Gathering detailed insights and metrics for yarn-audit-fix
Gathering detailed insights and metrics for yarn-audit-fix
Gathering detailed insights and metrics for yarn-audit-fix
Gathering detailed insights and metrics for yarn-audit-fix
npm-audit-resolver
Aids humans and automation in managing npm audit results
improved-yarn-audit
A wrapper around yarn audit that fixes many issues
lerna-audit
Micro util to run npm audit for lerna packages (with autofix)
audit-ci
Audits NPM, Yarn, and PNPM projects in CI environments
npm install yarn-audit-fix
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
181 Stars
703 Commits
9 Forks
4 Watching
5 Branches
10 Contributors
Updated on 27 Nov 2024
TypeScript (93.32%)
JavaScript (6.68%)
Cumulative downloads
Total Downloads
Last day
-8.5%
16,085
Compared to previous day
Last week
1%
85,767
Compared to previous week
Last month
7%
380,739
Compared to previous month
Last year
-5.6%
4,062,957
Compared to previous year
13
The missing yarn audit fix
yarn audit
detects vulnerabilities, but cannot fix them.
Authors suggest using Dependabot or Snyk for security patches. Well, it is very inconvenient in some situations, to say the least of it.
The discussion: yarn/issues/7075.yarn audit
does not support custom (in-house, internal) registries. Here are the issue & PR which have not yet received the green light.Fortunately, there are several workarounds:
npm audit fix
with lockfile converter (thanks to Gianfranco P., stackoverflow/60878037).
yarn-audit-fix --flow=convert
just reproduces these steps with minimal changes. More details: dev.to/yarn-audit-fix-workaroundyarn/npm audit --json
advisories and patch lockfile inners (kudos to G. Kosev, code reference). yarn-audit-fix --flow=patch
. Full description: dev.to/yarn-audit-fix-for-yarn-2-berryNode.js: >=16.0.0
1$ yarn add yarn-audit-fix -D
or even better
npm_config_yes=true npx yarn-audit-fix
$ yarn-audit-fix [--opts] Preparing temp assets... Generating package-lock.json from yarn.lock... Applying npm audit fix... invoke npm audit fix --package-lock-only added 14 packages, removed 195 packages and updated 1245 packages in 4.795s fixed 3 of 26 vulnerabilities in 1370 scanned packages 23 vulnerabilities required manual review and could not be updated Updating yarn.lock from package-lock.json... invoke yarn import info found npm package-lock.json, converting to yarn.lock warning synp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 warning tslint-config-qiwi > tslint-react@5.0.0: tslint-react is deprecated along with TSLint warning @qiwi/libdefkit > @types/read-pkg@5.1.0: This is a stub types definition. read-pkg provides its own type definitions, so you do not need this installed. ... success Saved lockfile. invoke yarn [1/4] 🔍 Resolving packages... success Already up-to-date. Done
Option | Description | Default | with --flow=convert only |
---|---|---|---|
--flow | Define how yarn.lock is modified. convert — to compose npm audit fix with two-way lockfile conversion (legacy flow). patch — to directly inject audit json data | patch | |
--audit-level | Include a vulnerability with a level as defined or higher. Supported values: low, moderate, high, critical | low | |
--cwd | Current working dir | process.cwd() | |
--dry-run | Get an idea of what audit fix will do | ||
--force | Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones | false | |
--help/-h | Print help message | ||
--legacy-peer-deps | Accept an incorrect (potentially broken) deps resolution | ✔ | |
--loglevel | Set custom log level | ✔ | |
--npm-path | Switch to project's local npm version instead of system default. Or provide a custom path. system / local / <custom path> | system | |
--only | Set package update scope: dev /prod | ||
--package-lock-only | Run audit fix without modifying node_modules . Highly recommended to enable. | true | ✔ |
--registry | Custom registry url | ✔ | |
--silent | Disable log output | false | |
--symlink | Symlink type for node_modules ref | junction for Windows, dir otherwise | |
--temp | Directory for temporary assets | <cwd>/node_modules/.cache/yarn-audit-fix | |
--verbose | Switch log level to verbose/debug | false | |
--exclude | Array of glob patterns of packages to exclude from audit | ||
--ignore | Array of glob patterns of advisory IDs to ignore in the audit report |
All mentioned above CLI options can be replaced with the corresponding env variables with leading YAF prefix. For example:
YAF_FORCE
equals --force
YAF_ONLY=prod
— --only=prod
yarn-audit-fix is a naive and optimistic workaround, so it exposes all of its inners to give anybody a chance to tweak up and find a better steps combination. Typedoc: https://antongolub.github.io/yarn-audit-fix/modules/
1import { run, runSync } from 'yarn-audit-fix' 2 3// NOTE actually it's promisified `run.sync` 4await run({ 5 flow: 'patch', 6 verbose: true 7}) 8 9// `runSync` is an alias for `run.sync` 10await runSync({ 11 flow: 'patch', 12 verbose: true 13})
Build and run custom flows.
