I'm looking for a way to audit dependencies for vulnerabilities in Yarn 2. In Yarn 1.x it was possible in the same way as in npm, by running `yarn audit` instead of `npm audit`. But with Yarn 2 there is no such command. And according to this issue on the berry GitHub, it won't be implemented (project maintainers prefer it be done via a plugin).
I have tried running `npm install --package-lock-only && npm audit` but the install chokes on some of my local packages (which I am listing in package.json using the `link:` URL type).
It wouldn't be a complex plugin to build and I'm up for some fun doing so, but it would not be so much fun as just installing something and then going about my day. I have looked around but always end up at the same couple of vapourware / abandonware repos.
But I still guess that I'm just not finding them. Or there's an undocumented trick for making it easy. Hence my question :)
PS, yeah I can delete the local packages using `link:` temporarily while I run the `npm install` and `npm audit` commands above, but it's not exactly the kind of thing I want to try and automate for CI.
Update (28-Oct-2020):
Yarn 2 just merged the long-awaited `yarn npm audit` enhancement.
PR - https://github.com/yarnpkg/berry/pull/1892
Docs - https://yarnpkg.com/cli/npm/audit
I was experimenting with Yarn 2 recently, and I saw that you can do this with @efrem/auditdeps utility:
yarn dlx @efrem/auditdeps [--level=(low|moderate|high|critical)] [--production]
The output is not as pretty as from `npm audit`, but you get more details in JSON format and you can pipe it to other tools or to any custom reformatting script to get exactly what you want.