I need the pinned resolution feature of yarn, but also want to audit with npm audit. Is there a yarn alternative to npm audit? Or, alternately, will pinning resolutions of dependencies of dependencies work in npm?
As previously mentioned, there is no yarn audit fix command. This package attempts to replicate the npm audit fix command functionality in yarn. It can be quite a useful tool for actually fixing vulnerabilities found by other tools on this list.
Today, npm audit is broken by design. Beginners, experienced developers, maintainers, security departments, and, most importantly — our users — deserve better.
You can skip auditing altogether by adding the --no-audit flag.
Yarn doesn't have npm audit fix.
But here's how to do it by using npm – temporarily.
1. Generate a package-lock.json file without installing node modules:
   npm i --package-lock-only
2. Fix the package-lock.json file:
   npm audit fix
3. Remove the yarn.lock file and convert the package-lock.json file into yarn.lock:
   rm yarn.lock
   yarn import
4. Remove the package-lock.json file:
   rm package-lock.json

yarn audit
38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate

(I know. react-scripts is crazy...)
$ npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

$ npm i --package-lock-only
...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix
...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s
50 packages are looking for funding
  run `npm fund` for details
fixed 211 of 495 vulnerabilities in 913793 scanned packages
  284 vulnerabilities required manual review and could not be updated

$ git status -s
?? package-lock.json

$ yarn import
yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨ Done in 25.61s

$ rm package-lock.json
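The npm-based workaround shown above, wrapped as an added shell script (not code from any of the answers or from yarn/npm themselves). It assumes yarn 1.x and npm are on PATH and takes the project directory as its argument; before npm touches the project it copies yarn.lock aside, and if any step fails it restores that copy and removes the generated package-lock.json, so a broken run cannot leave the repository without a usable lockfile.

```shell
#!/bin/sh
# Added example: runs the package-lock-only / npm audit fix / yarn import
# workaround with a backup of yarn.lock so a failed step can be undone.
# Assumes yarn 1.x and npm on PATH; the project directory is $1.

has_yarn_lock() {
    [ -f "$1/yarn.lock" ]
}

# Keep a copy of the original lockfile so the conversion can be rolled back.
backup_yarn_lock() {
    cp "$1/yarn.lock" "$1/yarn.lock.audit-backup"
}

# Put the original yarn.lock back and drop any package-lock.json npm created.
restore_yarn_lock() {
    mv "$1/yarn.lock.audit-backup" "$1/yarn.lock"
    rm -f "$1/package-lock.json"
}

# Returns 0 when yarn.lock was rewritten from the npm-fixed lockfile,
# 1 when the project has no yarn.lock or any step failed (state restored).
audit_fix_via_npm() {
    dir=$1
    if ! has_yarn_lock "$dir"; then
        echo "no yarn.lock in $dir; refusing to run" >&2
        return 1
    fi
    backup_yarn_lock "$dir"
    if ( cd "$dir" \
         && npm i --package-lock-only \
         && npm audit fix \
         && rm yarn.lock \
         && yarn import \
         && rm package-lock.json ); then
        rm -f "$dir/yarn.lock.audit-backup"
        echo "yarn.lock updated; review the diff before committing" >&2
    else
        restore_yarn_lock "$dir"
        echo "workaround failed; original yarn.lock restored" >&2
        return 1
    fi
}

# Usage: sh audit-fix.sh /path/to/project
if [ "$#" -gt 0 ]; then
    audit_fix_via_npm "$1"
fi
```

After a successful run, inspect `git diff yarn.lock` before committing: npm audit fix upgrades packages to clear advisories, and some of those bumps may be exactly the versions a pinned resolution was meant to hold back, so the diff is where the two goals from the question meet.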
yarn audit / yarn install --audit has been available since yarn@1.12.0
https://github.com/yarnpkg/yarn/releases/tag/v1.12.0
Unfortunately there is no --fix option yet, but as a workaround you can use https://www.npmjs.com/package/yarn-audit-fix