6Vm/zSlMaxZPDUFDy8d0ScxHZOL+760cdIhjT\nr1XGyXAmyjGLWTHvA6sE5X0H0PgghQErsLYXi679KBdnZjN2+Xcmv0pNIqbg\nwS7SBjV+KGpc1PnwtZdfvZcegvY+252zsBvRye9/hcQ0Rdmetbod8XicA3Bw\nuTLC2N9opHeTI7a9bKrACXkSApJftjzYSfnycb27r9bgIAY6BeNhr7JFEMKV\nnxUD\r\n=8Blc\r\n-----END PGP SIGNATURE-----\r\n"},"engines":{"node":">=6"}},"1.0.2":{"name":"is-pnp","version":"1.0.2","bin":{"is-pnp":"./sources/cli.js"},"_hasShrinkwrap":false,"directories":{},"dist":{"shasum":"cbe5d6ad751897822fd92539ac5cfa37c04f3852","integrity":"sha512-BzoewUq0EZFJYKlYpObv2xRdTRJQXwMLbk2Y5l8Dhl0EQGPhdPrSdBlQaAT46gIKjAkNBNScDiUDbuBCTDNCsQ==","tarball":"https://registry.npmjs.org/is-pnp/-/is-pnp-1.0.2.tgz","fileCount":5,"unpackedSize":2282,"npm-signature":"-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJb2lKpCRA9TVsSAnZWagAAkFcP+QHfioEIu01ww57y/Jnw\neOtM4JPvx0hDMKxMBKSyvVHmjZKwqxvkAnqdyybHts7i6auvuuMKDO43oaRO\n5GY5i/u29arwBKnPgeVrC6TUnbVxiSP4KBtfzRs3YCXbQ0MfSPmXiH4nzzi/\ngWeNGutgCAbefJjB0eahVCUgO7DL+sM8kEt2iNSDM1gKUDSVq5yvsZD20tX+\n/60eLG4xtz/2zXDKjoqo+DZtvW9kdLJ6TlvbDU1mt1OBSzkTiakIe1XXymVT\n+gRC0QGKGMP+YJG+VothHez/JAagl/92c/JDsb54HkW/OkUKCHFyUAw0P3h1\n46p0vEr54rHa7wT6O0fKg7q+MN1mMOKR3wO258LQW20n+DQJK1hxcJOkk+xf\n6iOa2d6Ywox9yT9B/V555BEZ2fYbnNb4gw+oo3/YyJcZ1Ooadt5kvEyDb67+\ntOaOMBXZh7/FR8EghwBBqlOndWCD4OQYVXVCwIdf/PFyUtB1+Obd4/1H+Dkw\nmg01pi7jYHG8mKLIMNdjggWi966nJ3fZqBDLW0eRtFzCbe+8VSOPKGRSHHnI\n99SD9oY/dgmimcakZ3hInuGlMGf0UrSLjHwi24y0ae1O0AlnQz0bXU0qHAH2\nH/Npr3zjOcAULwvHqtu2l1mNv/PX8GtafyybiMaXBcERearcUN/48tbvcbFX\nZmBP\r\n=z5fE\r\n-----END PGP SIGNATURE-----\r\n"},"engines":{"node":">=6"}}},"name":"is-pnp","dist-tags":{"latest":"1.0.2"},"modified":"2018-11-01T01:11:07.975Z"}
\ No newline at end of file
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp/-/is-pnp-1.0.2.tgz.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp/-/is-pnp-1.0.2.tgz.bin
new file mode 100644
index 0000000000..980bdfcbec
Binary files /dev/null and b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp/-/is-pnp-1.0.2.tgz.bin differ
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/isarray/-/isarray-2.0.0.tgz.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/isarray/-/isarray-2.0.0.tgz.bin
new file mode 100644
index 0000000000..55b2d8eec0
Binary files /dev/null and b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/isarray/-/isarray-2.0.0.tgz.bin differ
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz.bin
new file mode 100644
index 0000000000..4c3db35535
Binary files /dev/null and b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz.bin differ
diff --git a/__tests__/fixtures/run/nohoist-workspace/package.json b/__tests__/fixtures/run/nohoist-workspace/package.json
new file mode 100644
index 0000000000..c4ac3364a3
--- /dev/null
+++ b/__tests__/fixtures/run/nohoist-workspace/package.json
@@ -0,0 +1,5 @@
+{
+  "workspaces": [
+    "packages/*"
+  ]
+}
diff --git a/__tests__/fixtures/run/workspace/packages/pkg1/node_modules/.bin/cat-names b/__tests__/fixtures/run/nohoist-workspace/packages/pkg1/node_modules/.bin/cat-names
similarity index 100%
rename from __tests__/fixtures/run/workspace/packages/pkg1/node_modules/.bin/cat-names
rename to __tests__/fixtures/run/nohoist-workspace/packages/pkg1/node_modules/.bin/cat-names
diff --git a/__tests__/fixtures/run/nohoist-workspace/packages/pkg1/package.json b/__tests__/fixtures/run/nohoist-workspace/packages/pkg1/package.json
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/__tests__/fixtures/run/nohoist-workspace/packages/pkg1/package.json
@@ -0,0 +1 @@
+{}
diff --git a/__tests__/fixtures/version/no-args-no-git-tags/.yarnrc b/__tests__/fixtures/version/no-args-no-git-tags/.yarnrc
new file mode 100644
index 0000000000..5cb9a09b64
--- /dev/null
+++ b/__tests__/fixtures/version/no-args-no-git-tags/.yarnrc
@@ -0,0 +1 @@
+version-git-tag false
diff --git a/__tests__/fixtures/version/no-args-no-git-tags/package.json b/__tests__/fixtures/version/no-args-no-git-tags/package.json
new file mode 100644
index 0000000000..c8c699e438
--- /dev/null
+++ b/__tests__/fixtures/version/no-args-no-git-tags/package.json
@@ -0,0 +1,9 @@
+{
+  "version": "1.0.0",
+  "license": "BSD-2-Clause",
+  "scripts": {
+    "preversion": "echo preversion",
+    "version": "echo version",
+    "postversion": "echo postversion"
+  }
+}
diff --git a/__tests__/index.js b/__tests__/index.js
index 80345e9569..425e8acb76 100644
--- a/__tests__/index.js
+++ b/__tests__/index.js
@@ -49,9 +49,9 @@ async function execCommand(
         cwd: workingDir,
         env: cleanedEnv,
       },
-      (error, stdout) => {
+      (error, stdout, stderr) => {
         if (error) {
-          reject(Object.assign((new Error(error.message): any), {stdout}));
+          reject(Object.assign((new Error(error.message): any), {stdout, stderr}));
         } else {
           const stdoutLines = stdout
             .toString()
@@ -171,6 +171,15 @@ test.concurrent('should run custom script without run command', async () => {
   expectRunOutput(stdout);
 });
 
+test.concurrent('should run without extra output for failing sub commands', async () => {
+  try {
+    await execCommand('run', ['--silent', 'custom-script'], 'run-failing-script');
+    throw new Error('the command did not fail');
+  } catch (err) {
+    expect(err.stderr).toBe('');
+  }
+});
+
 test.concurrent('should run help command', async () => {
   const stdout = await execCommand('help', [], 'run-help');
   expectHelpOutput(stdout);
@@ -291,6 +300,10 @@ test.concurrent('should throws missing command for unknown command', async () =>
   await expectAnErrorMessage(execCommand('unknown', [], 'run-add', true), 'Command "unknown" not found');
 });
 
