There is no yarn audit fix, which is good, because npm audit fix is not always reliable: there are situations when the issue can't be fixed this easily and npm audit fix cannot handle them. How do you solve the audit then?

1) Keep dependencies up to date
Most of the time, the problem is that dependencies are not updated regularly, so the first thing to do is
If you want to pick versions of packages to install, try
I know it is scary, it might break things, but in 99.99% of situations (when OSS authors follow SemVer correctly) it won't break anything. It may not solve all the audit issues, though.
2) Resolve versions by hand

With yarn resolutions, you can fix vulnerabilities introduced in packages that you don't install directly and that can't be solved by yarn upgrade. You can even force yarn to install versions that are not SemVer compatible when you know the version won't break the app (not all major versions introduce breaking changes). For example:

This will force every engine.io used in gatsby to be ^6.4.2, but won't affect the rest of the app.

And that is it: the yarn upgrade command and yarn resolutions are enough to fix any failing yarn audit, provided there is a compatible version to install.

npm audit fix
All npm audit fix does is take the version that fixes the vulnerability and force it in the lock-file so that it is installed instead of the vulnerable version. That might be a good short-term fix, but it is not really good in the long term. It basically does the same thing as yarn resolutions, except you don't have to do it yourself. In the long term it is not a good solution because:
- it doesn't force you to keep the dependencies up to date,
- you have no idea which versions are used for the fix.
Keeping dependencies up to date is crucial, and it was fairly easy before lock-files were added to npm and yarn; with lock-files, you have to keep in mind that you should update dependencies on a regular basis. Now, after explaining why NOT to use npm audit fix, I can tell you a secret: there is npx yarn-audit-fix, but I encourage you not to use it.

Some TIPS
- Every time before running yarn upgrade, remove resolutions; they are a short-term fix and shouldn't be kept forever. If the new upgrade doesn't fix everything, introduce new resolutions.
- If you use npm, you can use npm-force-resolutions.
- Don't install dev dependencies you can run with npx; it can make your life easier.