Skip to main content

Security

Audits

Yarn doesn't run audits by default when running yarn install, as this should rather be performed in a cron task. You can however perform audits whenever you want by running yarn npm audit.

Our implementation has a couple of differences with the npm one. Like most other Yarn commands, yarn npm audit, by default, only applies on the direct dependencies from the current workspace. To get a report on the whole project, use the -A,--all and/or -R,--recursive flags.

You can exclude your devDependencies (and their transitive dependencies) from the report by running the command with --environment production.

Hardened mode

The hardened mode can be set (or disabled) using either the enableHardenedMode setting or by defining YARN_ENABLE_HARDENED_MODE=1|0 in your environment variables, but in most cases you won't even have to think about it - the hardened mode is enabled by default when Yarn detects it runs in a pull request from a public GitHub repository.

Under this mode, Yarn will automatically enable the --check-resolutions and --refresh-lockfile flags when running yarn install, which should protect you against most attacks caused by lockfile poisoning, at the cost of a little bit of install speed.

The hardened mode makes installs significantly slower as Yarn has to query the registry to make sure the information contained in the lockfile are accurate. If your CI pipeline runs multiple jobs, we recommend disabling the hardened mode in all but one of them so as to limit the performance impact.