+test.concurrent('should suggest options for other commands when missing a command', async () => {
+  await expectAnErrorMessage(execCommand('foobarx', [], 'run-suggestion', true), 'Did you mean "foobar"?');
+});
+
 test.concurrent('should not display documentation link for unknown command', async () => {
   await expectAnInfoMessageAfterError(execCommand('unknown', [], 'run-add', true), '');
 });
@@ -342,6 +355,39 @@ test.concurrent('should run help for camelised command', async () => {
 // but actual flags on the command line are passed.
 test.concurrent('should not pass yarnrc flags to workspace command', async () => {
   const stdout = await execCommand('workspace', ['workspace-1', 'run', 'check', '--x'], 'run-workspace', true);
-  const params = stdout.find(x => x && x.indexOf('--x') >= 0);
+  const params = stdout.find(x => x && x.indexOf('ARGS:') === 0);
   expect(params).not.toMatch(/emoji/);
 });
+
+// regression test for #7776
+test.concurrent('should pass args to workspace command without need for "--"', async () => {
+  const stdout = await execCommand('workspace', ['workspace-1', 'run', 'check', '--x', 'y'], 'run-workspace', true);
+  const params = stdout.find(x => x && x.indexOf('ARGS:') === 0);
+  expect(params).toEqual('ARGS: --x y');
+});
+
+// regression test for #7776
+test.concurrent('should pass args after "--" to workspace command', async () => {
+  const stdout = await execCommand(
+    'workspace',
+    ['workspace-1', 'run', 'check', '--', 'x', '-y'],
+    'run-workspace',
+    true,
+  );
+  const params = stdout.find(x => x && x.indexOf('ARGS:') === 0);
+  expect(params).toEqual('ARGS: x -y');
+});
+
+// regression test for #7776
+test.concurrent('should pass args to workspaces command without need for "--"', async () => {
+  const stdout = await execCommand('workspaces', ['run', 'check', '--x', 'y'], 'run-workspace', true);
+  const params = stdout.find(x => x && x.indexOf('ARGS:') === 0);
+  expect(params).toEqual('ARGS: --x y');
+});
+
+// regression test for #7776
+test.concurrent('should pass args after "--" to workspaces command', async () => {
+  const stdout = await execCommand('workspaces', ['run', 'check', '--', 'x', '-y'], 'run-workspace', true);
+  const params = stdout.find(x => x && x.indexOf('ARGS:') === 0);
+  expect(params).toEqual('ARGS: x -y');
+});
diff --git a/__tests__/integration.js b/__tests__/integration.js
index 4a57493ba1..eda727e896 100644
--- a/__tests__/integration.js
+++ b/__tests__/integration.js
@@ -83,6 +83,7 @@ const getRandomPort = () => Math.floor(Math.random() * PORT_RANGE) + MIN_PORT_NU
 async function runYarn(args: Array<string> = [], options: Object = {}): Promise<Array<Buffer>> {
   if (!options['env']) {
     options['env'] = {...process.env};
+    options['env']['YARN_SILENT'] = 0;
     options['extendEnv'] = false;
   }
   options['env']['FORCE_COLOR'] = 0;
@@ -559,3 +560,36 @@ test('yarn init -y', async () => {
   const manifestFile = await fs.readFile(path.join(cwd, 'package.json'));
   expect(manifestFile).toEqual(initialManifestFile);
 });
+
+test('--modules-folder option', async () => {
+  /**
+   * The behavior of --modules-folder (and other folder options) was that it resolved relative not to the current
+   * working directory, but instead to the closest project root (folder containing a package.json file).
+   *
+   * This behavior was at best surprising and could result in data loss. This test captures a scenario in which
+   * there would previously have been data loss, demonstrating the fix for --modules-folder and other folder options.
+   *
+   */
+  const projectFolder = await makeTemp();
+  const libraryFolder = path.join(projectFolder, 'lib');
+
+  const initialManifestFile = JSON.stringify({name: 'test', license: 'ISC', version: '1.0.0'});
+  const importantData = 'I definitely care about this file!';
+
+  await fs.writeFile(`${projectFolder}/package.json`, initialManifestFile);
+  await fs.writeFile(`${projectFolder}/IMPORTANT_FILE.txt`, importantData);
+  await fs.mkdirp(libraryFolder);
+
+  const options = {cwd: libraryFolder};
+
+  // This yarn command fails with the previous behavior, the rest of the test is defense in depth
+  await runYarn(['add', 'left-pad', '--modules-folder', '.'], options);
+
+  // Dependencies should have been installed in the 'lib' folder
+  const libraryFolderContents = await fs.readdir(`${libraryFolder}`);
+  expect(libraryFolderContents).toContain('left-pad');
+
+  // Additionally, there should have not been any data loss in the project folder
+  const importantFile = await fs.readFile(`${projectFolder}/IMPORTANT_FILE.txt`);
+  expect(importantFile).toBe(importantData);
+});
diff --git a/__tests__/package-resolver.js b/__tests__/package-resolver.js
index 269c1b614d..3c0ff6c485 100644
--- a/__tests__/package-resolver.js
+++ b/__tests__/package-resolver.js
@@ -14,7 +14,7 @@ jasmine.DEFAULT_TIMEOUT_INTERVAL = 90000;
 const path = require('path');
 
 // regexp which verifies that the cache path contains a path component ending with semver + hash
-const cachePathRe = /-\d+\.\d+\.\d+-[\dabcdef]{40}[\\\/]/;
+const cachePathRe = /-\d+\.\d+\.\d+-[\dabcdef]{40}(?:-integrity)?[\\\/]/;
 
 async function createEnv(configOptions): Object {
   const lockfile = new Lockfile();
diff --git a/__tests__/registries/npm-registry.js b/__tests__/registries/npm-registry.js
index b5177b7719..54ade142a0 100644
--- a/__tests__/registries/npm-registry.js
+++ b/__tests__/registries/npm-registry.js
@@ -781,6 +781,30 @@ describe('getRequestUrl functional test', () => {
 
     expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz');
   });
+
+  for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, `registry.npmjs.com`]) {
+    test(`enforces loading packages through https when they come from ${host}`, () => {
+      const testCwd = '.';
+      const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
+      const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
+      const registry = `http://${host}/registry`;
+      const pathname = 'foo/bar/baz';
+
+      expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(`https://${host}/registry/foo/bar/baz`);
+    });
+  }
+
+  test("doesn't change the protocol for packages from other registries", () => {
+    const testCwd = '.';
+    const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
+    const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
+    const registry = 'http://registry.mylittlepony.org/registry';
+    const pathname = 'foo/bar/baz';
+
+    expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(
+      'http://registry.mylittlepony.org/registry/foo/bar/baz',
+    );
+  });
 });
 
 describe('getScope functional test', () => {
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index c625c8a030..01d9333f35 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -8,10 +8,15 @@ jobs:
 
   strategy:
     matrix:
-      node_8_x:
-        node_version: 8.x
+# Azure is currently timeouting a lot on Win / Node 8
+#      node_8_x:
+#        node_version: 8.x
       node_10_x:
         node_version: 10.x
+      node_12_x:
+        node_version: 12.x
+      node_13_x:
+        node_version: 13.x
 
   steps:
   - template: scripts/azure-run-tests.yml
@@ -29,6 +34,10 @@ jobs:
         node_version: 8.x
       node_10_x:
         node_version: 10.x
+      node_12_x:
+        node_version: 12.x
+      node_13_x:
+        node_version: 13.x
 
   steps:
   - template: scripts/azure-run-tests.yml
@@ -46,6 +55,10 @@ jobs:
         node_version: 8.x
       node_10_x:
         node_version: 10.x
+      node_12_x:
+        node_version: 12.x
+      node_13_x:
+        node_version: 13.x
 
   steps:
-  - template: scripts/azure-run-tests.yml
\ No newline at end of file
+  - template: scripts/azure-run-tests.yml
diff --git a/package.json b/package.json
index c88e3f7102..0d43423675 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "yarn",
   "installationMethod": "unknown",
-  "version": "1.18.0-0",
+  "version": "1.22.0",
   "license": "BSD-2-Clause",
   "preferGlobal": true,
   "description": "📦🐈 Fast, reliable, and secure dependency management.",
diff --git a/src/cli/commands/create.js b/src/cli/commands/create.js
index cdbcc0ad8c..49b81ac5f7 100644
--- a/src/cli/commands/create.js
+++ b/src/cli/commands/create.js
@@ -5,6 +5,7 @@ import {MessageError} from '../../errors.js';
 import type {Reporter} from '../../reporters/index.js';
 import * as child from '../../util/child.js';
 import {makeEnv} from '../../util/execute-lifecycle-script';
+import * as fs from '../../util/fs.js';
 import {run as runGlobal, getBinFolder} from './global.js';
 
 const path = require('path');
@@ -58,7 +59,13 @@ export async function run(config: Config, reporter: Reporter, flags: Object, arg
   }
 
   const {fullName: packageName, name: commandName} = coerceCreatePackageName(builderName);
-  await runGlobal(config, reporter, {}, ['add', packageName]);
+
+  const linkLoc = path.join(config.linkFolder, commandName);
+  if (await fs.exists(linkLoc)) {
+    reporter.info(reporter.lang('linkUsing', packageName));
+  } else {
+    await runGlobal(config, reporter, {}, ['add', packageName]);
+  }
 
