Important: This documentation covers Yarn 2.
For 1.x docs, see
yarn addyarn binyarn cache cleanyarn config getyarn config setyarn config unsetyarn configyarn constraints queryyarn constraints sourceyarn constraintsyarn dedupeyarn dlxyarn execyarn explain peer-requirementsyarn infoyarn inityarn installyarn linkyarn nodeyarn npm audityarn npm infoyarn npm loginyarn npm logoutyarn npm publishyarn npm tag addyarn npm tag listyarn npm tag removeyarn npm whoamiyarn packyarn patch-commityarn patchyarn plugin import from sourcesyarn plugin importyarn plugin listyarn plugin removeyarn plugin runtimeyarn rebuildyarn removeyarn runyarn searchyarn set resolutionyarn set version from sourcesyarn set versionyarn stageyarn unlinkyarn unplugyarn upyarn upgrade-interactiveyarn version applyyarn version checkyarn versionyarn whyyarn workspaceyarn workspaces focusyarn workspaces foreachyarn workspaces list

yarn npm audit

Perform a vulnerability audit against the installed packages.


$> yarn npm audit


Checks for known security issues with the installed packages. The output is a list of known issues. :

yarn npm audit

Audit dependencies in all workspaces :

yarn npm audit --all

Limit auditing to dependencies (excludes devDependencies) :

yarn npm audit --environment production

Show audit report as valid JSON :

yarn npm audit --json

Audit all direct and transitive dependencies :

yarn npm audit --recursive

Output moderate (or more severe) vulnerabilities :

yarn npm audit --severity moderate




Audit dependencies from all workspaces


Audit transitive dependencies as well

--environment #0

Which environments to cover


Format the output as an NDJSON stream

--severity #0

Minimal severity requested for packages to be displayed


This command checks for known security reports on the packages you use. The reports are by default extracted from the npm registry, and may or may not be relevant to your actual program (not all vulnerabilities affect all code paths).

For consistency with our other commands the default is to only check the direct dependencies for the active workspace. To extend this search to all workspaces, use -A,--all. To extend this search to both direct and transitive dependencies, use -R,--recursive.

Applying the --severity flag will limit the audit table to vulnerabilities of the corresponding severity and above. Valid values are info, low, moderate, high, critical.

If the --json flag is set, Yarn will print the output exactly as received from the registry. Regardless of this flag, the process will exit with a non-zero exit code if a report is found for the selected packages.

To understand the dependency tree requiring vulnerable packages, check the raw report with the --json flag or use yarn why <package> to get more information as to who depends on them.