Wednesday, 26 August 2020

Best way to audit dependencies in Yarn 2 (berry)?

I'm looking for a way to audit dependencies for vulnerabilities in Yarn 2. In Yarn 1.x it was possible the same way as in npm, by running yarn audit instead of npm audit. But with Yarn 2 there is no such command. And according to this issue on the berry GitHub, it won't be implemented (project maintainers prefer it was done via plugin).

I have tried running npm install --package-lock-only && npm audit but the install chokes on some of my local packages (which I am listing in package.json using the link: url type).

It wouldn't be a complex plugin to build and I'm up for some fun doing so, but it would not be so much fun as just installing something and then going about my day. I have looked around but always end up at the same couple of vapourware / abandonware repos.

But I still guess that I'm just not finding them. Or there's an undocumented trick for making it easy. Hence my question :)

PS, yeah I can delete the local packages using link: temporarily while I run the npm install and npm audit commands above, but it's not exactly the kind of thing I want to try and automate for CI.