   const binFolder = await getBinFolder(config, {});
   const command = path.resolve(binFolder, commandName);
diff --git a/src/cli/commands/init.js b/src/cli/commands/init.js
index 4a52bcc97b..0576ba0942 100644
--- a/src/cli/commands/init.js
+++ b/src/cli/commands/init.js
@@ -8,6 +8,7 @@ import GitHubResolver from '../../resolvers/exotics/github-resolver.js';
 import * as child from '../../util/child.js';
 import * as fs from '../../util/fs.js';
 import * as validate from '../../util/normalize-manifest/validate.js';
+import {NODE_BIN_PATH} from '../../constants';
 
 const objectPath = require('object-path');
 const path = require('path');
@@ -17,6 +18,8 @@ export function setFlags(commander: Object) {
   commander.description('Interactively creates or updates a package.json file.');
   commander.option('-y, --yes', 'use default options');
   commander.option('-p, --private', 'use default options and private true');
+  commander.option('-i, --install <value>', 'install a specific Yarn release');
+  commander.option('-2', 'generates the project using Yarn 2');
 }
 
 export function hasWrapper(commander: Object, args: Array<string>): boolean {
@@ -26,6 +29,28 @@ export function hasWrapper(commander: Object, args: Array<string>): boolean {
 export const shouldRunInCurrentCwd = true;
 
 export async function run(config: Config, reporter: Reporter, flags: Object, args: Array<string>): Promise<void> {
+  const installVersion = flags[`2`] ? `berry` : flags.install;
+
+  if (installVersion) {
+    const lockfilePath = path.resolve(config.cwd, 'yarn.lock');
+    if (!await fs.exists(lockfilePath)) {
+      await fs.writeFile(lockfilePath, '');
+    }
+    await child.spawn(NODE_BIN_PATH, [process.argv[1], 'policies', 'set-version', installVersion], {
+      stdio: 'inherit',
+      cwd: config.cwd,
+    });
+    await child.spawn(
+      NODE_BIN_PATH,
+      [process.argv[1], 'init', ...(flags.yes ? ['-y'] : []), ...(flags.private ? ['-p'] : [])],
+      {
+        stdio: 'inherit',
+        cwd: config.cwd,
+      },
+    );
+    return;
+  }
+
   const manifests = await config.getRootManifests();
 
   let repository = {};
diff --git a/src/cli/commands/install.js b/src/cli/commands/install.js
index af3f64f56a..bbe044fc35 100644
--- a/src/cli/commands/install.js
+++ b/src/cli/commands/install.js
@@ -560,6 +560,11 @@ export class Install {
       this.reporter.warn(this.reporter.lang('npmLockfileWarning'));
     }
 
+    if (this.config.plugnplayEnabled) {
+      this.reporter.info(this.reporter.lang('plugnplaySuggestV2L1'));
+      this.reporter.info(this.reporter.lang('plugnplaySuggestV2L2'));
+    }
+
     let flattenedTopLevelPatterns: Array<string> = [];
     const steps: Array<(curr: number, total: number) => Promise<{bailout: boolean} | void>> = [];
     const {
diff --git a/src/cli/commands/list.js b/src/cli/commands/list.js
index b9b5a8a0ef..b64936e7e7 100644
--- a/src/cli/commands/list.js
+++ b/src/cli/commands/list.js
@@ -152,7 +152,7 @@ export async function buildTree(
 }
 
 export function getParent(key: string, treesByKey: Object): Object {
-  const parentKey = key.split('#').slice(0, -1).join('#');
+  const parentKey = key.slice(0, key.lastIndexOf('#'));
   return treesByKey[parentKey];
 }
 
diff --git a/src/cli/commands/login.js b/src/cli/commands/login.js
index dd55cd1a67..1c0e2dbf60 100644
--- a/src/cli/commands/login.js
+++ b/src/cli/commands/login.js
@@ -120,6 +120,7 @@ export async function getToken(
       reporter.success(reporter.lang('revokedToken'));
       await config.registries.npm.request(`-/user/token/${token}`, {
         method: 'DELETE',
+        registry,
       });
     };
   } else {
diff --git a/src/cli/commands/policies.js b/src/cli/commands/policies.js
index 298bafba3f..037121caf2 100644
--- a/src/cli/commands/policies.js
+++ b/src/cli/commands/policies.js
@@ -3,7 +3,7 @@
 import type {Reporter} from '../../reporters/index.js';
 import type Config from '../../config.js';
 import buildSubCommands from './_build-sub-commands.js';
-import {getRcConfigForCwd} from '../../rc.js';
+import {getRcConfigForFolder} from '../../rc.js';
 import * as fs from '../../util/fs.js';
 import {stringify} from '../../lockfile';
 
@@ -114,6 +114,7 @@ const {run, setFlags, examples} = buildSubCommands('policies', {
 
     let bundleUrl;
     let bundleVersion;
+    let isV2 = false;
 
     if (range === 'nightly' || range === 'nightlies') {
       bundleUrl = 'https://nightly.yarnpkg.com/latest.js';
@@ -121,10 +122,18 @@ const {run, setFlags, examples} = buildSubCommands('policies', {
     } else if (range === 'berry' || range === 'v2' || range === '2') {
       bundleUrl = 'https://github.com/yarnpkg/berry/raw/master/packages/berry-cli/bin/berry.js';
       bundleVersion = 'berry';
+      isV2 = true;
     } else {
-      const releases = await fetchReleases(config, {
-        includePrereleases: allowRc,
-      });
+      let releases = [];
+
+      try {
+        releases = await fetchReleases(config, {
+          includePrereleases: allowRc,
+        });
+      } catch (e) {
+        reporter.error(e.message);
+        return;
+      }
 
       const release = releases.find(release => {
         // $FlowFixMe
@@ -145,7 +154,6 @@ const {run, setFlags, examples} = buildSubCommands('policies', {
     reporter.log(`Downloading ${chalk.green(bundleUrl)}...`);
 
     const bundle = await fetchBundle(config, bundleUrl);
-    const rc = getRcConfigForCwd(config.lockfileFolder, []);
 
     const yarnPath = path.resolve(config.lockfileFolder, `.yarn/releases/yarn-${bundleVersion}.js`);
     reporter.log(`Saving it into ${chalk.magenta(yarnPath)}...`);
@@ -153,10 +161,22 @@ const {run, setFlags, examples} = buildSubCommands('policies', {
     await fs.writeFile(yarnPath, bundle);
     await fs.chmod(yarnPath, 0o755);
 
-    const rcPath = `${config.lockfileFolder}/.yarnrc`;
-    reporter.log(`Updating ${chalk.magenta(rcPath)}...`);
-    rc['yarn-path'] = path.relative(config.lockfileFolder, yarnPath);
-    await fs.writeFilePreservingEol(rcPath, `${stringify(rc)}\n`);
+    const targetPath = path.relative(config.lockfileFolder, yarnPath).replace(/\\/g, '/');
+
+    if (isV2) {
+      const rcPath = `${config.lockfileFolder}/.yarnrc.yml`;
+      reporter.log(`Updating ${chalk.magenta(rcPath)}...`);
+
+      await fs.writeFilePreservingEol(rcPath, `yarnPath: ${JSON.stringify(yarnPath)}\n`);
+    } else {
+      const rcPath = `${config.lockfileFolder}/.yarnrc`;
+      reporter.log(`Updating ${chalk.magenta(rcPath)}...`);
+
+      const rc = getRcConfigForFolder(config.lockfileFolder);
+      rc['yarn-path'] = targetPath;
+
+      await fs.writeFilePreservingEol(rcPath, `${stringify(rc)}\n`);
+    }
 
     reporter.log(`Done!`);
   },
diff --git a/src/cli/commands/run.js b/src/cli/commands/run.js
index 47451f5c6b..f0dfbf455d 100644
--- a/src/cli/commands/run.js
+++ b/src/cli/commands/run.js
@@ -4,6 +4,7 @@ import type {Reporter} from '../../reporters/index.js';
 import type Config from '../../config.js';
 import {execCommand, makeEnv} from '../../util/execute-lifecycle-script.js';
 import {dynamicRequire} from '../../util/dynamic-require.js';
+import {callThroughHook} from '../../util/hooks.js';
 import {MessageError} from '../../errors.js';
 import {checkOne as checkCompatibility} from '../../package-compatibility.js';
 import * as fs from '../../util/fs.js';
@@ -30,6 +31,7 @@ export async function getBinEntries(config: Config): Promise<Map<string, string>
 
   // Setup the node_modules/.bin folders for analysis
   for (const registryFolder of config.registryFolders) {
+    binFolders.add(path.resolve(config.cwd, registryFolder, '.bin'));
     binFolders.add(path.resolve(config.lockfileFolder, registryFolder, '.bin'));
   }
 
