Skip to content

sargunv/yarn-plugin-npm-audit-fix

BranchesTags

Repository files navigation

yarn npm audit fix

Yarn plugin to fix npm audit issues.

Currently, the plugin searches for all descriptors in your dependency tree matching the module name and vulnerable versions of an audit advisory, and checks if new versions are available from the registry that will both satisfy the patched version range from the advisory AND the descriptor's requested version range. If so, it'll update the resolution to the new version.

I plan to add some additional strategies in the future:

  • Walk up the tree from vulnerable packages to see if upgrading a parent package will resolve the advisory
  • If updating a package that's a direct dependency via a project manifest, update the manifest to declare the new version
  • Add a --force flag that will apply semver-compatible resolutions even if they're not in the descriptor's requested range

Installation

For Yarn v3:

yarn plugin import 'https://raw.githubusercontent.com/sargunv/yarn-plugin-npm-audit-fix/yarn-v3/bundles/%40yarnpkg/plugin-npm-audit-fix.js'

Usage

To attempt to fix all advisories:

yarn npm audit fix --all --recursive --mode=update-lockfile

The command takes all the same flags as yarn npm audit, and also --mode from yarn install.

About

Yarn plugin to fix npm audit issues.

Topics

plugin yarn yarn-berry yarn-plugin

Resources

Readme

License

Apache-2.0 license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages