You might previously use commands like npm audit or yarn audit to perform a vulnerability audit against the installed packages. In case any vulnerable dependencies found to update it you could use built-in npm audit fix command. It would automatically install any compatible updates to vulnerable dependencies. Surprisingly, there is no yarn alternative to fix it in the way npm does, yet there are several workarounds which you can do.

Use yarn-audit-fix package

The very straight forward option is to use yarn-audit-fix package.

1. Installation

Copycopy code to clipboard
1yarn add yarn-audit-fix -D

Alternatively, you can use npx.

Copycopy code to clipboard
1npx yarn-audit-fix

2. Usage

Copycopy code to clipboard
1yarn-audit-fix

Use npm audit fix as a temporary option

This is my preferable approach to fix vulnerable dependencies.

1. Generate the package-lock.json file without installing node modules

Copycopy code to clipboard
1npm install --package-lock-only

2. Fix the packages and update the package-lock.json file

Copycopy code to clipboard
1npm audit fix

3. Remove the yarn.lock file and import the package-lock.json file into yarn.lock

Copycopy code to clipboard
1rm yarn.lock
2
3yarn import

4. Remove the package-lock.json file

Copycopy code to clipboard
1rm package-lock.json