@@ -91,9 +93,11 @@ export async function run(config: Config, reporter: Reporter, flags: Object, arg
     }
   }
 
-  async function runCommand(args): Promise<void> {
-    const action = args.shift();
+  function runCommand([action, ...args]): Promise<void> {
+    return callThroughHook('runScript', () => realRunCommand(action, args), {action, args});
+  }
 
+  async function realRunCommand(action, args): Promise<void> {
     // build up list of commands
     const cmds = [];
 
@@ -145,7 +149,7 @@ export async function run(config: Config, reporter: Reporter, flags: Object, arg
     } else {
       let suggestion;
 
-      for (const commandName in scripts) {
+      for (const commandName of scripts.keys()) {
         const steps = leven(commandName, action);
         if (steps < 2) {
           suggestion = commandName;
diff --git a/src/cli/commands/version.js b/src/cli/commands/version.js
index eb77c696de..f7ade77bf7 100644
--- a/src/cli/commands/version.js
+++ b/src/cli/commands/version.js
@@ -170,44 +170,41 @@ export async function setVersion(
 
   await runLifecycle('version');
 
-  // check if committing the new version to git is overriden
-  if (!flags.gitTagVersion || !config.getOption('version-git-tag')) {
-    // Don't tag the version in Git
-    return () => Promise.resolve();
-  }
-
   return async function(): Promise<void> {
     invariant(newVersion, 'expected version');
 
-    // add git commit and tag
-    let isGit = false;
-    const parts = config.cwd.split(path.sep);
-    while (parts.length) {
-      isGit = await fs.exists(path.join(parts.join(path.sep), '.git'));
-      if (isGit) {
-        break;
-      } else {
-        parts.pop();
+    // check if a new git tag should be created
+    if (flags.gitTagVersion && config.getOption('version-git-tag')) {
+      // add git commit and tag
+      let isGit = false;
+      const parts = config.cwd.split(path.sep);
+      while (parts.length) {
+        isGit = await fs.exists(path.join(parts.join(path.sep), '.git'));
+        if (isGit) {
+          break;
+        } else {
+          parts.pop();
+        }
       }
-    }
 
-    if (isGit) {
-      const message = (flags.message || String(config.getOption('version-git-message'))).replace(/%s/g, newVersion);
-      const sign: boolean = Boolean(config.getOption('version-sign-git-tag'));
-      const flag = sign ? '-sm' : '-am';
-      const prefix: string = String(config.getOption('version-tag-prefix'));
-      const args: Array<string> = ['commit', '-m', message, ...(isCommitHooksDisabled() ? ['-n'] : [])];
+      if (isGit) {
+        const message = (flags.message || String(config.getOption('version-git-message'))).replace(/%s/g, newVersion);
+        const sign: boolean = Boolean(config.getOption('version-sign-git-tag'));
+        const flag = sign ? '-sm' : '-am';
+        const prefix: string = String(config.getOption('version-tag-prefix'));
+        const args: Array<string> = ['commit', '-m', message, ...(isCommitHooksDisabled() ? ['-n'] : [])];
 
-      const gitRoot = (await spawnGit(['rev-parse', '--show-toplevel'], {cwd: config.cwd})).trim();
+        const gitRoot = (await spawnGit(['rev-parse', '--show-toplevel'], {cwd: config.cwd})).trim();
 
-      // add manifest
-      await spawnGit(['add', path.relative(gitRoot, pkgLoc)], {cwd: gitRoot});
+        // add manifest
+        await spawnGit(['add', path.relative(gitRoot, pkgLoc)], {cwd: gitRoot});
 
-      // create git commit
-      await spawnGit(args, {cwd: gitRoot});
+        // create git commit
+        await spawnGit(args, {cwd: gitRoot});
 
-      // create git tag
-      await spawnGit(['tag', `${prefix}${newVersion}`, flag, message], {cwd: gitRoot});
+        // create git tag
+        await spawnGit(['tag', `${prefix}${newVersion}`, flag, message], {cwd: gitRoot});
+      }
     }
 
     await runLifecycle('postversion');
diff --git a/src/cli/commands/workspace.js b/src/cli/commands/workspace.js
index f6708cd8d5..4be65c6ed1 100644
--- a/src/cli/commands/workspace.js
+++ b/src/cli/commands/workspace.js
@@ -21,11 +21,11 @@ export async function run(config: Config, reporter: Reporter, flags: Object, arg
     throw new MessageError(reporter.lang('workspaceRootNotFound', config.cwd));
   }
 
-  if (flags.originalArgs < 1) {
+  if (args.length < 1) {
     throw new MessageError(reporter.lang('workspaceMissingWorkspace'));
   }
 
-  if (flags.originalArgs < 2) {
+  if (args.length < 2) {
     throw new MessageError(reporter.lang('workspaceMissingCommand'));
   }
 
@@ -33,7 +33,7 @@ export async function run(config: Config, reporter: Reporter, flags: Object, arg
   invariant(manifest && manifest.workspaces, 'We must find a manifest with a "workspaces" property');
 
   const workspaces = await config.resolveWorkspaces(workspaceRootFolder, manifest);
-  const [workspaceName, ...rest] = flags.originalArgs || [];
+  const [workspaceName, ...rest] = args || [];
 
   if (!Object.prototype.hasOwnProperty.call(workspaces, workspaceName)) {
     throw new MessageError(reporter.lang('workspaceUnknownWorkspace', workspaceName));
diff --git a/src/cli/commands/workspaces.js b/src/cli/commands/workspaces.js
index 616cffe041..e95e45f180 100644
--- a/src/cli/commands/workspaces.js
+++ b/src/cli/commands/workspaces.js
@@ -10,6 +10,7 @@ import {NODE_BIN_PATH, YARN_BIN_PATH} from '../../constants';
 
 const invariant = require('invariant');
 const path = require('path');
+const os = require('os');
 const semver = require('semver');
 
 export function hasWrapper(commander: Object, args: Array<string>): boolean {
@@ -75,12 +76,10 @@ export async function runScript(config: Config, reporter: Reporter, flags: Objec
   const workspaces = await config.resolveWorkspaces(workspaceRootFolder, manifest);
 
   try {
-    const [_, ...rest] = flags.originalArgs || [];
-
     for (const workspaceName of Object.keys(workspaces)) {
       const {loc} = workspaces[workspaceName];
-
-      await child.spawn(NODE_BIN_PATH, [YARN_BIN_PATH, ...rest], {
+      reporter.log(`${os.EOL}> ${workspaceName}`);
+      await child.spawn(NODE_BIN_PATH, [YARN_BIN_PATH, 'run', ...args], {
         stdio: 'inherit',
         cwd: loc,
       });
diff --git a/src/cli/index.js b/src/cli/index.js
index ad3b7961f8..5a66fc03a4 100644
--- a/src/cli/index.js
+++ b/src/cli/index.js
@@ -187,7 +187,11 @@ export async function main({
     commandName = 'install';
     isKnownCommand = true;
   }
-
+  if (commandName === ('set': string) && args[0] === 'version') {
+    commandName = ('policies': string);
+    args.splice(0, 1, 'set-version');
+    isKnownCommand = true;
+  }
   if (!isKnownCommand) {
     // if command is not recognized, then set default to `run`
     args.unshift(commandName);
@@ -198,15 +202,20 @@ export async function main({
   let warnAboutRunDashDash = false;
   // we are using "yarn <script> -abc", "yarn run <script> -abc", or "yarn node -abc", we want -abc
   // to be script options, not yarn options
-  const PROXY_COMMANDS = new Set([`run`, `create`, `node`]);
-  if (PROXY_COMMANDS.has(commandName)) {
+
+  // PROXY_COMMANDS is a map of command name to the number of preservedArgs
+  const PROXY_COMMANDS = {
+    run: 1, // yarn run {command}
+    create: 1, // yarn create {project}
+    node: 0, // yarn node
+    workspaces: 1, // yarn workspaces {command}
+    workspace: 2, // yarn workspace {package} {command}
+  };
+  if (PROXY_COMMANDS.hasOwnProperty(commandName)) {
     if (endArgs.length === 0) {
-      let preservedArgs = 0;
-      // the "run" and "create" command take one argument that we want to parse as usual (the
-      // script/package name), hence the splice(1)
-      if (command === commands.run || command === commands.create) {
-        preservedArgs += 1;
-      }
+      // $FlowFixMe doesn't like that PROXY_COMMANDS doesn't have keys for all commands.
+      let preservedArgs = PROXY_COMMANDS[commandName];
+
       // If the --into option immediately follows the command (or the script name in the "run/create"
       // case), we parse them as regular options so that we can cd into them
       if (args[preservedArgs] === `--into`) {
@@ -218,7 +227,6 @@ export async function main({
     }
   }
 
