is there a yarn alternative for npm audit?

Solution 1:

Yarn doesn't have npm audit fix.

But here's how to do it by using npm – temporarily.

  1. Generate a package-lock.json file without installing node modules
npm i --package-lock-only
  1. Fix the packages and update the package-lock.json file
npm audit fix
  1. Delete the yarn.lock file and convert package-lock.json file into yarn.lock
rm yarn.lock
yarn import
  1. Delete the package-lock.json file
rm package-lock.json

For example:

yarn audit

38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate

(I know. react-scripts is crazy...)

npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm i --package-lock-only

...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix

...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s

50 packages are looking for funding
  run `npm fund` for details

fixed 211 of 495 vulnerabilities in 913793 scanned packages
  284 vulnerabilities required manual review and could not be updated
git status -s

?? package-lock.json
yarn import

yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨  Done in 25.61s
rm package-lock.json

Solution 2:

yarn audit / yarn install --audit has been available since [email protected]

https://github.com/yarnpkg/yarn/releases/tag/v1.12.0

Unfortunately no --fix option yet, but as workaround you can use https://www.npmjs.com/package/yarn-audit-fix

Solution 3:

Yes, you can use yarn audit to audit for vulnerability but you can't fix the Vulnerabilities by using yarn audit fix as you can do in npm audit fix.

To fix the Vulnerabilities in yarn.lock file you have to reinstall the package(which is carrying the Vulnerability) to its newer version by using yarn add package_name

you can read the issue here => https://github.com/yarnpkg/yarn/issues/7075

Solution 4:

I thinks that it's not ready on yarn. You can refer to the following issue. https://github.com/yarnpkg/yarn/issues/5808