Audit & Fix your NPM packages when using Yarn

Yarn is a nice alternative to NPM, with pretty much feature parity and, depending on the version, some speed benefits too, though these days perhaps slightly less so than a few years ago.
While there's pretty much feature parity, there's one area where Yarn is missing a somewhat crucial feature: fixing security issues. Yarn does have yarn audit, which behaves much like npm audit, but as of this writing there is no Yarn equivalent of npm audit fix. I'm sure it'll come sooner or later, but for now we'll have to wait. A "heated" GitHub issue exists for this, but there has not been a useful update just yet.
For right now though, when you're using Yarn and need to fix some vulnerabilities, you can either do this manually for each vulnerability, or temporarily use NPM to run these fixes. Here's how to do the latter.
First, we'll use npm to create a temporary package-lock.json file:
npm i --package-lock-only
With the --package-lock-only flag npm only resolves the dependency tree and writes the lock file; it doesn't install anything into node_modules, as that's what we're using Yarn for after all.
Next, delete your yarn.lock file:
rm yarn.lock
Now let's run audit fix to actually fix all vulnerabilities:
npm audit fix
Depending on what vulnerabilities were found, this step might require additional manual steps too, for example when a specific package's fix is only available in a backwards-incompatible (semver-major) update; npm audit fix won't apply those on its own, and npm audit fix --force will, at the cost of possibly breaking changes. If you want to see what npm would change before it touches anything, npm audit fix --dry-run prints the planned updates first.
Be sure to follow the steps as described and to test your application/website after running these fixes to ensure things are still working as they should. Not all packages are truly fully backwards compatible, so there's always a chance something needs a small fix or two.
Once you have finished this step, we can bring things back to Yarn by letting it import the NPM lock file and create a new yarn.lock file (yarn import is a Yarn 1 "Classic" command):
yarn import
After this, you can safely delete the package-lock.json file again:
rm package-lock.json
That's it! Review the diff of yarn.lock, run yarn install so node_modules matches the new lock file, and re-run yarn audit to confirm the advisories are really gone. Then commit your changes and go back to using Yarn.
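The whole procedure above as one script, added here as an example and not code from the original post. It wraps the same five commands in a function that keeps a copy of yarn.lock and puts it back if any step fails, and refuses to start unless the project is in the expected state (a yarn.lock and no package-lock.json). It assumes a Yarn 1 (Classic) project, npm 6 or newer for npm audit fix, and the documented --package-lock-only and --force flags of npm audit fix; the script name yarn-audit-fix.sh and the --run argument are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the npm-based audit-fix
# workaround for a Yarn 1 project, with a backup of yarn.lock that is
# restored when any step fails.
# Assumed: npm >= 6 (npm audit fix, --package-lock-only), Yarn 1.x (yarn import).
set -eu

# Report which lock files are present in a directory: yarn, npm, both or none.
lockfile_state() {
  dir="${1:-.}"
  if [ -f "$dir/yarn.lock" ] && [ -f "$dir/package-lock.json" ]; then echo both
  elif [ -f "$dir/yarn.lock" ]; then echo yarn
  elif [ -f "$dir/package-lock.json" ]; then echo npm
  else echo none
  fi
}

# Copy yarn.lock to a backup path outside the project so a failed run is revertible.
backup_lock() {
  dir="$1"; backup="$2"
  cp "$dir/yarn.lock" "$backup"
}

# Put the saved yarn.lock back and drop any half-finished package-lock.json.
restore_lock() {
  dir="$1"; backup="$2"
  cp "$backup" "$dir/yarn.lock"
  rm -f "$dir/package-lock.json"
}

# The procedure from the post. $1: project directory; $2: "force" to let
# npm apply semver-major fixes as well (npm audit fix --force).
fix_with_npm() {
  dir="${1:-.}"; mode="${2:-}"
  force=""
  [ "$mode" = force ] && force="--force"

  # Refuse to start unless exactly the Yarn lock file is present.
  [ "$(lockfile_state "$dir")" = yarn ] || {
    echo "expected a yarn.lock and no package-lock.json in $dir" >&2
    return 1
  }

  backup="$(mktemp)"
  backup_lock "$dir" "$backup"

  # Run the steps in a subshell so a failure anywhere restores the original lock.
  # --package-lock-only on audit fix keeps npm out of node_modules, which Yarn owns.
  if ! (
    cd "$dir" &&
    npm install --package-lock-only &&
    rm yarn.lock &&
    npm audit fix --package-lock-only $force &&
    yarn import &&
    rm package-lock.json &&
    yarn install
  ); then
    echo "fix failed; restoring the original yarn.lock" >&2
    restore_lock "$dir" "$backup"
    rm -f "$backup"
    return 1
  fi
  rm -f "$backup"

  # Yarn 1 exits non-zero when advisories remain (e.g. fixes that need --force),
  # so report that without undoing the fixes that did apply.
  (cd "$dir" && yarn audit) || echo "advisories remain; review the yarn audit output" >&2
  return 0
}

# Only act when explicitly asked: ./yarn-audit-fix.sh --run [dir] [force]
if [ "${1:-}" = "--run" ]; then
  fix_with_npm "${2:-.}" "${3:-}"
fi
```

Run it from a clean git working tree so the resulting yarn.lock diff is the only change to review; the backup makes the run revertible, but a clean tree makes the review easy. The restore step deliberately happens on any failure of the npm or yarn commands, while a non-zero yarn audit at the end is only reported, because a lock file that fixes some advisories is still better than the one you started with.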
If your project only has one or two vulnerabilities, it might be easier to just manually update those packages, but this is a fairly easy way to fix multiple vulnerabilities at once, at least until Yarn adds this functionality of course.
I hope this helps.
Thank you.