yarn-audit-fix

![CI](https://github.com/antongolub/yarn-audit-fix/actions)
![Maintainability](https://codeclimate.com/github/antongolub/yarn-audit-fix/maintainability)
![Test Coverage](https://codeclimate.com/github/antongolub/yarn-audit-fix/test_coverage)
![Sonar](https://sonarcloud.io/dashboard?id=antongolub_yarn-audit-fix)
![Known Vulnerabilities](https://snyk.io/test/github/antongolub/yarn-audit-fix)
![Downloads](https://www.npmjs.com/package/yarn-audit-fix)
![npm (tag)](https://www.npmjs.com/package/yarn-audit-fix)

The missing yarn audit fix

- Digest
- Problem
- Solution
- Key features
- Getting started
- Requirements
- Install
- CLI
- ENV
- JS API
- Migration notes
- ^10.0.0
- ^9.0.0
- ^8.0.0
- ^7.0.0
- ^6.0.0
- ^4.0.0
- ⚠️ Troubleshooting
- Contributing
- License

Digest

$3

1. yarn audit detects vulnerabilities, but cannot fix them.
Authors suggest using Dependabot or Snyk for security patches. Well, it is very inconvenient in some situations, to say the least of it.
The discussion: yarn/issues/7075.
2. yarn audit does not support custom (in-house, internal) registries. Here are the issue & PR which have not yet received the green light.

$3

Fortunately, there are several workarounds:
1. Compose npm audit fix with lockfile converter (thanks to Gianfranco P., stackoverflow/60878037).
yarn-audit-fix --flow=convert just reproduces these steps with minimal changes. More details: dev.to/yarn-audit-fix-workaround
2. Fetch yarn/npm audit --json advisories and patch lockfile inners (kudos to G. Kosev, code reference). yarn-audit-fix --flow=patch. Full description: dev.to/yarn-audit-fix-for-yarn-2-berry

$3

* Works with Yarn 1 Classic & Yarn v2+ lockfiles (⚠️ experimental)
* A couple of strategies to fix security issues
* macOS / Linux / Windows support
* CLI / JS API
* TS and flow typings

Getting started

$3

Node.js: >=16.0.0

$3

shell script
$ yarn add yarn-audit-fix -D


or even better


npm_config_yes=true npx yarn-audit-fix


$3


$ yarn-audit-fix [--opts]
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke npm audit fix --package-lock-only
added 14 packages, removed 195 packages and updated 1245 packages in 4.795s
fixed 3 of 26 vulnerabilities in 1370 scanned packages
  23 vulnerabilities required manual review and could not be updated
Updating yarn.lock from package-lock.json...
invoke yarn import
info found npm package-lock.json, converting to yarn.lock
warning synp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning tslint-config-qiwi > tslint-react@5.0.0: tslint-react is deprecated along with TSLint
warning @qiwi/libdefkit > @types/read-pkg@5.1.0: This is a stub types definition. read-pkg provides its own type definitions, so you do not need this installed.
...
success Saved lockfile.
invoke yarn
[1/4] 🔍  Resolving packages...
success Already up-to-date.
Done

| Option                | Description                                                                                                                                                             | Default                                    | with

--flow=convert

 only | 
|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|----------------------------|
|

--flow | Define how yarn.lock is modified. convert — to compose npm audit fix with two-way lockfile conversion (legacy flow). patch — to directly inject audit json data | patch

                                    |                            |
|

--audit-level

       | Include a vulnerability with a level as defined or higher. Supported values: low, moderate, high, critical                                                              |

low

                                      |                            |
|

--cwd

               | Current working dir                                                                                                                                                     |

process.cwd()

                            |                            |
|

--dry-run

           | Get an idea of what audit fix will do                                                                                                                                   |                                            |                            |
|

--force

             | Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones                                                                   |

false

                                    |                            |
|

--help/-h

           | Print help message                                                                                                                                                      |                                            |                            |
|

--legacy-peer-deps

  | Accept an incorrect (potentially broken) deps resolution                                                                                                                |                                            | ✔                          |
|

--loglevel

          | Set custom log level                                                                                         |                                            | ✔                          |
|

--npm-path | Switch to project's local npm version instead of system default. Or provide a custom path. system / local / | system

                                   |                            |
|

--only | Set package update scope: dev/prod

                                                                           |                                            |                            |
|

--package-lock-only | Run audit fix without modifying node_modules. Highly recommended to enable. | true

