VA Technical Reference Model v 24.11

The following reference(s) are associated with this entry:

Note: This list may not be complete. No component, listed or unlisted, may be used outside of the technology in which it is released. The usage decision for a component is found in the Decision and Decision Constraints.

• This entry is available as an open source technology.

• macOS - Authorized w/ Constraints
• Red Hat Enterprise Linux (RHEL) - Authorized w/ Constraints
• Windows Client - Authorized w/ Constraints

Runtime Dependencies:

• No runtime dependencies have been identified.

Optional Dependencies:

• No optional dependencies have been identified.

Comparable Technologies:

• Node Package Manager (NPM) - Authorized w/ Constraints
• NuGet - Authorized w/ Constraints

Companion Technologies/Supported Standards:

• JavaScript - Authorized
• JavaScript Object Notation Data Interchange Standard (JSON) - Authorized
• Secure Sockets Layer (SSL) - Authorized w/ Constraints (POA&M)
• TypeScript - Authorized w/ Constraints

Adoption Benefits

• This is a well-documented technology.
• This technology may improve productivity for specific staff whose responsibilities include installing, upgrading, and configuring software in the organization’s library.
• This technology is available at no cost through open-source licensing and supports VA's open-source initiative.
• There are minimal other TRM-authorized technologies that provide the same functionality.

Adoption Risks

• IPR/SAR Adoption Risk - The product is not Federal Information Processing Standards (FIPS) 140-2 (or its successor) certified.
• IPR/SAR Adoption Risk - Yarn is an open-source solution.
• IPR/SAR Adoption Risk - Yarn has the capability of being used with Artificial Intelligence (AI) platforms and their Application Programming Interfaces (APIs).
• IPR/SAR Adoption Risk - There are published vulnerabilities that affect various versions and implementations of this software.
• IPR/SAR Adoption Risk - Yarn has the capability to connect with other applications through the use of APIs and plugins.
• IPR/SAR Adoption Risk - Yarn is listed as previously unapproved in the VA TRM.
• IPR/SAR Adoption Risk - Yarn was created in collaboration with American/multinational companies and an international company named Tilde.
• There are known Common Vulnerabilities and Exposures (CVEs) associated with this technology. Please see <a href = "https://nvd.NIST.gov/vuln/search" target="_blank">https://nvd.NIST.gov/vuln/search</a> for more details.
• Due to the rapid release schedule of this technology, the VA may be unable to update to the most recent patch and may require a deployment model requiring the use of specific versions.
• There are other authorized solutions that provide similar functionality available on the TRM. The use of several similar solutions may increase organization requirements for support and maintenance.
• This technology can potentially use Secure Sockets Layer (SSL), a protocol which requires a POA&M for use on the VA network.
• As open-source software, this product may be left without clearly defined support options which may result in suboptimal enterprise level support.

Architectural Benefits

• This technology is portable as it runs on multiple TRM-authorized operating systems.