~ 7 min read
How to use yarn audit
The latest v1 major version of Yarn 1.22.22 supports a dependency audit command yarn audit that is similar to npm audit and allows developers who choose to use the Yarn package manager to check for vulnerabilities in their dependencies.
How Yarn pulls vulnerability information
Yarn uses the same vulnerability database as the npmjs registry (which to date has transitioned over to GitHub and its advisory database).
As such, Yarn just mirrors the same API calls that the npm CLI uses to fetch vulnerability information when running with npm audit and that by default in modern npm versions runs automatically after* installing packages.
Itβs important to note that Yarn doesnβt maintain its own vulnerability database, nor curates or triages any security vulnerability information, nor do any vulnerabilities about npm packages are reported to Yarn maintainers.
How to use yarn audit
Simply run yarn audit in your project directory to check for vulnerabilities in your dependencies.
yarn auditIf you donβt already have Yarnβs lockfile generated (yarn.lock), Yarn will generate it for you before running the audit. and then present the results of the audit in a table format.
Hereβs an example output of yarn audit:
βββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ high β Command Injection in lodash ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Package β lodash.template ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Patched in β No patch available ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Dependency of β subfont ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Path β subfont > assetgraph > workbox-build > lodash.template ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β More info β https://www.npmjs.com/advisories/1096993 ββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ high β kangax html-minifier REDoS vulnerability ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Package β html-minifier ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Patched in β No patch available ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Dependency of β subfont ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Path β subfont > assetgraph > html-minifier ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β More info β https://www.npmjs.com/advisories/1097148 ββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ high β path-to-regexp outputs backtracking regular expressions ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Package β path-to-regexp ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Patched in β >=8.0.0 ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Dependency of β astro ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Path β astro > path-to-regexp ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β More info β https://www.npmjs.com/advisories/1099538 ββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ high β path-to-regexp outputs backtracking regular expressions ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Package β path-to-regexp ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Patched in β >=8.0.0 ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Dependency of β astro-compress ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Path β astro-compress > astro > path-to-regexp ββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β More info β https://www.npmjs.com/advisories/1099538 ββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ4 vulnerabilities found - Packages audited: 1625Severity: 4 Highβ¨ Done in 59.13s.Note: if youβre using the latest major version of Yarn - Yarn 4, the audit commands exists under the command-line flag as follows: yarn npm audit (yes I know it looks confusing but thatβs the actual command).
How to read security vulnerability results from yarn audit output
Yarn and the npm CLI, while using the same underlying advisory database for vulnerabilities, choose to display and print out the results of the audit in different formats.
Yarnβs table format is quite more friendly and easier to read than npmβs formatting which is much more verbose and harder to parse. To compare, hereβs the same path-to-regexp vulnerability as reported by npm audit:
path-to-regexp 4.0.0 - 7.2.0Severity: highpath-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598jfix available via `npm audit fix --force`Will install @astrojs/tailwind@2.1.3, which is a breaking changenode_modules/path-to-regexp astro <=0.0.0-xray-20231129021231 || >=0.18.0-collections.1 Depends on vulnerable versions of @astrojs/markdown-remark Depends on vulnerable versions of path-to-regexp node_modules/astro @astro-community/astro-embed-integration >=0.1.0 Depends on vulnerable versions of @astro-community/astro-embed-twitter Depends on vulnerable versions of @astro-community/astro-embed-vimeo Depends on vulnerable versions of @astro-community/astro-embed-youtube Depends on vulnerable versions of astro Depends on vulnerable versions of astro-auto-import node_modules/@astro-community/astro-embed-integration @astro-community/astro-embed-twitter >=0.1.0 Depends on vulnerable versions of astro node_modules/@astro-community/astro-embed-twitter @astro-community/astro-embed-vimeo * Depends on vulnerable versions of astro node_modules/@astro-community/astro-embed-vimeo astro-embed >=0.1.0 Depends on vulnerable versions of @astro-community/astro-embed-integration Depends on vulnerable versions of @astro-community/astro-embed-twitter Depends on vulnerable versions of @astro-community/astro-embed-vimeo Depends on vulnerable versions of @astro-community/astro-embed-youtube Depends on vulnerable versions of astro node_modules/astro-embed...So, Yarn makes it more obvious to understand the top-level direct dependency that introduces the nested package with the vulnerability, and the path to the vulnerable package.