-  commander.originalArgs = args;
   args = [...preCommandArgs, ...args];
 
   command.setFlags(commander);
@@ -509,21 +517,26 @@ export async function main({
 
   const cwd = command.shouldRunInCurrentCwd ? commander.cwd : findProjectRoot(commander.cwd);
 
+  const folderOptionKeys = ['linkFolder', 'globalFolder', 'preferredCacheFolder', 'cacheFolder', 'modulesFolder'];
+
+  // Resolve all folder options relative to cwd
+  const resolvedFolderOptions = {};
+  folderOptionKeys.forEach(folderOptionKey => {
+    const folderOption = commander[folderOptionKey];
+    const resolvedFolderOption = folderOption ? path.resolve(commander.cwd, folderOption) : folderOption;
+    resolvedFolderOptions[folderOptionKey] = resolvedFolderOption;
+  });
+
   await config
     .init({
       cwd,
       commandName,
-
+      ...resolvedFolderOptions,
       enablePnp: commander.pnp,
       disablePnp: commander.disablePnp,
       enableDefaultRc: commander.defaultRc,
       extraneousYarnrcFiles: commander.useYarnrc,
       binLinks: commander.binLinks,
-      modulesFolder: commander.modulesFolder,
-      linkFolder: commander.linkFolder,
-      globalFolder: commander.globalFolder,
-      preferredCacheFolder: commander.preferredCacheFolder,
-      cacheFolder: commander.cacheFolder,
       preferOffline: commander.preferOffline,
       captureHar: commander.har,
       ignorePlatform: commander.ignorePlatform,
@@ -585,6 +598,10 @@ export async function main({
     .catch((err: Error) => {
       reporter.verbose(err.stack);
 
+      if (err instanceof ProcessTermError && reporter.isSilent) {
+        return exit(err.EXIT_CODE || 1);
+      }
+
       if (err instanceof MessageError) {
         reporter.error(err.message);
       } else {
@@ -613,7 +630,11 @@ async function start(): Promise<void> {
     let exitCode = 0;
 
     try {
-      exitCode = await spawnp(yarnPath, argv, opts);
+      if (yarnPath.endsWith(`.js`)) {
+        exitCode = await spawnp(process.execPath, [yarnPath, ...argv], opts);
+      } else {
+        exitCode = await spawnp(yarnPath, argv, opts);
+      }
     } catch (firstError) {
       try {
         exitCode = await forkp(yarnPath, argv, opts);
diff --git a/src/config.js b/src/config.js
index 2fdf5ff162..caf3d247af 100644
--- a/src/config.js
+++ b/src/config.js
@@ -17,6 +17,7 @@ import {registries, registryNames} from './registries/index.js';
 import {NoopReporter} from './reporters/index.js';
 import map from './util/map.js';
 
+const crypto = require('crypto');
 const detectIndent = require('detect-indent');
 const invariant = require('invariant');
 const path = require('path');
@@ -520,6 +521,10 @@ export default class Config {
       slug += `-${hash}`;
     }
 
+    if (pkg.remote.integrity) {
+      slug += `-integrity`;
+    }
+
     return slug;
   }
 
diff --git a/src/constants.js b/src/constants.js
index cb4f587288..863033a701 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -28,7 +28,7 @@ export const YARN_INSTALLER_MSI = 'https://yarnpkg.com/latest.msi';
 export const SELF_UPDATE_VERSION_URL = 'https://yarnpkg.com/latest-version';
 
 // cache version, bump whenever we make backwards incompatible changes
-export const CACHE_VERSION = 4;
+export const CACHE_VERSION = 6;
 
 // lockfile version, bump whenever we make backwards incompatible changes
 export const LOCKFILE_VERSION = 1;
diff --git a/src/fetchers/git-fetcher.js b/src/fetchers/git-fetcher.js
index 284d594384..8939d06d41 100644
--- a/src/fetchers/git-fetcher.js
+++ b/src/fetchers/git-fetcher.js
@@ -164,6 +164,7 @@ export default class GitFetcher extends BaseFetcher {
           binLinks: true,
           cwd: prepareDirectory,
           disablePrepublish: true,
+          production: false,
         },
         this.reporter,
       ),
diff --git a/src/fetchers/tarball-fetcher.js b/src/fetchers/tarball-fetcher.js
index b3d76c8bba..c06cc1101e 100644
--- a/src/fetchers/tarball-fetcher.js
+++ b/src/fetchers/tarball-fetcher.js
@@ -18,7 +18,7 @@ const gunzip = require('gunzip-maybe');
 const invariant = require('invariant');
 const ssri = require('ssri');
 
-const RE_URL_NAME_MATCH = /\/(?:(@[^/]+)\/)?[^/]+\/(?:-|_attachments)\/(?:@[^/]+\/)?([^/]+)$/;
+const RE_URL_NAME_MATCH = /\/(?:(@[^/]+)(?:\/|%2f))?[^/]+\/(?:-|_attachments)\/(?:@[^/]+\/)?([^/]+)$/;
 
 const isHashAlgorithmSupported = name => {
   const cachedResult = isHashAlgorithmSupported.__cache[name];
@@ -88,10 +88,12 @@ export default class TarballFetcher extends BaseFetcher {
     reject: (error: Error) => void,
     tarballPath?: string,
   ): {
-    validateStream: ssri.integrityStream,
+    hashValidateStream: stream.PassThrough,
+    integrityValidateStream: stream.PassThrough,
     extractorStream: stream.Transform,
   } {
-    const integrityInfo = this._supportedIntegrity();
+    const hashInfo = this._supportedIntegrity({hashOnly: true});
+    const integrityInfo = this._supportedIntegrity({hashOnly: false});
 
     const now = new Date();
 
@@ -124,7 +126,9 @@ export default class TarballFetcher extends BaseFetcher {
       },
     });
 
-    const validateStream = new ssri.integrityStream(integrityInfo);
+    const hashValidateStream = new ssri.integrityStream(hashInfo);
+    const integrityValidateStream = new ssri.integrityStream(integrityInfo);
+
     const untarStream = tarFs.extract(this.dest, {
       strip: 1,
       dmode: 0o755, // all dirs should be readable
@@ -132,16 +136,24 @@ export default class TarballFetcher extends BaseFetcher {
       chown: false, // don't chown. just leave as it is
       map: header => {
         header.mtime = now;
+        if (header.linkname) {
+          const basePath = path.posix.dirname(path.join('/', header.name));
+          const jailPath = path.posix.join(basePath, header.linkname);
+          header.linkname = path.posix.relative('/', jailPath);
+        }
         return header;
       },
       fs: patchedFs,
     });
     const extractorStream = gunzip();
 
-    validateStream.once('error', err => {
+    hashValidateStream.once('error', err => {
+      this.validateError = err;
+    });
+    integrityValidateStream.once('error', err => {
       this.validateError = err;
     });
-    validateStream.once('integrity', sri => {
+    integrityValidateStream.once('integrity', sri => {
       this.validateIntegrity = sri;
     });
 
@@ -159,9 +171,11 @@ export default class TarballFetcher extends BaseFetcher {
         this.remote.integrity !== this.validateIntegrity.toString()
       ) {
         this.remote.integrity = this.validateIntegrity.toString();
+      } else if (this.validateIntegrity) {
+        this.remote.cacheIntegrity = this.validateIntegrity.toString();
       }
 
-      if (integrityInfo.algorithms.length === 0) {
+      if (integrityInfo.integrity && Object.keys(integrityInfo.integrity).length === 0) {
         return reject(
           new SecurityError(
             this.config.reporter.lang('fetchBadIntegrityAlgorithm', this.packageName, this.remote.reference),
@@ -192,7 +206,7 @@ export default class TarballFetcher extends BaseFetcher {
       });
     });
 
-    return {validateStream, extractorStream};
+    return {hashValidateStream, integrityValidateStream, extractorStream};
   }
 
   getLocalPaths(override: ?string): Array<string> {
@@ -217,9 +231,16 @@ export default class TarballFetcher extends BaseFetcher {
       invariant(stream, 'stream should be available at this point');
       // $FlowFixMe - This is available https://nodejs.org/api/fs.html#fs_readstream_path
       const tarballPath = stream.path;
-      const {validateStream, extractorStream} = this.createExtractor(resolve, reject, tarballPath);
+      const {hashValidateStream, integrityValidateStream, extractorStream} = this.createExtractor(
+        resolve,
+        reject,
+        tarballPath,
+      );
+
+      stream.pipe(hashValidateStream);
+      hashValidateStream.pipe(integrityValidateStream);
 
