Yarn is a nice alternative to NPM, with pretty much feature parity and, depending on the version, some speed benefits too, though these days perhaps slightly less so as compared to a few years ago.
While there's pretty much feature parity, there's one area where Yarn is missing a somewhat crucial feature: fixing security issues. Yarn does have `yarn audit`, which behaves the same as `npm audit`, but as of this writing there is no Yarn equivalent of `npm audit fix`. I'm sure it'll come sooner or later, but for now we'll have to wait. A "heated" GitHub issue exists for this, but there has not been a useful update just yet.
For right now though, when you're using Yarn and need to fix some vulnerabilities, you can either do this manually for each vulnerability, or temporarily use NPM to run these fixes. Here's how you can do the latter.
First, we'll use npm to create a temporary `package-lock.json` file:
npm i --package-lock-only
With the `--package-lock-only` flag we don't actually install any packages, as that's what we're using Yarn for after all.
Next, delete your
Now let's run `audit fix` to actually fix all vulnerabilities:
npm audit fix
Depending on what vulnerabilities were found, this step might require additional manual steps too if, for example, a specific package's fix is only available in an update that breaks backwards compatibility.
Be sure to follow the steps as described and to test your application/website after running these fixes to ensure things are still working as they should. Not all packages are truly fully backwards compatible, so there's always a chance something needs a small fix or two.
Once you have finished this step, we can now bring things back to Yarn by letting it import the NPM lock file and create a new
After this, you can now safely delete the `package-lock.json` file again:
That's it! Commit your changes, and you can go back to using Yarn.
If your project only has one or two vulnerabilities, it might be easier to just manually update those packages, but this is a fairly easy way to fix multiple vulnerabilities, at least until Yarn adds this functionality of course.
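The whole round trip as one script, added here as an example and not taken from the original post. It assumes Yarn 1 (Classic), where `yarn import` builds `yarn.lock` from `package-lock.json` and refuses to run while a `yarn.lock` is present; the function name `audit_fix_via_npm`, the backup and restore logic and the closing `yarn audit` are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Yarn 1 (Classic):
# `yarn import` builds yarn.lock from package-lock.json and refuses to
# run while a yarn.lock is present.

audit_fix_via_npm() (
    # Subshell body: `cd` and `exit` do not affect the calling shell.
    cd "${1:-.}" || exit 2
    [ -f package.json ] && [ -f yarn.lock ] || {
        echo "need package.json and yarn.lock" >&2; exit 2; }
    [ ! -e package-lock.json ] || {
        echo "package-lock.json already exists; not overwriting" >&2; exit 2; }

    # Keep copies so a failed step never leaves the project without a lock file.
    backup=$(mktemp -d) || exit 2
    cp package.json yarn.lock "$backup"/ || exit 2
    restore() {
        cp "$backup"/package.json "$backup"/yarn.lock .
        rm -rf "$backup" package-lock.json
        echo "step failed; original package.json and yarn.lock restored" >&2
        exit 1
    }

    # 1. Temporary npm lock file; no packages are installed.
    npm i --package-lock-only || restore
    # 2. Remove yarn.lock so `yarn import` can recreate it in step 4.
    rm yarn.lock || restore
    # 3. Apply the fixes. A non-zero exit is reported, not treated as fatal,
    #    because some findings may only be fixable by hand.
    npm audit fix ||
        echo "npm audit fix exited non-zero; review remaining findings" >&2
    # 4. Rebuild yarn.lock from the fixed npm lock file, then clean up.
    yarn import || restore
    rm -rf package-lock.json "$backup"
    # 5. Re-check with Yarn; its exit status becomes the function's.
    yarn audit
)

# Run only when asked to: sh audit-fix.sh --run [project-dir]
if [ "${1:-}" = "--run" ]; then
    audit_fix_via_npm "${2:-.}"
fi
```

Review the resulting `yarn.lock` and `package.json` diff before committing, since the fixes can move packages across major versions.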
I hope this helps.