Skip to content

sargunv/yarn-plugin-npm-audit-fix

Repository files navigation

yarn npm audit fix

Yarn plugin to fix npm audit issues.

Currently, the plugin searches for all descriptors in your dependency tree matching the module name and vulnerable versions of an audit advisory, and checks if new versions are available from the registry that will both satisfy the patched version range from the advisory AND the descriptor's requested version range. If so, it'll update the resolution to the new version.

I plan to add some additional strategies in the future:

  • Walk up the tree from vulnerable packages to see if upgrading a parent package will resolve the advisory
  • If updating a package that's a direct dependency via a project manifest, update the manifest to declare the new version
  • Add a --force flag that will apply semver-compatible resolutions even if they're not in the descriptor's requested range

Installation

For Yarn v3:

yarn plugin import 'https://raw.githubusercontent.com/sargunv/yarn-plugin-npm-audit-fix/yarn-v3/bundles/%40yarnpkg/plugin-npm-audit-fix.js'

Usage

To attempt to fix all advisories:

yarn npm audit fix --all --recursive --mode=update-lockfile

The command takes all the same flags as yarn npm audit, and also --mode from yarn install.

About

Yarn plugin to fix npm audit issues.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published