-      stream.pipe(validateStream).pipe(extractorStream).on('error', err => {
+      integrityValidateStream.pipe(extractorStream).on('error', err => {
         reject(new MessageError(this.config.reporter.lang('fetchErrorCorrupt', err.message, tarballPath)));
       });
     });
@@ -243,19 +264,23 @@ export default class TarballFetcher extends BaseFetcher {
             const tarballMirrorPath = this.getTarballMirrorPath();
             const tarballCachePath = this.getTarballCachePath();
 
-            const {validateStream, extractorStream} = this.createExtractor(resolve, reject);
+            const {hashValidateStream, integrityValidateStream, extractorStream} = this.createExtractor(
+              resolve,
+              reject,
+            );
 
-            req.pipe(validateStream);
+            req.pipe(hashValidateStream);
+            hashValidateStream.pipe(integrityValidateStream);
 
             if (tarballMirrorPath) {
-              validateStream.pipe(fs.createWriteStream(tarballMirrorPath)).on('error', reject);
+              integrityValidateStream.pipe(fs.createWriteStream(tarballMirrorPath)).on('error', reject);
             }
 
             if (tarballCachePath) {
-              validateStream.pipe(fs.createWriteStream(tarballCachePath)).on('error', reject);
+              integrityValidateStream.pipe(fs.createWriteStream(tarballCachePath)).on('error', reject);
             }
 
-            validateStream.pipe(extractorStream).on('error', reject);
+            integrityValidateStream.pipe(extractorStream).on('error', reject);
           },
         },
         this.packageName,
@@ -311,8 +336,8 @@ export default class TarballFetcher extends BaseFetcher {
     return this.fetchFromLocal().catch(err => this.fetchFromExternal());
   }
 
-  _findIntegrity(): ?Object {
-    if (this.remote.integrity) {
+  _findIntegrity({hashOnly}: {hashOnly: boolean}): ?Object {
+    if (this.remote.integrity && !hashOnly) {
       return ssri.parse(this.remote.integrity);
     }
     if (this.hash) {
@@ -321,18 +346,18 @@ export default class TarballFetcher extends BaseFetcher {
     return null;
   }
 
-  _supportedIntegrity(): {integrity: ?Object, algorithms: Array<string>} {
-    const expectedIntegrity = this._findIntegrity() || {};
+  _supportedIntegrity({hashOnly}: {hashOnly: boolean}): {integrity: ?Object, algorithms: Array<string>} {
+    const expectedIntegrity = this._findIntegrity({hashOnly}) || {};
     const expectedIntegrityAlgorithms = Object.keys(expectedIntegrity);
     const shouldValidateIntegrity = (this.hash || this.remote.integrity) && !this.config.updateChecksums;
 
-    if (expectedIntegrityAlgorithms.length === 0 && !shouldValidateIntegrity) {
+    if (expectedIntegrityAlgorithms.length === 0 && (!shouldValidateIntegrity || hashOnly)) {
       const algorithms = this.config.updateChecksums ? ['sha512'] : ['sha1'];
       // for consistency, return sha1 for packages without a remote integrity (eg. github)
       return {integrity: null, algorithms};
     }
 
-    const algorithms = new Set();
+    const algorithms = new Set(['sha512', 'sha1']);
     const integrity = {};
     for (const algorithm of expectedIntegrityAlgorithms) {
       if (isHashAlgorithmSupported(algorithm)) {
diff --git a/src/hoisted-tree-builder.js b/src/hoisted-tree-builder.js
index e8f1b2c50a..b24ea72c59 100644
--- a/src/hoisted-tree-builder.js
+++ b/src/hoisted-tree-builder.js
@@ -15,7 +15,7 @@ export type HoistedTree = {
 export type HoistedTrees = Array<HoistedTree>;
 
 export function getParent(key: string, treesByKey: Object): Object {
-  const parentKey = key.split('#').slice(0, -1).join('#');
+  const parentKey = key.slice(0, key.lastIndexOf('#'));
   return treesByKey[parentKey];
 }
 
diff --git a/src/lockfile/index.js b/src/lockfile/index.js
index 808cc81943..5926106dfb 100644
--- a/src/lockfile/index.js
+++ b/src/lockfile/index.js
@@ -179,6 +179,11 @@ export default class Lockfile {
       reporter.info(reporter.lang('noLockfileFound'));
     }
 
+    if (lockfile && lockfile.__metadata) {
+      const lockfilev2 = lockfile;
+      lockfile = {};
+    }
+
     return new Lockfile({cache: lockfile, source: rawLockfile, parseResultType: parseResult && parseResult.type});
   }
 
diff --git a/src/package-compatibility.js b/src/package-compatibility.js
index 145f931094..d380b44a70 100644
--- a/src/package-compatibility.js
+++ b/src/package-compatibility.js
@@ -52,6 +52,7 @@ const ignore = [
   'teleport', // a module bundler used by some modules
   'rhino', // once a target for older modules
   'cordovaDependencies', // http://bit.ly/2tkUePg
+  'parcel', // used for plugins of the Parcel bundler
 ];
 
 type Versions = {
diff --git a/src/package-fetcher.js b/src/package-fetcher.js
index 3f4c24e42e..0582dc6c57 100644
--- a/src/package-fetcher.js
+++ b/src/package-fetcher.js
@@ -4,13 +4,39 @@ import type {FetchedMetadata, Manifest, PackageRemote} from './types.js';
 import type {Fetchers} from './fetchers/index.js';
 import type PackageReference from './package-reference.js';
 import type Config from './config.js';
-import {MessageError} from './errors.js';
+import {MessageError, SecurityError} from './errors.js';
 import * as fetchers from './fetchers/index.js';
 import * as fs from './util/fs.js';
 import * as promise from './util/promise.js';
 
-async function fetchCache(dest: string, fetcher: Fetchers, config: Config): Promise<FetchedMetadata> {
-  const {hash, package: pkg} = await config.readPackageMetadata(dest);
+const ssri = require('ssri');
+
+async function fetchCache(
+  dest: string,
+  fetcher: Fetchers,
+  config: Config,
+  remote: PackageRemote,
+): Promise<FetchedMetadata> {
+  // $FlowFixMe: This error doesn't make sense
+  const {hash, package: pkg, remote: cacheRemote} = await config.readPackageMetadata(dest);
+
+  const cacheIntegrity = cacheRemote.cacheIntegrity || cacheRemote.integrity;
+  const cacheHash = cacheRemote.hash;
+
+  if (remote.integrity) {
+    if (!cacheIntegrity || !ssri.parse(cacheIntegrity).match(remote.integrity)) {
+      throw new SecurityError(
+        config.reporter.lang('fetchBadIntegrityCache', pkg.name, cacheIntegrity, remote.integrity),
+      );
+    }
+  }
+
+  if (remote.hash) {
+    if (!cacheHash || cacheHash !== remote.hash) {
+      throw new SecurityError(config.reporter.lang('fetchBadHashCache', pkg.name, cacheHash, remote.hash));
+    }
+  }
+
   await fetcher.setupMirrorFromCache();
   return {
     package: pkg,
@@ -40,7 +66,7 @@ export async function fetchOneRemote(
 
   const fetcher = new Fetcher(dest, remote, config);
   if (await config.isValidModuleDest(dest)) {
-    return fetchCache(dest, fetcher, config);
+    return fetchCache(dest, fetcher, config, remote);
   }
 
   // remove as the module may be invalid
diff --git a/src/package-hoister.js b/src/package-hoister.js
index 84a873184a..dc8990018d 100644
--- a/src/package-hoister.js
+++ b/src/package-hoister.js
@@ -835,6 +835,15 @@ export default class PackageHoister {
       // up of modules from different registries so we need to handle this specially
       const parts: Array<string> = [];
       const keyParts = key.split('#');
+      const isWorkspaceEntry = this.workspaceLayout && keyParts[0] === this.workspaceLayout.virtualManifestName;
+
+      // Don't add the virtual manifest (keyParts.length === 1)
+      // or ws childs which were not hoisted to the root (keyParts.length === 2).
+      // If a ws child was hoisted its key would not contain the virtual manifest name
+      if (isWorkspaceEntry && keyParts.length <= 2) {
+        continue;
+      }
+
       for (let i = 0; i < keyParts.length; i++) {
         const key = keyParts.slice(0, i + 1).join('#');
         const hoisted = this.tree.get(key);
@@ -843,16 +852,26 @@ export default class PackageHoister {
         parts.push(keyParts[i]);
       }
 
-      const shallowLocs = [];
-      if (this.config.modulesFolder) {
-        // remove the first part which will be the folder name and replace it with a
-        // hardcoded modules folder
-        parts.splice(0, 1, this.config.modulesFolder);
+      // Check if the destination is pointing to a sub folder of the virtualManifestName
+      // e.g. _project_/node_modules/workspace-aggregator-123456/node_modules/workspaceChild/node_modules/dependency
+      // This probably happened because the hoister was not able to hoist the workspace child to the root
+      // So we have to change the folder to the workspace package location
+      if (this.workspaceLayout && isWorkspaceEntry) {
+        const wspPkg = this.workspaceLayout.workspaces[keyParts[1]];
+        invariant(wspPkg, `expected workspace package to exist for "${keyParts[1]}"`);
+        parts.splice(0, 4, wspPkg.loc);
       } else {
-        // first part will be the registry-specific module folder
-        parts.splice(0, 0, this.config.lockfileFolder);
+        if (this.config.modulesFolder) {
+          // remove the first part which will be the folder name and replace it with a
+          // hardcoded modules folder
+          parts.splice(0, 1, this.config.modulesFolder);
+        } else {
+          // first part will be the registry-specific module folder
+          parts.splice(0, 0, this.config.lockfileFolder);
+        }
       }
 
+      const shallowLocs = [];
       info.shallowPaths.forEach(shallowPath => {
         const shallowCopyParts = parts.slice();
         shallowCopyParts[0] = this.config.cwd;
diff --git a/src/package-linker.js b/src/package-linker.js
index 66ae879872..59ca3e8204 100644
--- a/src/package-linker.js
+++ b/src/package-linker.js
@@ -251,10 +251,6 @@ export default class PackageLinker {
       } else if (workspaceLayout && remote.type === 'workspace' && !isShallow) {
         src = remote.reference;
         type = 'symlink';
-        if (dest.indexOf(workspaceLayout.virtualManifestName) !== -1) {
-          // we don't need to install virtual manifest
-          continue;
-        }
         // to get real path for non hoisted dependencies
         symlinkPaths.set(dest, src);
       } else {
@@ -350,6 +346,10 @@ export default class PackageLinker {
               for (const subfile of await fs.readdir(filepath)) {
                 possibleExtraneous.add(path.join(filepath, subfile));
               }
+            } else if (file[0] === '.' && file !== '.bin') {
+              if (!(await fs.lstat(filepath)).isDirectory()) {
+                possibleExtraneous.add(filepath);
+              }
             } else {
               possibleExtraneous.add(filepath);
             }
diff --git a/src/rc.js b/src/rc.js
index 4771665889..973d86d714 100644
--- a/src/rc.js
+++ b/src/rc.js
@@ -1,6 +1,6 @@
 /* @flow */
 
-import {readFileSync} from 'fs';
+import {existsSync, readFileSync} from 'fs';
 import {dirname, resolve} from 'path';
 
 import commander from 'commander';
@@ -35,13 +35,23 @@ export function getRcConfigForCwd(cwd: string, args: Array<string>): {[key: stri
     const value = args[index + 1];
 
     if (value && value.charAt(0) !== '-') {
-      Object.assign(config, loadRcFile(readFileSync(value).toString(), value));
+      Object.assign(config, loadRcFile(readFileSync(value, 'utf8'), value));
     }
   }
 
   return config;
 }
 
+export function getRcConfigForFolder(cwd: string): {[key: string]: string} {
+  const filePath = resolve(cwd, '.yarnrc');
+  if (!existsSync(filePath)) {
+    return {};
+  }
+
+  const fileText = readFileSync(filePath, 'utf8');
+  return loadRcFile(fileText, filePath);
+}
+
 function loadRcFile(fileText: string, filePath: string): {[key: string]: string} {
   let {object: values} = parse(fileText, 'yarnrc');
 
diff --git a/src/registries/npm-registry.js b/src/registries/npm-registry.js
index f1fb3786b7..083b8c1bab 100644
--- a/src/registries/npm-registry.js
+++ b/src/registries/npm-registry.js
@@ -22,6 +22,7 @@ import url from 'url';
 import ini from 'ini';
 
 const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
+const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/;
 const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i;
 const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i;
 const REGEX_REGISTRY_SUFFIX = /registry\/?$/;
@@ -112,13 +113,17 @@ export default class NpmRegistry extends Registry {
   }
 
   getRequestUrl(registry: string, pathname: string): string {
-    const isUrl = REGEX_REGISTRY_PREFIX.test(pathname);
+    let resolved = pathname;
 
-    if (isUrl) {
-      return pathname;
-    } else {
-      return url.resolve(addSuffix(registry, '/'), pathname);
+    if (!REGEX_REGISTRY_PREFIX.test(pathname)) {
+      resolved = url.resolve(addSuffix(registry, '/'), pathname);
     }
+
+    if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) {
+      resolved = resolved.replace(/^http:\/\//, 'https://');
+    }
+
+    return resolved;
   }
 
   isRequestToRegistry(requestUrl: string, registryUrl: string): boolean {
diff --git a/src/reporters/lang/en.js b/src/reporters/lang/en.js
index 816446cdfd..e376e969b3 100644
--- a/src/reporters/lang/en.js
+++ b/src/reporters/lang/en.js
@@ -26,7 +26,8 @@ const messages = {
   couldntClearPackageFromCache: "Couldn't clear package $0 from cache",
   clearedPackageFromCache: 'Cleared package $0 from cache',
   packWroteTarball: 'Wrote tarball to $0.',
-
+  invalidBinField: 'Invalid bin field for $0.',
+  invalidBinEntry: 'Invalid bin entry for $1 (in $0).',
   helpExamples: '  Examples:\n$0\n',
   helpCommands: '  Commands:\n$0\n',
   helpCommandsMore: '  Run `$0` for more information on specific commands.',
@@ -346,6 +347,10 @@ const messages = {
   requestError: 'Request $0 returned a $1',
   requestFailed: 'Request failed $0',
   tarballNotInNetworkOrCache: '$0: Tarball is not in network and can not be located in cache ($1)',
+  fetchBadIntegrityCache:
+    'Incorrect integrity when fetching from the cache for $0. Cache has $1 and remote has $2. Run `yarn cache clean` to fix the problem',
+  fetchBadHashCache:
+    'Incorrect hash when fetching from the cache for $0. Cache has $1 and remote has $2. Run `yarn cache clean` to fix the problem',
   fetchBadHashWithPath: "Integrity check failed for $0 (computed integrity doesn't match our records, got $2)",
   fetchBadIntegrityAlgorithm: 'Integrity checked failed for $0 (none of the specified algorithms are supported)',
   fetchErrorCorrupt:
@@ -353,6 +358,7 @@ const messages = {
   errorExtractingTarball: 'Extracting tar content of $1 failed, the file appears to be corrupt: $0',
   updateInstalling: 'Installing $0...',
   hostedGitResolveError: 'Error connecting to repository. Please, check the url.',
+  unauthorizedResponse: 'Received a 401 from $0. $1',
 
   unknownFetcherFor: 'Unknown fetcher for $0',
 
@@ -361,6 +367,9 @@ const messages = {
 
   unplugDisabled: "Packages can only be unplugged when Plug'n'Play is enabled.",
 
+  plugnplaySuggestV2L1: "Plug'n'Play support has been greatly improved on the Yarn v2 development branch.",
+  plugnplaySuggestV2L2:
+    'Please give it a try and tell us what you think! - https://next.yarnpkg.com/getting-started/install',
   plugnplayWindowsSupport: "Plug'n'Play on Windows doesn't support the cache and project to be kept on separate drives",
 
   packageInstalledWithBinaries: 'Installed $0 with binaries:',
diff --git a/src/resolvers/exotics/link-resolver.js b/src/resolvers/exotics/link-resolver.js
index a49d52ba8d..cc27abc8ea 100644
--- a/src/resolvers/exotics/link-resolver.js
+++ b/src/resolvers/exotics/link-resolver.js
@@ -30,9 +30,10 @@ export default class LinkResolver extends ExoticResolver {
     const name = path.basename(loc);
     const registry: RegistryNames = 'npm';
 
