Apply npm audit fix logic to yarn.lock
-
yarn auditdetects vulnerabilities, but cannot fix them. Authors suggest using Depedabot or Snyk for security patches. Well, it is very inconvenient in some situations, to say the least of it. The discussion: yarn/issues/7075.
Fortunately, there's a workaround: stackoverflow/60878037 (thanks to Gianfranco P.).yarn-audit-fixis just a composition of these steps into a single utility. More details: dev.to/yarn-audit-fix-workaround -
yarn auditdoes not support custom (in-house, internal) registries. Here are the issue & PR which have not yet received the green light.
$ yarn add yarn-audit-fix -Dor even better
npx yarn-audit-fix
$ yarn-audit-fix Preparing temp assets... Generating package-lock.json from yarn.lock... Applying npm audit fix... invoke npm audit fix --package-lock-only added 14 packages, removed 195 packages and updated 1245 packages in 4.795s fixed 3 of 26 vulnerabilities in 1370 scanned packages 23 vulnerabilities required manual review and could not be updated Updating yarn.lock from package-lock.json... invoke yarn import info found npm package-lock.json, converting to yarn.lock warning synp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 warning tslint-config-qiwi > tslint-react@5.0.0: tslint-react is deprecated along with TSLint warning @qiwi/libdefkit > @types/read-pkg@5.1.0: This is a stub types definition. read-pkg provides its own type definitions, so you do not need this installed. ... success Saved lockfile. invoke yarn [1/4] 🔍 Resolving packages... success Already up-to-date. Done
--npm-v7 flag is redundant. From v4.0.0 package's own version of npm is used by default. But you're still able to invoke system default with --npm-path=system or define any custom --npm-path=/another/npm/bin.
| Flag | Description | Default |
|---|---|---|
--audit-level |
Include a vulnerability with a level as defined or higher. Supported values: low, moderate, high, critical | low |
--dry-run |
Get an idea of what audit fix will do | |
--force |
Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones | false |
--legacy-peer-deps |
Accept an incorrect (potentially broken) deps resolution | |
--loglevel |
Set custom log level | |
--npm-path |
Declare npm path: switch to system default version of npm instead of package's own. system / local / <custom path> |
local |
--only |
Set package updating scope: dev/prod |
|
--package-lock-only |
Run audit fix without modifying node_modules. Highly recommended to enable. |
true |
--registry |
Custom registry url | |
--silent |
Disable log output | false |
--temp |
Directory for temporary assets | <cwd>/node_modules/.cache/yarn-audit-fix |
--symlink |
Symlink type for node_modules ref |
junction for Windows, dir otherwise |
--verbose |
Switch log level to verbose/debug | false |
All mentioned above CLI directives can be replaced with corresponding env variables with leading YAF prefix. For example:
YAF_FORCEequals--forceYAF_ONLY=prod—--only=prod
In some cases npm audit fix makes node_modules to become inconsistent. This is expected. yarn and npm organize the directory space slightly differently.
npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/node-gyp as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/node-gyp
npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/uuid as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/uuid
npm ERR! code ENOENT
npm ERR! syscall chmod
npm ERR! path /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js
npm ERR! errno -2
npm ERR! enoent ENOENT: no such file or directory, chmod '/Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent
npm ERR! /Users/antongolub/.npm/_logs/2020-08-23T07_09_26_924Z-debug.log
{
status: 254,
signal: null,
output: [ null, null, null ]
Let's try this workaround:
- Restore the original
node_modulesstate.yarn --forceorrm-rf node_modules && yarn. - Apply
npx yarn-audit-fix --package-lock-only. The last param should instruct npm not to modifynode_modulescontents.
After installation the package may not be found. This is probably an issue with $PATH finding node_modules/.bin contents or smth like that (npm/issues/957).
A bit annoying, but it's easy to handle in several ways.
- You're able to run the cmd through yarn:
yarn yarn-audit-fix. - Simply invoke
node_modules/.bin/yarn-audit-fixscript.
The problem only concerns repositories with workspaces (monorepos).
npm audit fix --force throws 1 status code and suggests running npm audit fix --force. This quite ironic behaviour is exactly what npm (arborist) does now.
$$ yarn-audit-fix --force
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke /home/qwelias/.nvm/versions/node/v12.18.1/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --force --prefix=/home/qwelias/prj/stuff/test-yarn-audit-fix/node_modules/.cache/yarn-audit-fix
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating lodash to 4.17.20,which is outside your stated dependency range.
npm WARN audit Manual fix required in linked project at ./packages/bar for lodash@<=4.17.18.
npm WARN audit 'cd ./packages/bar' and run 'npm audit' for details.
npm WARN audit Manual fix required in linked project at ./packages/foo for lodash@<=4.17.18.
npm WARN audit 'cd ./packages/foo' and run 'npm audit' for details.
up to date, audited 7 packages in 2s
# npm audit report
lodash <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/782
Prototype Pollution - https://npmjs.com/advisories/1065
fix available via `npm audit fix --force`
Will install lodash@4.17.20, which is outside the stated dependency range
packages/bar/node_modules/lodash
packages/foo/node_modules/lodash
1 high severity vulnerability
To address all issues, run:
npm audit fix --force
{
status: 1,
signal: null,
output: [ null, null, null ],
pid: 176019,
stdout: null,
stderr: null
}
So you need, as the message says, to manually change the dependency versions. npm@7 is still in beta, perhaps this logic will be changed later.
In some cases npm@6 works better, so if you have such a version installed on your system, you may try:
npx yarn-audit-fix --npm-path=systemYou may also try to cast the optimistic flags combo
npx yarn-audit-fix --package-lock-only=false --force --legacy-peer-depsUnfortunately, even this invocation may return something like:
# npm audit report
hosted-git-info <3.0.8
Severity: moderate
Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
No fix available
node_modules/normalize-package-data/node_modules/hosted-git-info
normalize-package-data 2.0.0 - 2.5.0
Depends on vulnerable versions of hosted-git-info
node_modules/normalize-package-data
meow 3.4.0 - 9.0.0
Depends on vulnerable versions of normalize-package-data
Depends on vulnerable versions of read-pkg-upNo fix available just means that no fix available. If you still doubt the correctness of the output, you can check it.
npm i --package-lock-only
npm audit fix --package-lock-only --forceNot everything can be fixed, alack.