yarn npm audit
Perform a vulnerability audit against the installed packages.
$> yarn npm audit [-A,--all] [-R,--recursive] [--environment #0] [--json] [--severity #0]
Checks for known security issues with the installed packages. The output is a list of known issues:
yarn npm audit
Audit dependencies in all workspaces:
yarn npm audit --all
Limit auditing to production dependencies (excludes devDependencies):
yarn npm audit --environment production
Show audit report as valid JSON:
yarn npm audit --json
Audit all direct and transitive dependencies:
yarn npm audit --recursive
Output moderate (or more severe) vulnerabilities:
yarn npm audit --severity moderate
This command checks for known security reports on the packages you use. The reports are by default extracted from the npm registry, and may or may not be relevant to your actual program (not all vulnerabilities affect all code paths).
For consistency with our other commands the default is to only check the direct dependencies for the active workspace. To extend this search to all workspaces, use the -A,--all flag. To extend this search to both direct and transitive dependencies, use the -R,--recursive flag.
Applying the --severity flag will limit the audit table to vulnerabilities of the corresponding severity and above. Valid values are info, low, moderate, high, critical.
If the --json flag is set, Yarn will print the output exactly as received from the registry. Regardless of this flag, the process will exit with a non-zero exit code if a report is found for the selected packages.
To understand the dependency tree requiring vulnerable packages, check the raw report with the --json flag or use yarn why <package> to get more information as to who depends on them.
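As an added example (not part of the Yarn documentation), the following POSIX shell function wires the command into a CI step the way the flags and exit-code behaviour above suggest: it widens the scope past the direct-dependencies-of-one-workspace default, keeps the raw --json report as a build artifact, and fails the job on the command's non-zero exit status. The function name audit_gate and the report file name are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Yarn documentation: a CI gate built around
# `yarn npm audit`. It relies only on behaviour documented on the page: the
# --all, --recursive, --severity, --environment and --json flags, and the
# non-zero exit status when a report is found for the selected packages.
#
# audit_gate SEVERITY REPORT_FILE [ENVIRONMENT]
#   SEVERITY     threshold passed to --severity (e.g. moderate, high)
#   REPORT_FILE  where the raw registry JSON is written, kept as a build artifact
#   ENVIRONMENT  optional value for --environment (e.g. production); when omitted,
#                devDependencies are audited as well
audit_gate() {
    severity="$1"
    report="$2"
    environment="$3"

    # Widen the scope on purpose: the default is direct dependencies of the
    # active workspace only, which is not what a repository-wide gate wants.
    set -- yarn npm audit --all --recursive --severity "$severity" --json
    if [ -n "$environment" ]; then
        set -- "$@" --environment "$environment"
    fi

    # --json prints the registry response verbatim; keep it for triage and
    # pair it with `yarn why <package>` to see who depends on a flagged package.
    "$@" > "$report"
    status=$?

    if [ "$status" -eq 0 ]; then
        echo "audit: no advisories at severity $severity or above"
        return 0
    fi
    echo "audit: advisories found at severity $severity or above; see $report" >&2
    return "$status"
}

# Example pipeline step (fails the job when a report is found):
# audit_gate high audit-report.json production
```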