TypeScript icon, indicating that this package has built-in type declarations

    7.0.4 • Public • Published

    Yarn audit fix


    Build Status deps Maintainability Test Coverage Sonar npm (tag)

    Apply npm audit fix logic to yarn.lock

    Table of Contents



    1. yarn audit detects vulnerabilities, but cannot fix them. Authors suggest using Depedabot or Snyk for security patches. Well, it is very inconvenient in some situations, to say the least of it. The discussion: yarn/issues/7075.
    2. yarn audit does not support custom (in-house, internal) registries. Here are the issue & PR which have not yet received the green light.


    Fortunately, there are several workarounds:

    1. Compose npm audit fix with lockfile converter (thanks to Gianfranco P., stackoverflow/60878037). yarn-audit-fix --flow=convert just reproduces these steps with minimal changes. More details: dev.to/yarn-audit-fix-workaround
    2. Fetch yarn/npm audit --json and patch lockfile inners (kudos to G. Kosev, code reference). yarn-audit-fix --flow=patch

    Key features

    • A couple of strategies to fix security issues
    • Mac / Linux / Windows support
    • CLI / JS API
    • TS and flow typings

    Getting started


    Node.js: ^12.20.0 || ^14.13.1 || >=16.0.0


    $ yarn add yarn-audit-fix -D

    or even better

    npm_config_yes=true npx yarn-audit-fix


    $ yarn-audit-fix [--opts]
    Preparing temp assets...
    Generating package-lock.json from yarn.lock...
    Applying npm audit fix...
    invoke npm audit fix --package-lock-only
    added 14 packages, removed 195 packages and updated 1245 packages in 4.795s
    fixed 3 of 26 vulnerabilities in 1370 scanned packages
      23 vulnerabilities required manual review and could not be updated
    Updating yarn.lock from package-lock.json...
    invoke yarn import
    info found npm package-lock.json, converting to yarn.lock
    warning synp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
    warning tslint-config-qiwi > tslint-react@5.0.0: tslint-react is deprecated along with TSLint
    warning @qiwi/libdefkit > @types/read-pkg@5.1.0: This is a stub types definition. read-pkg provides its own type definitions, so you do not need this installed.
    success Saved lockfile.
    invoke yarn
    [1/4] 🔍  Resolving packages...
    success Already up-to-date.
    Option Description Default with --flow=convert only
    --flow Define how yarn.lock is modified. convert — to compose npm audit fix with two-way lockfile conversion (legacy flow). patch — to directly inject audit json data patch
    --audit-level Include a vulnerability with a level as defined or higher. Supported values: low, moderate, high, critical low
    --dry-run Get an idea of what audit fix will do
    --force Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones false
    --help/-h Print help message
    --legacy-peer-deps Accept an incorrect (potentially broken) deps resolution
    --loglevel Set custom log level
    --npm-path Declare npm path: switch to system default version of npm instead of package's own. system / local / <custom path> local
    --only Set package update scope: dev/prod
    --package-lock-only Run audit fix without modifying node_modules. Highly recommended to enable. true
    --registry Custom registry url
    --silent Disable log output false
    --symlink Symlink type for node_modules ref junction for Windows, dir otherwise
    --temp Directory for temporary assets <cwd>/node_modules/.cache/yarn-audit-fix
    --verbose Switch log level to verbose/debug false


    All mentioned above CLI options can be replaced with the corresponding env variables with leading YAF prefix. For example:

    • YAF_FORCE equals --force
    • YAF_ONLY=prod--only=prod

    JS API

    yarn-audit-fix is a naive and optimistic workaround, so it exposes all of its inners to give anybody a chance to tweak up and find a better steps combination. Typedoc: https://antongolub.github.io/yarn-audit-fix/modules/

    import { run } from 'yarn-audit-fix'
    // NOTE actually it's promisified run.sync
    await run({
       flow: 'patch',
       verbose: true

    Build and run custom flows.

    import {
    } from 'yarn-audit-fix'
    export const flow: TFlow = {
      main: [
          'Patching yarn.lock with audit data...',
          (...args) => {console.log('Smth interesting:', ...args)},
      fallback: [['Failure!', exit]],
    await run({}, flow)

    Migration notes


    Following the deps, converted to ESM. So legacy require API is not supported now. Use new shiny import instead or try your luck with esm-hook. CLI works as before.

    // const {run} = require('yarn-audit-fix') turns into
    import {run} from 'yarn-audit-fix'


    Default fix strategy has been changed to direct lockfile patching with yarn audit --json data. To use the previous legacy flow, pass --flow=convert option to CLI.


    --npm-v7 flag is redundant. From v4.0.0 package's own version of npm is used by default. But you're still able to invoke system default with --npm-path=system or define any custom --npm-path=/another/npm/bin.


    yarn-audit-fix version x.x.x is out of date

    npm_config_yes=true npx yarn-audit-fix --audit-level=moderate
    Runtime digest
    yarn-audit-fix version 4.3.6 is out of date. Install the latest 6.0.0 for better results

    npx caches previously loaded packages, so you need one of:

    1. Define version to load: npm yarn-audit-fix@6.0.0
    2. Reset npx cache. For Mac/Linux: rm -rf ~/.npm/_npx

    yarn-audit-fix command not found

    After installation, the package may not be found. This is probably an issue with $PATH finding node_modules/.bin contents or smth like that (npm/issues/957). A bit annoying, but it's easy to handle in several ways.