1import { 2 clear, 3 exit, 4 patchLockfile, 5 yarnInstall 6} from 'yarn-audit-fix' 7 8export const flow: TFlow = { 9 main: [ 10 [ 11 'Patching yarn.lock with audit data...', 12 patchLockfile, 13 (...args) => {console.log('Smth interesting:', ...args)}, 14 yarnInstall, 15 ], 16 ['Done'], 17 ], 18 fallback: [['Failure!', exit]], 19} 20 21await run({}, flow)
v10 bumps the pkg deps and requires NodeJS v14.
v9 brings experimental Yarn 2+ lockfiles support, so the previous behaviour (when yaf
parsing failure may be used to detect them) has been changed.
From v8 the library does not contain npm dependency, so the system default is used instead. If necessary you can:
npm_config_yes=true YAF_NPM_PATH=local npx -p yarn-audit-fix -p npm@8 -c yarn-audit-fix
Following the deps, converted to ESM. So legacy require
API has been dropped since v7.0.0. Use the shiny new import
instead or try your luck with esm-hook. CLI works as before.
1// const {run} = require('yarn-audit-fix') turns into 2import {run} from 'yarn-audit-fix'
Default fix strategy has been changed to direct lockfile patching with yarn audit --json
data. To use the previous legacy flow, pass --flow=convert
option to CLI.
--npm-v7
flag is redundant. From v4.0.0 package's own version of npm is used by default. But you're still able to invoke system default with --npm-path=system
or define any custom --npm-path=/another/npm/bin
.
If you have installed yaf between 7...11 of Jan 2022 and ran it with --flow=convert
option, you might see an endless garbage loop in stdout.
The problem was caused by the transitive dep: yarn-audit-fix → synp → colors@^1.4.0
. Reasons and details: issues/218, snykvuln/2331906.
How to fix? There are 3 ways:
>=9.0.5
colors
version in your lockfile to 1.4.0
colors
from the registry, 2022-01-11.npm_config_yes=true npx yarn-audit-fix --audit-level=moderate
Runtime digest
yarn-audit-fix version 4.3.6 is out of date. Install the latest 6.0.0 for better results
npx caches previously loaded packages, so you need one of:
npm yarn-audit-fix@6.0.0
rm -rf ~/.npm/_npx
After installation, the package may not be found. This is probably an issue with $PATH finding node_modules/.bin
contents or smth like that (npm/issues/957).
A bit annoying, but it's easy to handle in several ways.
yarn yarn-audit-fix
.node_modules/.bin/yarn-audit-fix
script.In some cases npm audit fix makes node_modules
to become inconsistent. This is expected. yarn and npm organize the directory space slightly differently.
npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/node-gyp as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/node-gyp
npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/uuid as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/uuid
npm ERR! code ENOENT
npm ERR! syscall chmod
npm ERR! path /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js
npm ERR! errno -2
npm ERR! enoent ENOENT: no such file or directory, chmod '/Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent
npm ERR! /Users/antongolub/.npm/_logs/2020-08-23T07_09_26_924Z-debug.log
{
status: 254,
signal: null,
output: [ null, null, null ]
Let's try this workaround:
node_modules
state. yarn --force
or rm-rf node_modules && yarn
.npx yarn-audit-fix --package-lock-only
. The last param should instruct npm not to modify node_modules
contents.The problem only concerns repositories with workspaces
(monorepos).
npm audit fix --force
throws 1 status code and suggests running npm audit fix --force
. This quite ironic behaviour is exactly what npm (arborist) does now.
$$ yarn-audit-fix --force
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke /home/qwelias/.nvm/versions/node/v12.18.1/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --force --prefix=/home/qwelias/prj/stuff/test-yarn-audit-fix/node_modules/.cache/yarn-audit-fix
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating lodash to 4.17.20,which is outside your stated dependency range.
npm WARN audit Manual fix required in linked project at ./packages/bar for lodash@<=4.17.18.
npm WARN audit 'cd ./packages/bar' and run 'npm audit' for details.
npm WARN audit Manual fix required in linked project at ./packages/foo for lodash@<=4.17.18.
npm WARN audit 'cd ./packages/foo' and run 'npm audit' for details.
up to date, audited 7 packages in 2s
# npm audit report
lodash <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/782
Prototype Pollution - https://npmjs.com/advisories/1065
fix available via `npm audit fix --force`
Will install lodash@4.17.20, which is outside the stated dependency range
packages/bar/node_modules/lodash
packages/foo/node_modules/lodash
1 high severity vulnerability
To address all issues, run:
npm audit fix --force
{
status: 1,
signal: null,
output: [ null, null, null ],
pid: 176019,
stdout: null,
stderr: null
}
So you need, as the message says, to manually change the dependency versions. npm@7 is still in beta, perhaps this logic will be changed later.
In some cases npm@6 works better, so if you have such a version installed on your system, you may try:
1npx yarn-audit-fix --npm-path=system --flow=convert
You may also try to cast the optimistic flags combo
1npx yarn-audit-fix --package-lock-only=false --force --legacy-peer-deps --flow=convert
Unfortunately, even this invocation may return something like:
1# npm audit report 2 3hosted-git-info <3.0.8 4Severity: moderate 5Regular Expression Deinal of Service - https://npmjs.com/advisories/1677 6No fix available 7node_modules/normalize-package-data/node_modules/hosted-git-info 8 normalize-package-data 2.0.0 - 2.5.0 9 Depends on vulnerable versions of hosted-git-info 10 node_modules/normalize-package-data 11 meow 3.4.0 - 9.0.0 12 Depends on vulnerable versions of normalize-package-data 13 Depends on vulnerable versions of read-pkg-up
No fix available just means that no fix available. If you still doubt the correctness of the output, you can check it by hand.
1npm i --package-lock-only 2npm audit fix --package-lock-only --force
Same response for alternative patching flow:
1npm_config_yes=true npx yarn-audit-fix --audit-level=moderate --flow=patch
1Patching yarn.lock with audit data... 2invoke yarn audit --json --level moderate 3Can't find patched version that satisfies postcss@^7.0.0 in >=8.2.10 4Can't find patched version that satisfies postcss@^7.0.1 in >=8.2.10 5Can't find patched version that satisfies postcss@^7.0.27 in >=8.2.10 6Can't find patched version that satisfies ws@^7.2.3 in >=6.2.2 <7.0.0 || >=7.4.6 7Upgraded deps: <none> 8invoke yarn --update-checksums
Not everything can be repaired, alack.
yarn-audit-fix is compatible with any NodeJS version which supports ESM, but the nested packages can define their own engine requirements.
1pkg-dir@7.0.0: The engine "node" is incompatible with this module. Expected version ">=14.16". Got "14.15.1"
The recommended way is to update the runtime version. As a temporary workaround, you can simply pass --ignore-engines
flag.
1yarn add yarn-audit-fix -D --ignore-engines
In some cases yarn npm audit fails because the yarn.lock
file contains a transitive dependency in unreadable format:
'example-dependency': 'npm:example-dependency@1.0.0'
This will results in:
1invoke yarn npm audit --all --json --recursive 2➤ YN0035: Bad Request 3➤ YN0035: Response Code: 400 (Bad Request) 4➤ YN0035: Request Method: POST 5➤ YN0035: Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick
https://github.com/yarnpkg/berry/issues/4117
A workaround is available using the exclude
option:
npx yarn-audit-fix --exclude example-dependency
. This will cause yarn to ignore example-dependency
while creating the audit report.Feel free to open any issues: bugs, feature requests or other questions. You're always welcome to suggest a PR. Just fork this repo, write some code, add some tests and push your changes. Any feedback is appreciated.
No vulnerabilities found.
Reason
22 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
Reason
license file detected
Details
Reason
SAST tool is run on all commits
Details
Reason
Found 3/19 approved changesets -- score normalized to 1
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
104 existing vulnerabilities detected
Details
Score
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More