Our implementation has a couple of differences from the npm one. Like most other Yarn commands, yarn npm audit by default only applies to the direct dependencies of the current workspace. To get a report on the whole project, use the
You can exclude your devDependencies (and their transitive dependencies) from the report by running the command with
The hardened mode can be enabled (or disabled) either through the enableHardenedMode setting or by defining YARN_ENABLE_HARDENED_MODE=1|0 in your environment variables, but in most cases you won't even have to think about it: the hardened mode is enabled by default when Yarn detects that it is running in a pull request from a public GitHub repository.
Under this mode, Yarn will automatically enable the --refresh-lockfile flag when running yarn install, which should protect you against most attacks based on lockfile poisoning, at the cost of a little install speed.
The hardened mode makes installs significantly slower, as Yarn has to query the registry to make sure the information contained in the lockfile is accurate. If your CI pipeline runs multiple jobs, we recommend disabling the hardened mode in all but one of them so as to limit the performance impact.
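As an added illustration of that recommendation (this workflow is not part of the Yarn project or its documentation), the following GitHub Actions pipeline keeps hardened mode on in a single job that validates the lockfile and audits the whole project, and switches it off in the remaining matrix jobs. It assumes Yarn 4 is installed through Corepack and that the package defines a hypothetical test script.

```yaml
name: ci
on:
  pull_request:

jobs:
  # The one job that keeps hardened mode on. It re-validates the lockfile
  # against the registry, so this is where lockfile poisoning gets caught.
  verify-lockfile:
    runs-on: ubuntu-latest
    env:
      # Force the hardened checks regardless of repository visibility.
      YARN_ENABLE_HARDENED_MODE: 1
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: corepack enable
      # --immutable makes the job fail if the refreshed lockfile differs
      # from the committed one, instead of silently rewriting it.
      - run: yarn install --immutable
      # Report on the whole project rather than only the current workspace,
      # and leave devDependencies out of the report.
      - run: yarn npm audit --all --environment production

  # Remaining jobs skip the extra registry round-trips: the lockfile was
  # already validated above, so disabling hardened mode here only saves time.
  test:
    needs: verify-lockfile
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [18, 20]
    env:
      YARN_ENABLE_HARDENED_MODE: 0
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - run: corepack enable
      - run: yarn install --immutable
      - run: yarn test   # hypothetical test script
```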