Yarn doesn’t have npm audit fix.
But here’s how to do it by using npm – temporarily.
- Generate a
package-lock.jsonfile without installing node modules
npm i --package-lock-only
- Fix the packages and update the
package-lock.jsonfile
npm audit fix
- Delete the
yarn.lockfile and convertpackage-lock.jsonfile intoyarn.lock
rm yarn.lock
yarn import
- Delete the
package-lock.jsonfile
rm package-lock.json
For example:
yarn audit
38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate
(I know. react-scripts is crazy…)
npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm i --package-lock-only
...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix
...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s
50 packages are looking for funding
run `npm fund` for details
fixed 211 of 495 vulnerabilities in 913793 scanned packages
284 vulnerabilities required manual review and could not be updated
git status -s
?? package-lock.json
yarn import
yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨ Done in 25.61s
rm package-lock.json