-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
33e4ac6
commit 8d25680
Showing
1 changed file
with
22 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,7 +13,7 @@ Apply `npm audit fix` logic to `yarn.lock` | |
| ## Motivation | ||
| `yarn audit` detects vulnerabilities, but cannot fix them. | ||
| Strictly `yarn` cannot be a drop-in replacement for `npm`. | ||
| Authors suggest using `depedabot` for security patches. Well, it is very inconvenient in some situations, to say the least of it. | ||
| Authors suggest using [Depedabot](https://dependabot.com/) or [Snyk](https://snyk.io/) for security patches. Well, it is very inconvenient in some situations, to say the least of it. | ||
| The discussion: [yarn/issues/7075](https://github.com/yarnpkg/yarn/issues/7075) | ||
|
|
||
| Fortunately, there's a workaround: [stackoverflow/60878037](https://stackoverflow.com/a/60878037) (thanks to Gianfranco P.). | ||
|
|
@@ -30,14 +30,29 @@ npx yarn-audit-fix | |
| ``` | ||
|
|
||
| ## Usage | ||
| ```shell script | ||
| <pre> | ||
| $ yarn-audit-fix | ||
|
|
||
| Generating package-lock.json... | ||
| Applying npm audit fix... | ||
| Generating new yarn.lock from package-lock.json... | ||
| Done | ||
| ``` | ||
| <b>Preparing temp assets...</b> | ||
| <b>Generating package-lock.json from yarn.lock...</b> | ||
| <b>Applying npm audit fix...</b> | ||
| <b>invoke npm audit fix --package-lock-only</b> | ||
| added 14 packages, removed 195 packages and updated 1245 packages in 4.795s | ||
| fixed 3 of 26 vulnerabilities in 1370 scanned packages | ||
| 23 vulnerabilities required manual review and could not be updated | ||
| <b>Updating yarn.lock from package-lock.json...</b> | ||
| <b>invoke</b> yarn import | ||
| info found npm package-lock.json, converting to yarn.lock | ||
| warning synp > [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142 | ||
| warning tslint-config-qiwi > [email protected]: tslint-react is deprecated along with TSLint | ||
| warning @qiwi/libdefkit > @types/[email protected]: This is a stub types definition. read-pkg provides its own type definitions, so you do not need this installed. | ||
| ... | ||
| success Saved lockfile. | ||
| <b>invoke</b> yarn | ||
| [1/4] 🔍 Resolving packages... | ||
| success Already up-to-date. | ||
| <b>Done</b> | ||
| </pre> | ||
|
|
||
| ## License | ||
| [MIT](./LICENSE) | ||