
Sometimes I get alerts on GitHub because my project’s npm packages have security issues.

With npm, you can use npm audit fix to update your packages.

What about yarn?

Yarn also has a command for auditing packages:

yarn audit

This command shows a list of vulnerable packages. But there is no yarn audit fix!

What can you do?

If you want to store the results of yarn audit:

yarn audit --json > audit-output.json

Now you can inspect the file.

How to fix the issues?

You can upgrade your packages. But this only helps with the packages that you’ve listed in your package.json file yourself. It doesn’t help if the security issue is in a package that one of your installed packages relies on.

What?

It often happens with @babel packages, which depend on third-party libraries like lodash. Lodash might have a security issue, but you haven’t installed lodash directly, so upgrading your own dependencies doesn’t change which lodash version gets installed.

Here is an answer I found on Stack Overflow:

The solution to this problem in yarn is called selective version resolutions which is basically defining resolutions for the transitive dependencies in the package.json.

The transitive dependencies are the dependencies of dependencies.

{
  "resolutions": { "**/**/lodash": "^4.17.12" }
}

So here, even if lodash isn’t a direct dependency of your package, the dependent package in your package uses the version defined in the resolutions. Specific resolutions can also be provided.

Here is the yarn documentation about selective dependency resolutions.

Further Reading