You may already use commands like npm audit or yarn audit to run a vulnerability audit against the installed packages. If any vulnerable dependencies are found, npm offers the built-in npm audit fix command, which automatically installs any compatible updates to the vulnerable dependencies. Surprisingly, yarn has no equivalent command that applies fixes the way npm does, but there are several workarounds you can use.
Use yarn-audit-fix package
The most straightforward option is to use the yarn-audit-fix package.
- Installation
yarn add yarn-audit-fix -D
Alternatively, you can use npx.
npx yarn-audit-fix
- Usage
yarn-audit-fix
Use npm audit fix as a temporary option
This is my preferred approach to fixing vulnerable dependencies.
- Generate the package-lock.json file without installing node modules
npm install --package-lock-only
- Fix the packages and update the package-lock.json file
npm audit fix
- Remove the yarn.lock file and import the package-lock.json file into yarn.lock
rm yarn.lock
yarn import
- Remove the package-lock.json file
rm package-lock.json
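As an added example (not from the original post), here is a small POSIX shell wrapper for the four steps above that first checks the directory looks like a yarn project, keeps a backup of yarn.lock, and re-runs yarn audit afterwards. It assumes npm and Yarn 1 (classic, which provides yarn import) are installed; the function names and the RUN_AUDIT_FIX / PROJECT_DIR variables are this example's own.

```shell
#!/bin/sh
# Added example, not the post's own code: wraps the "npm audit fix, then
# yarn import" workaround with pre-flight checks and a lockfile backup.
# Assumes npm and Yarn 1 (classic) are on PATH; names below are this
# example's own.
set -eu

# preflight DIR: succeed only if DIR has package.json and yarn.lock and
# no pre-existing package-lock.json (npm would reuse a stale one).
preflight() {
  dir=$1
  [ -f "$dir/package.json" ] || { echo "no package.json in $dir" >&2; return 1; }
  [ -f "$dir/yarn.lock" ] || { echo "no yarn.lock in $dir (not a yarn project?)" >&2; return 1; }
  [ ! -e "$dir/package-lock.json" ] || { echo "package-lock.json already present; remove it first" >&2; return 1; }
  return 0
}

# fix_with_npm_audit DIR: the four steps from the post, run in a subshell
# so the caller's working directory is left untouched.
fix_with_npm_audit() {
  dir=$1
  preflight "$dir"
  cp "$dir/yarn.lock" "$dir/yarn.lock.bak"      # keep the old lockfile for rollback
  (
    cd "$dir"
    npm install --package-lock-only            # write package-lock.json, no node_modules
    npm audit fix                              # apply compatible fixes to package-lock.json
    rm yarn.lock
    yarn import                                # rebuild yarn.lock from package-lock.json
    rm package-lock.json
    # yarn audit exits non-zero when vulnerabilities remain; report instead of aborting
    yarn audit || echo "yarn audit still reports issues (exit $?); review before committing" >&2
  )
}

# restore DIR: put the backed-up yarn.lock back if the import went wrong.
restore() { mv "$1/yarn.lock.bak" "$1/yarn.lock"; }

if [ "${RUN_AUDIT_FIX:-0}" = "1" ]; then
  fix_with_npm_audit "${PROJECT_DIR:-.}"
fi
```

Run it with RUN_AUDIT_FIX=1 PROJECT_DIR=/path/to/project sh fix.sh; if the import misbehaves, restore /path/to/project puts the previous yarn.lock back.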