Audit & Fix your NPM packages when using Yarn

Yarn is a nice alternative to NPM, with pretty much feature parity and, depending on the version, some speed benefits too, though these days perhaps slightly less so than a few years ago.

While there's pretty much feature parity, there's one area where Yarn is missing one fairly crucial feature: fixing security issues. Yarn does have yarn audit, which behaves the same as npm audit, but as of this writing there is no Yarn equivalent of npm audit fix. I'm sure it'll come sooner or later, but for now we'll have to wait. A "heated" GitHub issue exists for this, but there has not been a useful update just yet.

For right now, when you're using Yarn and need to fix some vulnerabilities, you can either do this manually for each vulnerability, or temporarily use NPM to run these fixes. Here's how to do the latter.

First, we'll use npm to create a temporary package-lock.json file:

npm i --package-lock-only

With the --package-lock-only flag, npm resolves the dependency tree and writes package-lock.json without actually installing any packages; installing is what we're using Yarn for, after all.

Next, delete your yarn.lock file:

rm yarn.lock

Now let's run audit fix to actually fix all vulnerabilities:

npm audit fix

Depending on which vulnerabilities were found, this step may also require additional manual work, for example when a package's fix is only available in a backwards-incompatible (major) update, which npm audit fix will not apply on its own.

Be sure to follow the steps as described and to test your application/website after running these fixes to ensure things are still working as they should. Not all packages are truly fully backwards compatible, so there's always a chance something needs a small fix or two.

Once that is done, bring things back to Yarn by letting it import the NPM lock file and generate a new yarn.lock file:

yarn import

After this, you can now safely delete the package-lock.json file again:

rm package-lock.json

That's it! Commit your changes, and you can go back to using Yarn.
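As an added example (my own script, not part of the original post), here is the whole procedure above wrapped in a POSIX shell script with the checks I'd want before letting it touch lock files: it refuses to run unless Yarn reports a 1.x version, since yarn import only exists in Yarn 1 (classic) and was removed in Yarn 2+; it checks that package.json and yarn.lock are actually present; it keeps a backup copy of yarn.lock so the step can be reverted; and it finishes by running yarn audit so you can see what, if anything, is left. The script name yarn-audit-fix.sh and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the npm-based audit-fix flow
# with preflight checks and a yarn.lock backup. Assumes a Yarn 1 (classic)
# project; the script/function names are assumptions.
set -eu

# Yarn 2+ (berry) dropped `yarn import`, so only a 1.x version will work.
is_yarn_classic() {
  case "$1" in
    1.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Checks run before any file is touched. Arguments: yarn version string,
# project directory. Returns non-zero (with a message on stderr) on failure.
preflight() {
  version="$1"
  dir="$2"
  if ! is_yarn_classic "$version"; then
    echo "yarn $version has no 'yarn import'; this flow needs Yarn 1.x" >&2
    return 1
  fi
  [ -f "$dir/package.json" ] || { echo "no package.json in $dir" >&2; return 1; }
  [ -f "$dir/yarn.lock" ]    || { echo "no yarn.lock in $dir" >&2; return 1; }
  return 0
}

# The procedure from the post, in order, with a backup and a final audit.
audit_fix_via_npm() {
  dir="${1:-.}"
  preflight "$(yarn --version)" "$dir"
  cd "$dir"
  cp yarn.lock yarn.lock.bak        # keep a copy in case the fix has to be abandoned
  npm i --package-lock-only         # resolve and write package-lock.json, install nothing
  rm yarn.lock
  npm audit fix                     # non-breaking fixes only; read its report for the rest
  yarn import                       # rebuild yarn.lock from package-lock.json
  rm package-lock.json yarn.lock.bak
  yarn audit || echo "yarn audit still reports issues; see output above" >&2
}

# Only run when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "yarn-audit-fix.sh" ]; then
  audit_fix_via_npm "${1:-.}"
fi
```

Run it from the project root as sh yarn-audit-fix.sh (or pass the project directory as the first argument); if it refuses because of the Yarn version, you are on Yarn 2+ and yarn import is not available to you, so the manual per-package update route is the one to take.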

If your project only has one or two vulnerabilities, it might be easier to just manually update those packages, but this is a fairly easy way to fix multiple vulnerabilities, at least until Yarn adds this functionality of course.

I hope this helps.

Thank you.