Hint: Yarn also supports JSON output with yarn audit --json if you want to parse the results programmatically, like say in a CI/CD pipeline or some custom tool youβre building.
π Just a quick break
I'm Liran Tal and I'm the author of the newest series of expert Node.js Secure Coding books. Check it out and level up your JavaScript
How to fix vulnerabilities reported by yarn audit
The vulnerabilities reported by yarn audit can be fixed by updating the vulnerable package to a newer version that has the vulnerability patched, based on the versions range that Yarn reports.
Do note though that sometimes there exist no upgrade versions with a fix to the vulnerability (for example in cases where the vulnerability is very new, or the package is no longer well maintained), in which case you might need to look for alternative packages or solutions. Maybe consider applying the patch yourself using the patch-package package on npm.
That said, I highly recommend both using the Snyk CLI (npm install -g snyk) and integrating Snyk into your GitHub or Gitlab repository so that Snyk can monitor for new vulnerabilities in real-time as it learns about them and then automatically create new Pull Requests with upgrade fixes to your dependencies.
The Snyk CLI is also very handy and much more powerful than both yarn audit and npm audit because it was tailored for developer-first security workflows. For example, it will by default filter noise from development dependencies (those in devDependencies that donβt get pushed to production), and it can also test for vulnerabilities in your own code, Docker images, Kubernetes manifests, Terraform configurations, and more.
By using Snyk you also get access to Snykβs vulnerability database which is much more comprehensive than the npmjs advisory database, and you get access to Snykβs security research team that curates and triages security vulnerabilities and can provide you with more context and guidance on how to fix vulnerabilities.
Hereβs an example snyk test output:
Tested 684 dependencies for known issues, found 10 issues, 25 vulnerable paths.
Issues to fix by upgrading:
Upgrade astro@3.6.5 to astro@4.13.1 to fix β Cross-site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-ASTRO-7547139] in astro@3.6.5 introduced by astro@3.6.5 β Improper Access Control [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-VITE-6531286] in vite@4.4.9 introduced by astro@3.6.5 > vite@4.4.9 β Cross-Site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-VITE-6098386] in vite@4.4.9 introduced by astro@3.6.5 > vite@4.4.9 β Uncontrolled resource consumption [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@3.0.2 introduced by astro@3.6.5 > chokidar@3.5.3 > braces@3.0.2 and 8 other path(s) β Access Control Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-VITE-6182924] in vite@4.4.9 introduced by astro@3.6.5 > vite@4.4.9
Issues with no direct upgrade or patch: β Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-DSET-7116691] in dset@3.1.3 introduced by astro@3.6.5 > @astrojs/telemetry@3.0.4 > dset@3.1.3 This issue was fixed in versions: 3.1.4 β Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6 introduced by @astrojs/vercel@5.2.0 > @vercel/nft@0.23.1 > glob@7.2.3 > inflight@1.0.6 and 1 other path(s) No upgrade or patch available β Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106] in path-to-regexp@6.2.1 introduced by astro@3.6.5 > path-to-regexp@6.2.1 This issue was fixed in versions: 8.0.0 β Uncontrolled Resource Consumption ('Resource Exhaustion') [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-6476909] in tar@6.2.0 introduced by @astrojs/vercel@5.2.0 > @vercel/nft@0.23.1 > @mapbox/node-pre-gyp@1.0.11 > tar@6.2.0 This issue was fixed in versions: 6.2.1Conclusion
Whether you use yarn audit, npm audit or snky test, itβs already a good step forward that you are thinking about your applicationβs security :-)
I curate many security incidents related to npm on my Awesome Node.js Security repository so secure dependency management is critical and you shouldnβt take it lightly. I agree that thereβs a lot of noise to filter through and vulnerability fatigue is a problem, but itβs better to be safe than sorry. Also, learn to use the tools that help you focus on the important bits (hint: Snyk!).
Disclaimer - I work at Snyk!