-    const manifest: Manifest = !await fs.exists(`${loc}/package.json`)
-      ? {_uid: '', name, version: '0.0.0', _registry: registry}
-      : await this.config.readManifest(loc, this.registry);
+    const manifest: Manifest =
+      !await fs.exists(`${loc}/package.json`) || loc === this.config.lockfileFolder
+        ? {_uid: '', name, version: '0.0.0', _registry: registry}
+        : await this.config.readManifest(loc, this.registry);
 
     manifest._remote = {
       type: 'link',
diff --git a/src/types.js b/src/types.js
index 442b54ff7d..f776508c5f 100644
--- a/src/types.js
+++ b/src/types.js
@@ -56,6 +56,7 @@ export type PackageRemote = {
   resolved?: ?string,
   hash: ?string,
   integrity?: ?string,
+  cacheIntegrity?: ?string,
   packageName?: string,
   registryRemote?: ?PackageRemote,
 };
diff --git a/src/util/execute-lifecycle-script.js b/src/util/execute-lifecycle-script.js
index dcbbc008d2..f5db0821b4 100644
--- a/src/util/execute-lifecycle-script.js
+++ b/src/util/execute-lifecycle-script.js
@@ -18,7 +18,13 @@ export type LifecycleReturn = Promise<{
   stdout: string,
 }>;
 
-export const IGNORE_MANIFEST_KEYS: Set<string> = new Set(['readme', 'notice', 'licenseText']);
+export const IGNORE_MANIFEST_KEYS: Set<string> = new Set([
+  'readme',
+  'notice',
+  'licenseText',
+  'activationEvents',
+  'contributes',
+]);
 
 // We treat these configs as internal, thus not expose them to process.env.
 // This helps us avoid some gyp issues when building native modules.
diff --git a/src/util/generate-pnp-map-api.tpl.js b/src/util/generate-pnp-map-api.tpl.js
index 835b6f85f1..c44db3605a 100644
--- a/src/util/generate-pnp-map-api.tpl.js
+++ b/src/util/generate-pnp-map-api.tpl.js
@@ -714,7 +714,7 @@ exports.setup = function setup() {
       return originalFindPath.call(Module, request, paths, isMain);
     }
 
-    for (const path of paths) {
+    for (const path of paths || []) {
       let resolution;
 
       try {
diff --git a/src/util/hooks.js b/src/util/hooks.js
index 90cd57b4a2..e3649d99a8 100644
--- a/src/util/hooks.js
+++ b/src/util/hooks.js
@@ -1,10 +1,10 @@
 /* @flow */
 
-export type YarnHook = 'resolveStep' | 'fetchStep' | 'linkStep' | 'buildStep' | 'pnpStep' | 'auditStep';
+export type YarnHook = 'resolveStep' | 'fetchStep' | 'linkStep' | 'buildStep' | 'pnpStep' | 'auditStep' | 'runScript';
 
 const YARN_HOOKS_KEY = 'experimentalYarnHooks';
 
-export function callThroughHook<T>(type: YarnHook, fn: () => T): T {
+export function callThroughHook<T>(type: YarnHook, fn: () => T, context?: any): T {
   if (typeof global === 'undefined') {
     return fn();
   }
@@ -13,11 +13,11 @@ export function callThroughHook<T>(type: YarnHook, fn: () => T): T {
     return fn();
   }
 
-  const hook: (() => T) => T = global[YARN_HOOKS_KEY][type];
+  const hook: (() => T, context?: any) => T = global[YARN_HOOKS_KEY][type];
 
   if (!hook) {
     return fn();
   }
 
-  return hook(fn);
+  return hook(fn, context);
 }
diff --git a/src/util/normalize-manifest/fix.js b/src/util/normalize-manifest/fix.js
index 95d19262a1..ef7b7798d6 100644
--- a/src/util/normalize-manifest/fix.js
+++ b/src/util/normalize-manifest/fix.js
@@ -2,7 +2,7 @@
 
 import {MANIFEST_FIELDS} from '../../constants';
 import type {Reporter} from '../../reporters/index.js';
-import {isValidLicense} from './util.js';
+import {isValidBin, isValidLicense} from './util.js';
 import {normalizePerson, extractDescription} from './util.js';
 import {hostedGitFragmentToGitUrl} from '../../resolvers/index.js';
 import inferLicense from './infer-license.js';
@@ -12,6 +12,8 @@ const semver = require('semver');
 const path = require('path');
 const url = require('url');
 
+const VALID_BIN_KEYS = /^(?!\.{0,2}$)[a-z0-9._-]+$/i;
+
 const LICENSE_RENAMES: {[key: string]: ?string} = {
   'MIT/X11': 'MIT',
   X11: 'MIT',
@@ -159,6 +161,24 @@ export default (async function(
     info.bin = {[name]: info.bin};
   }
 
+  // Validate that the bin entries reference only files within their package, and that
+  // their name is a valid file name
+  if (typeof info.bin === 'object' && info.bin !== null) {
+    const bin: Object = info.bin;
+    for (const key of Object.keys(bin)) {
+      const target = bin[key];
+      if (!VALID_BIN_KEYS.test(key) || !isValidBin(target)) {
+        delete bin[key];
+        warn(reporter.lang('invalidBinEntry', info.name, key));
+      } else {
+        bin[key] = path.normalize(target);
+      }
+    }
+  } else if (typeof info.bin !== 'undefined') {
+    delete info.bin;
+    warn(reporter.lang('invalidBinField', info.name));
+  }
+
   // bundleDependencies is an alias for bundledDependencies
   if (info.bundledDependencies) {
     info.bundleDependencies = info.bundledDependencies;
diff --git a/src/util/normalize-manifest/resolve-relative.js b/src/util/normalize-manifest/resolve-relative.js
index 5617f59a0b..5535cff40c 100644
--- a/src/util/normalize-manifest/resolve-relative.js
+++ b/src/util/normalize-manifest/resolve-relative.js
@@ -44,7 +44,9 @@ export default function(info: Object, moduleLoc: string, lockfileFolder: string)
       const absoluteTarget = path.resolve(lockfileFolder, moduleLoc, unprefixed);
       let relativeTarget = path.relative(lockfileFolder, absoluteTarget) || '.';
 
-      if (hasPathPrefix) {
+      if (absoluteTarget === lockfileFolder) {
+        relativeTarget = '.';
+      } else if (hasPathPrefix) {
         // TODO: This logic should be removed during the next major bump
         // If the original value was using the "./" prefix, then we output a similar path.
         // We need to do this because otherwise it would cause problems with already existing
diff --git a/src/util/normalize-manifest/util.js b/src/util/normalize-manifest/util.js
index 73f904882c..7d30f6106b 100644
--- a/src/util/normalize-manifest/util.js
+++ b/src/util/normalize-manifest/util.js
@@ -2,12 +2,19 @@
 
 import type {PersonObject} from '../../types.js';
 
+const path = require('path');
 const validateLicense = require('validate-npm-package-license');
 
+const PARENT_PATH = /^\.\.([\\\/]|$)/;
+
 export function isValidLicense(license: string): boolean {
   return !!license && validateLicense(license).validForNewPackages;
 }
 
+export function isValidBin(bin: string): boolean {
+  return !path.isAbsolute(bin) && !PARENT_PATH.test(path.normalize(bin));
+}
+
 export function stringifyPerson(person: mixed): any {
   if (!person || typeof person !== 'object') {
     return person;
diff --git a/src/util/request-manager.js b/src/util/request-manager.js
index 8756139f14..fd41bf2100 100644
--- a/src/util/request-manager.js
+++ b/src/util/request-manager.js
@@ -373,6 +373,11 @@ export default class RequestManager {
       rejectNext(err);
     };
 
+    const rejectWithoutUrl = function(err) {
+      err.message = err.message;
+      rejectNext(err);
+    };
+
     const queueForRetry = reason => {
       const attempts = params.retryAttempts || 0;
       if (attempts >= this.maxRetryAttempts - 1) {
@@ -428,6 +433,11 @@ export default class RequestManager {
           }
         }
 
+        if (res.statusCode === 401 && res.caseless && res.caseless.get('server') === 'GitHub.com') {
+          const message = `${res.body.message}. If using GITHUB_TOKEN in your env, check that it is valid.`;
+          rejectWithoutUrl(new Error(this.reporter.lang('unauthorizedResponse', res.caseless.get('server'), message)));
+        }
+
         if (res.statusCode === 401 && res.headers['www-authenticate']) {
           const authMethods = res.headers['www-authenticate'].split(/,\s*/).map(s => s.toLowerCase());