<h1>The problem</h1>
<p>I recently found myself in a position needing to resolve dependency issues caught by <a href="https://dependabot.com/">dependabot</a> in a project using <a href="https://yarnpkg.com/">Yarn</a>. Initally I thought, this will be easy... I'll just run <code>yarn audit</code> as I figured it would be the same as <code>npm audit</code>. However, after some quick scattering around the internet, I found that this feature doesn't exist in Yarn (yet).</p>
<p>After some research into the missing feature I came across <a href="https://github.com/yarnpkg/yarn/issues/7075">this</a> GitHub issue which explained all.</p>
<h1>The solution</h1>
<p>First, we need to use <a href="https://www.npmjs.com/">npm</a> to create a temporary <code>package-lock.json</code> file. We'll use the <code>--package-lock-only</code> flag we don't actually install any packages, as that's what we're using Yarn for after all.</p>
<pre><code>npm i --package-lock-only
</code></pre>
<p>Then, delete your <code>yarn.lock</code> file:</p>
<pre><code>rm yarn.lock
</code></pre>
<p>Now we need to run <code>audit fix</code> to actually fix all vulnerabilities:</p>
<pre><code>npm audit fix
</code></pre>
<p>We can now bring things back to Yarn by letting it import the npm lock file and create a new <code>yarn.lock</code> file:</p>
<pre><code>yarn import
</code></pre>
<p>Finally, you can now safely delete the <code>package-lock.json</code> file again:</p>
<pre><code>rm package-lock.json
</code></pre>
<p>Done! Commit your changes, and you can go back to using Yarn.</p>
<h1>Don't forget</h1>
<p>Always remember to check that the updated packages work as expected!</p>


Thomas Chaplin

How to fix Yarn audit issues

The problem

The solution

Don't forget