Revisit Usage of Yarn as a dependency (or at least upgrade it)

[vidarc]

Is your feature request related to a problem? Please describe.
Yarn is currently used as a direct dependency, https://github.com/oclif/plugin-plugins/blob/main/package.json#L18. This version of yarn being used is no longer being maintained and now even has a CVE opened against it https://nvd.nist.gov/vuln/detail/CVE-2025-8262

Describe the solution you'd like
A solution that doesn't involve making a package manager a direct dependency (or at the very least, an upgrade to the latest line of yarn, which is 4.x.x).

Additional context
Some relevant threads (where it said usage with other versions was being worked on, but that was years ago)
#203
#71

[mdonnalley]

@vidarc That's a great question

v5 originally removed yarn altogether (see #776) but soon after that was released, we got an issue about sf plugins link no longer working on yarn projects, so we patched it with #841

Yarn is problematic for a couple reasons:

• you get non-deterministic yarn versions if you depend on the user's global yarn. If I recall, yarn has some weird trickery where the user could have downloaded yarn@1 but then configured it to run yarn@4. I seem to remember trying several approaches to accurately determine the global version but none of them seemed good enough (although I'm not ruling out my own incompetence - feel free to try for yourself)
• yarn@1 is the only version of yarn on the npm registry (source). So we can't actually upgrade to the latest

My preferred solution is drop the auto-install functionality of plugins link (i.e. make --no-install the default and only behavior) then we'd be able to drop yarn entirely. But that would be a breaking change and one that we (the Salesforce CLI) aren't ready to push on all our plugins providers

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.