is there a yarn alternative for npm audit?
Solution 1:
Yarn doesn't have npm audit fix
.
But here's how to do it by using npm
– temporarily.
- Generate a
package-lock.json
file without installing node modules
npm i --package-lock-only
- Fix the packages and update the
package-lock.json
file
npm audit fix
- Delete the
yarn.lock
file and convertpackage-lock.json
file intoyarn.lock
rm yarn.lock
yarn import
- Delete the
package-lock.json
file
rm package-lock.json
For example:
yarn audit
38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate
(I know. react-scripts
is crazy...)
npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm i --package-lock-only
...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix
...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s
50 packages are looking for funding
run `npm fund` for details
fixed 211 of 495 vulnerabilities in 913793 scanned packages
284 vulnerabilities required manual review and could not be updated
git status -s
?? package-lock.json
yarn import
yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨ Done in 25.61s
rm package-lock.json
Solution 2:
yarn audit
/ yarn install --audit
has been available since [email protected]
https://github.com/yarnpkg/yarn/releases/tag/v1.12.0
Unfortunately no --fix
option yet, but as workaround you can use https://www.npmjs.com/package/yarn-audit-fix
Solution 3:
Yes, you can use yarn audit
to audit for vulnerability but you can't fix the Vulnerabilities by using yarn audit fix
as you can do in npm audit fix
.
To fix the Vulnerabilities in yarn.lock
file you have to reinstall the package(which is carrying the Vulnerability) to its newer version by using yarn add package_name
you can read the issue here => https://github.com/yarnpkg/yarn/issues/7075
Solution 4:
I thinks that it's not ready on yarn. You can refer to the following issue. https://github.com/yarnpkg/yarn/issues/5808