    • You're able to run the cmd through yarn: yarn yarn-audit-fix.
    • Simply invoke node_modules/.bin/yarn-audit-fix script.

    enoent: no such file or directory

    In some cases npm audit fix makes node_modules to become inconsistent. This is expected. yarn and npm organize the directory space slightly differently.

    npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/node-gyp as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/node-gyp
    npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/uuid as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/uuid
    npm ERR! code ENOENT
    npm ERR! syscall chmod
    npm ERR! path /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js
    npm ERR! errno -2
    npm ERR! enoent ENOENT: no such file or directory, chmod '/Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js'
    npm ERR! enoent This is related to npm not being able to find a file.
    npm ERR! enoent 
    npm ERR!     /Users/antongolub/.npm/_logs/2020-08-23T07_09_26_924Z-debug.log
      status: 254,
      signal: null,
      output: [ null, null, null ]

    Let's try this workaround:

    1. Restore the original node_modules state. yarn --force or rm-rf node_modules && yarn.
    2. Apply npx yarn-audit-fix --package-lock-only. The last param should instruct npm not to modify node_modules contents.

    --force did not force the update

    The problem only concerns repositories with workspaces (monorepos). npm audit fix --force throws 1 status code and suggests running npm audit fix --force. This quite ironic behaviour is exactly what npm (arborist) does now.

    $$ yarn-audit-fix --force          
     Preparing temp assets...
     Generating package-lock.json from yarn.lock...
     Applying npm audit fix...
     invoke /home/qwelias/.nvm/versions/node/v12.18.1/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --force --prefix=/home/qwelias/prj/stuff/test-yarn-audit-fix/node_modules/.cache/yarn-audit-fix
     npm WARN using --force Recommended protections disabled.
     npm WARN audit Updating lodash to 4.17.20,which is outside your stated dependency range.
     npm WARN audit Manual fix required in linked project at ./packages/bar for lodash@<=4.17.18.
     npm WARN audit 'cd ./packages/bar' and run 'npm audit' for details.
     npm WARN audit Manual fix required in linked project at ./packages/foo for lodash@<=4.17.18.
     npm WARN audit 'cd ./packages/foo' and run 'npm audit' for details.
     up to date, audited 7 packages in 2s
     # npm audit report
     lodash  <=4.17.18
     Severity: high
     Prototype Pollution - https://npmjs.com/advisories/782
     Prototype Pollution - https://npmjs.com/advisories/1065
     fix available via `npm audit fix --force`
     Will install lodash@4.17.20, which is outside the stated dependency range
     1 high severity vulnerability
     To address all issues, run:
       npm audit fix --force
       status: 1,
       signal: null,
       output: [ null, null, null ],
       pid: 176019,
       stdout: null,
       stderr: null

    So you need, as the message says, to manually change the dependency versions. npm@7 is still in beta, perhaps this logic will be changed later. In some cases npm@6 works better, so if you have such a version installed on your system, you may try:

    npx yarn-audit-fix --npm-path=system --flow=convert

    You may also try to cast the optimistic flags combo

    npx yarn-audit-fix --package-lock-only=false --force --legacy-peer-deps --flow=convert

    Unfortunately, even this invocation may return something like:

    # npm audit report
    hosted-git-info  <3.0.8
    Severity: moderate
    Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
    No fix available
      normalize-package-data  2.0.0 - 2.5.0
      Depends on vulnerable versions of hosted-git-info
        meow  3.4.0 - 9.0.0
        Depends on vulnerable versions of normalize-package-data
        Depends on vulnerable versions of read-pkg-up

    No fix available just means that no fix available. If you still doubt the correctness of the output, you can check it by hand.

    npm i --package-lock-only
    npm audit fix --package-lock-only --force

    Same response for alternative patching flow:

    npm_config_yes=true npx yarn-audit-fix --audit-level=moderate --flow=patch
    Patching yarn.lock with audit data...
    invoke yarn audit --json --level moderate
    Can't find patched version that satisfies postcss@^7.0.0 in >=8.2.10
    Can't find patched version that satisfies postcss@^7.0.1 in >=8.2.10
    Can't find patched version that satisfies postcss@^7.0.27 in >=8.2.10
    Can't find patched version that satisfies ws@^7.2.3 in >=6.2.2 <7.0.0 || >=7.4.6
    Upgraded deps: <none>
    invoke yarn --update-checksums

    Not everything can be repaired, alack.


    Feel free to open any issues: for bugs, feature requests or questions. You're always welcome to suggest a PR. Just fork this repo, write some code, add some tests and push your changes. Any feedback is appreciated.




    npm i yarn-audit-fix

    DownloadsWeekly Downloads






    Unpacked Size

    140 kB

    Total Files


    Last publish


    • antongolub