Open jdanil opened 3 years ago
Would this package cover this requirement: yarn-audit-fix?
I've recently written a plugin for this: https://github.com/sargunv/yarn-plugin-npm-audit-fix.
If maintainers are interested in getting this implementation into Yarn itself, I'd be happy to start a PR.
Describe the user story
As a developer, when `yarn npm audit` reports vulnerabilities, I would like to be able to remediate them if compatible patched versions exist. Currently, to resolve vulnerabilities I either need to... `yarn install`, remove the resolution, run `yarn install` again, or `yarn up --recursive` on each vulnerable package.
Describe the solution you'd like
I would like to propose adding a `--fix` option to `yarn npm audit`. Now that `yarn up` supports a `--recursive` option (introduced in #2427), I think it should be fairly easy to iterate over the advisories and run `yarn up <name> --recursive` for each advisory, to attempt to update any dependencies that were reported as vulnerable to their latest compatible versions.
Describe the drawbacks of your solution
What I'm not 100% sure about yet is how we would update the audit results. After running `yarn up --recursive`, would we then try to find the installed versions of the dependency and then use a semver util to see if it matches a patched version, and if it does, remove the advisory from the results? The results from the audit endpoint may need to be coerced a bit to perform this comparison as they aren't always valid semver ranges (e.g. `>1.0.0 <2.0.0`). Another alternative I considered is to simply trigger a new request for an audit report and let the server figure out what vulnerabilities remain.
Describe alternatives you've considered
I think this could be delivered by a plugin, as `yarn npm audit --json` provides the full report from the server. But I think with the new changes to `yarn up` it could be supported with very minimal code changes to Yarn.
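The remediation loop sketched in this issue (one `yarn up <name> --recursive` per advisory, then a semver check of what is still installed against the patched range), as an added example that is neither Yarn's code nor the yarn-plugin-npm-audit-fix plugin. It assumes the audit report has the npm-audit-v1 shape (`advisories` keyed by id, each with `module_name` and `patched_versions`), replaces the `semver` package with a small hand-written range matcher so it runs without dependencies, and uses a constructed sample report with placeholder package names.

```javascript
// Added example, not Yarn's code. Assumed report shape (npm audit v1 style):
// { advisories: { [id]: { module_name, patched_versions, ... } } }
const parseVersion = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);

// Returns -1, 0 or 1 comparing two "major.minor.patch" strings (prerelease tags ignored).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal semver range matcher: space-joined comparators must all hold, "||" alternatives
// need one. The registry reports "<0.0.0" when no fix exists, which no version satisfies.
function satisfies(version, range) {
  return range.replace(/([<>=]+)\s+/g, "$1").split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      if (cmp === "*") return true;
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      if (!m) return false;
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    })
  );
}

// One `yarn up <name> --recursive` per distinct vulnerable package, as the issue proposes.
function fixCommands(report) {
  const names = new Set(Object.values(report.advisories).map((a) => a.module_name));
  return [...names].map((name) => `yarn up ${name} --recursive`);
}

// The check the issue is unsure about: after upgrading, an advisory stays open if any
// version now installed (`installed`: name -> versions in the lockfile) is still unpatched.
function remainingAdvisories(report, installed) {
  return Object.values(report.advisories).filter((a) =>
    (installed[a.module_name] || []).some((v) => !satisfies(v, a.patched_versions))
  );
}

const sampleReport = { advisories: {  // constructed sample, placeholder package names
  "1": { module_name: "pkg-a", patched_versions: ">=4.17.21" },
  "2": { module_name: "pkg-b", patched_versions: ">=1.2.6" },
  "3": { module_name: "pkg-c", patched_versions: "<0.0.0" },
} };
```

Running `fixCommands(sampleReport)` yields the three upgrade commands; feeding the post-upgrade lockfile versions to `remainingAdvisories` leaves only the packages that still have an unpatched version installed.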