
Fix npm vulnerabilities with yarn

Sometimes we get security alerts on GitHub because our project's npm packages have security issues. With npm we can run npm audit fix to update the affected packages. Yarn also has a command for auditing packages, yarn audit, which lists the vulnerable packages, but there is no yarn audit --fix. So I am trying to figure out how to fix the errors that yarn audit reports. Running yarn upgrade fixed some of them, but several remain. For the remaining high-severity ones I tried yarn add <package>@latest, but that only bumps the version in our package.json, and I think the problem comes from a dependency of a package I am using rather than the package itself. Here is an example of some of my remaining errors:

Here is an answer I found: The solution to this problem in yarn is called selective version resolution, which basically means defining resolutions for transitive dependencies in package.json. Transitive dependencies are the dependencies of your dependencies.

{
  "resolutions": {
    "**/lodash": "^4.17.12"
  }
}

So here, even if lodash isn't a direct dependency of your package, the packages that depend on it use the version defined in resolutions. Specific resolutions can also be provided. You can check the yarn documentation on selective dependency resolutions.
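Writing the resolutions block by hand gets tedious once more than one transitive package is flagged, and nothing above checks that the override actually took effect. The Node script below is an added example, not code from this post or from the answer quoted above: it reads the NDJSON that yarn classic's yarn audit --json prints, turns each transitive finding into a resolutions entry (global "**/name" form by default, or the "top-level-dep/**/name" form when you want the specific resolution the answer mentions), and then parses a v1 yarn.lock to confirm no locked copy is still outside the forced range. The audit records, the lockfile, and the names some-dep and example-unpatched-pkg are constructed for the example; the lodash data matches the resolution shown above.

```javascript
// Added example, not code from the original post or the quoted answer. Assumes yarn classic (v1):
// `yarn audit --json` prints one JSON object per line and yarn.lock is the v1 text format.
// Constructed sample in the shape of `yarn audit --json` output. lodash < 4.17.12 matches the
// resolution in the post; `some-dep` and `example-unpatched-pkg` are hypothetical names.
const lodashAdvisory = { module_name: "lodash", severity: "high", title: "Prototype Pollution",
  vulnerable_versions: "<4.17.12", patched_versions: ">=4.17.12",
  findings: [{ version: "4.17.11", paths: ["lodash", "react-scripts>webpack>lodash"] }] };
const SAMPLE_AUDIT = [
  { type: "auditAdvisory", data: { resolution: { path: "lodash", dev: false }, advisory: lodashAdvisory } },
  { type: "auditAdvisory", data: { resolution: { path: "react-scripts>webpack>lodash", dev: false }, advisory: lodashAdvisory } },
  { type: "auditAdvisory", data: { resolution: { path: "jest>mkdirp>minimist", dev: true }, advisory: {
      module_name: "minimist", severity: "low", title: "Prototype Pollution", vulnerable_versions: "<0.2.1 || >=1.0.0 <1.2.3",
      patched_versions: ">=0.2.1 <1.0.0 || >=1.2.3", findings: [{ version: "0.0.8", paths: ["jest>mkdirp>minimist"] }] } } },
  { type: "auditAdvisory", data: { resolution: { path: "some-dep>example-unpatched-pkg", dev: false }, advisory: {
      module_name: "example-unpatched-pkg", severity: "moderate", title: "Hypothetical issue", vulnerable_versions: "*",
      patched_versions: "<0.0.0", // how the advisory format encodes "no fixed release exists"
      findings: [{ version: "1.0.0", paths: ["some-dep>example-unpatched-pkg"] }] } } },
  { type: "auditSummary", data: { vulnerabilities: { low: 1, moderate: 1, high: 2 } } },
].map((o) => JSON.stringify(o)).join("\n");
// Constructed v1 yarn.lock trimmed to its version lines: two lodash ranges collapsed onto one
// vulnerable copy, plus a scoped package to exercise name parsing.
const SAMPLE_LOCK = `# yarn lockfile v1
"@types/lodash@^4.14.0":
  version "4.14.120"
lodash@^4.17.4, lodash@^4.17.5:
  version "4.17.11"
minimist@^0.0.8:
  version "0.0.8"
`;
// Minimal semver helpers so the script needs no `semver` package.
function parseVer(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${s}`);
  return m.slice(1, 4).map(Number);
}
const cmpVer = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// `^x.y.z` permits changes that leave the leftmost non-zero component alone.
function satisfiesCaret(version, range) {
  const floor = parseVer(range.replace(/^\^/, "")), [ma, mi, pa] = floor, v = parseVer(version);
  const ceil = ma > 0 ? [ma + 1, 0, 0] : mi > 0 ? [0, mi + 1, 0] : [0, 0, pa + 1];
  return cmpVer(v, floor) >= 0 && cmpVer(v, ceil) < 0;
}
// Patched release to force: the lowest `>=` floor above the installed version, preferring one
// on the same major line so the forced upgrade is not a breaking one. null = no fixed release.
function pickFloor(installed, patchedVersions) {
  const cur = parseVer(installed);
  const above = [...patchedVersions.matchAll(/>=\s*v?(\d+\.\d+\.\d+)/g)]
    .map((m) => parseVer(m[1])).filter((f) => cmpVer(f, cur) > 0).sort(cmpVer);
  const pick = above.find((f) => f[0] === cur[0]) || above[0];
  return pick ? pick.join(".") : null;
}
// Build the "resolutions" block from audit NDJSON. Direct dependencies are listed separately:
// fix those by bumping package.json rather than with a resolution.
function buildResolutions(ndjson, { specific = false } = {}) {
  const resolutions = {}, direct = [], unfixable = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== "auditAdvisory") continue; // skip auditSummary and any other record type
    const { advisory, resolution } = rec.data;
    const name = advisory.module_name, chain = resolution.path.split(">");
    if (chain.length === 1) { direct.push(name); continue; }
    const finding = advisory.findings.find((f) => f.paths.includes(resolution.path)) || advisory.findings[0];
    const floor = pickFloor(finding.version, advisory.patched_versions);
    if (!floor) { unfixable.push(`${name}@${finding.version} (${resolution.path})`); continue; }
    // "**/lodash" forces every copy; "react-scripts/**/lodash" only the copies under that dependency.
    const key = specific ? `${chain[0]}/**/${name}` : `**/${name}`;
    if (!resolutions[key] || cmpVer(parseVer(floor), parseVer(resolutions[key].slice(1))) > 0)
      resolutions[key] = `^${floor}`; // keep the highest floor when several advisories hit one key
  }
  return { resolutions, direct, unfixable };
}
// Parse a v1 yarn.lock into [{ name, version }]. Each entry is a non-indented header such as
// `lodash@^4.17.4, lodash@^4.17.5:` or `"@types/lodash@^4.14.0":` followed by an indented version line.
function lockedVersions(lockText) {
  const out = [];
  for (const m of lockText.matchAll(/^([^\s#][^\n]*):\n\s+version "([^"]+)"/gm)) {
    const spec = m[1].split(",")[0].trim().replace(/^"|"$/g, "");
    out.push({ name: spec.slice(0, spec.lastIndexOf("@")), version: m[2] }); // keeps a leading "@scope/"
  }
  return out;
}
// After `yarn install`, confirm no locked copy is still outside the forced range. yarn.lock does not
// record which parent pulled a copy in, so a path-specific key is checked against every copy of the name.
function checkLock(lockText, resolutions) {
  const locked = lockedVersions(lockText), violations = [];
  for (const [key, range] of Object.entries(resolutions)) {
    const i = key.lastIndexOf("**/"), name = i < 0 ? key : key.slice(i + 3);
    for (const { name: n, version } of locked)
      if (n === name && !satisfiesCaret(version, range)) violations.push({ key, version, wanted: range });
  }
  return violations;
}
const report = buildResolutions(SAMPLE_AUDIT);
console.log(JSON.stringify({ resolutions: report.resolutions }, null, 2));
console.log("bump in package.json:", report.direct, "| no fixed release:", report.unfixable);
console.log("still outside the forced range:", checkLock(SAMPLE_LOCK, report.resolutions));
```

To use it on a real project, save the audit with yarn audit --json > audit.ndjson and pass that text (and the contents of yarn.lock) to the two functions instead of the constructed samples. Three things to keep in mind: a resolution overrides whatever range the dependent package asked for, so a forced upgrade can break that package; the script prefers a patched release on the same major line for that reason, but your test suite is the real check. An advisory whose patched_versions is "<0.0.0" has no fixed release, so no resolution can silence it; the script lists those separately so they are not papered over. And a resolution only counts once it is in yarn.lock, so run yarn install and then yarn audit again, and use yarn why <package> when you want to see which top-level dependency pulls the vulnerable copy in.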