                                     | ✔                          |
|

--registry

          | Custom registry url                                                                                                                                                     |                                            | ✔                          |
|

--silent

            | Disable log output                                                                                                                                                      |

false

                                    |                            |
|

--symlink | Symlink type for node_modules

 ref                                                                                                                                     |

junction for Windows, dir

 otherwise    |                            |
|

--temp

              | Directory for temporary assets                                                                                                                                          |

/node_modules/.cache/yarn-audit-fix

 |                            |
|

--verbose

           | Switch log level to verbose/debug                                                                                                                                       |

false

                                    |                            |
|

--exclude

           | Array of glob patterns of packages to exclude from audit                                                                                                                |                                            |                            |
|

--ignore

            | Array of glob patterns of advisory IDs to ignore in the audit report                                                                                                    |                                            |                            |
$3

All mentioned above CLI options can be replaced with the corresponding env variables with leading YAF prefix. For example:
*

YAF_FORCE equals --force

YAF_ONLY=prod — --only=prod


$3

yarn-audit-fix is a naive and optimistic workaround, so it exposes all of its inners to give anybody a chance to tweak up and find a better steps combination.
Typedoc: https://antongolub.github.io/yarn-audit-fix/modules/

`ts import { run, runSync } from 'yarn-audit-fix'

// NOTE actually it's promisified run.syncawait run({ flow: 'patch', verbose: true })

// runSync is an alias for run.syncawait runSync({ flow: 'patch', verbose: true })`

Build and run custom flows.`ts import { clear, exit, patchLockfile, yarnInstall } from 'yarn-audit-fix'

export const flow: TFlow = { main: [ [ 'Patching yarn.lock with audit data...', patchLockfile, (...args) => {console.log('Smth interesting:', ...args)}, yarnInstall, ], ['Done'], ], fallback: [['Failure!', exit]], }

await run({}, flow)`

`Migration notes`


$3

v10 bumps the pkg deps and requires NodeJS v14.
$3

v9 brings experimental Yarn 2+ lockfiles support, so the previous behaviour (when

yaf

 parsing failure may be used to detect them) has been changed.
$3

From v8 the library does not contain npm dependency, so the system default is used instead. If necessary you can:
* Install the required npm version and provide a custom path via CLI / ENV / JS API
* Use a pinch of npx magic:

npm_config_yes=true YAF_NPM_PATH=local npx -p yarn-audit-fix -p npm@8 -c yarn-audit-fix


$3

Following the deps, converted to ESM. So legacy

require API has been dropped since v7.0.0. Use the shiny new import

 instead or try your luck with esm-hook. CLI works as before.

js
// const {run} = require('yarn-audit-fix') turns into
import {run} from 'yarn-audit-fix'


$3

Default fix strategy has been changed to direct lockfile patching with

yarn audit --json data. To use the previous _legacy_ flow, pass --flow=convert

 option to CLI.
$3

--npm-v7

 flag is redundant. From v4.0.0 package's own version of npm is used by default. But you're still able to invoke system default with

--npm-path=system or define any custom --npm-path=/another/npm/bin

.
Troubleshooting

$3

If you have installed yaf between 7...11 of Jan 2022 and ran it with

--flow=convert

 option, you might see an endless garbage loop in stdout.
The problem was caused by the transitive dep:

yarn-audit-fix → synp → colors@^1.4.0

. Reasons and details: issues/218, snykvuln/2331906.  
How to fix? There are 3 ways:
* Update yarn-audit-fix to

>=9.0.5


* Pin

colors version in your lockfile to 1.4.0


* Reinstall yarn-audit-fix. It looks like npm has already removed the vulnerable versions of

colors

 from the registry, 2022-01-11.
$3


npm_config_yes=true npx yarn-audit-fix --audit-level=moderate
Runtime digest
yarn-audit-fix version 4.3.6 is out of date. Install the latest 6.0.0 for better results


npx caches previously loaded packages, so you need one of:
1. Define version to load:

npm yarn-audit-fix@6.0.0


2. Reset npx cache. For Mac/Linux:

rm -rf ~/.npm/_npx


$3

After installation, the package may not be found. This is probably an issue with $PATH finding

node_modules/.bin

 contents or smth like that (npm/issues/957).
A bit annoying, but it's easy to handle in several ways.
* You're able to run the cmd through yarn:

yarn yarn-audit-fix

.
* Simply invoke

node_modules/.bin/yarn-audit-fix

 script.
$3

In some cases npm audit fix makes

node_modules

 to become inconsistent. This is expected. yarn and npm organize the directory space slightly differently.


npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/node-gyp as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/node-gyp
npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/uuid as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/uuid
npm ERR! code ENOENT
npm ERR! syscall chmod
npm ERR! path /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js
npm ERR! errno -2
npm ERR! enoent ENOENT: no such file or directory, chmod '/Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent 
npm ERR!     /Users/antongolub/.npm/_logs/2020-08-23T07_09_26_924Z-debug.log
{
  status: 254,
  signal: null,
  output: [ null, null, null ]


Let's try this workaround:
1. Restore the original

node_modules state. yarn --force or rm-rf node_modules && yarn

.
2. Apply

npx yarn-audit-fix --package-lock-only. The last param should instruct npm not to modify node_modules

 contents.
$3

The problem only concerns repositories with

workspaces

 (monorepos).

npm audit fix --force throws 1 status code and suggests running npm audit fix --force

. This quite ironic behaviour is exactly what npm (arborist) does now.


$$ yarn-audit-fix --force          
 Preparing temp assets...
 Generating package-lock.json from yarn.lock...
 Applying npm audit fix...
 invoke /home/qwelias/.nvm/versions/node/v12.18.1/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --force --prefix=/home/qwelias/prj/stuff/test-yarn-audit-fix/node_modules/.cache/yarn-audit-fix
 npm WARN using --force Recommended protections disabled.
 npm WARN audit Updating lodash to 4.17.20,which is outside your stated dependency range.
 npm WARN audit Manual fix required in linked project at ./packages/bar for lodash@<=4.17.18.
 npm WARN audit 'cd ./packages/bar' and run 'npm audit' for details.
 npm WARN audit Manual fix required in linked project at ./packages/foo for lodash@<=4.17.18.
 npm WARN audit 'cd ./packages/foo' and run 'npm audit' for details.
 
 up to date, audited 7 packages in 2s
 
 # npm audit report
 
 lodash  <=4.17.18
 Severity: high
 Prototype Pollution - https://npmjs.com/advisories/782
 Prototype Pollution - https://npmjs.com/advisories/1065
 fix available via

npm audit fix --force


 Will install lodash@4.17.20, which is outside the stated dependency range
 packages/bar/node_modules/lodash
 packages/foo/node_modules/lodash
 
 1 high severity vulnerability
 
 To address all issues, run:
   npm audit fix --force
 {
   status: 1,
   signal: null,
   output: [ null, null, null ],
   pid: 176019,
   stdout: null,
   stderr: null
 }


So you need, as the message says, to manually change the dependency versions. npm@7 ~~is still in beta~~, perhaps this logic will be changed later.
In some cases npm@6 works better, so if you have such a version installed on your system, you may try:

shell
npx yarn-audit-fix --npm-path=system --flow=convert


You may also try to cast _the optimistic flags combo_

shell
npx yarn-audit-fix --package-lock-only=false --force --legacy-peer-deps --flow=convert


Unfortunately, even this invocation may return something like:

shell
npm audit report

hosted-git-info <3.0.8 Severity: moderate Regular Expression Deinal of Service - https://npmjs.com/advisories/1677 No fix available node_modules/normalize-package-data/node_modules/hosted-git-info normalize-package-data 2.0.0 - 2.5.0 Depends on vulnerable versions of hosted-git-info node_modules/normalize-package-data meow 3.4.0 - 9.0.0 Depends on vulnerable versions of normalize-package-data Depends on vulnerable versions of read-pkg-up`No fix available just means that no fix available. If you still doubt the correctness of the output, you can check it by hand.`shell npm i --package-lock-only npm audit fix --package-lock-only --force`

Same response for alternative patching flow:`shell npm_config_yes=true npx yarn-audit-fix --audit-level=moderate --flow=patch``shell Patching yarn.lock with audit data... invoke yarn audit --json --level moderate Can't find patched version that satisfies postcss@^7.0.0 in >=8.2.10 Can't find patched version that satisfies postcss@^7.0.1 in >=8.2.10 Can't find patched version that satisfies postcss@^7.0.27 in >=8.2.10 Can't find patched version that satisfies ws@^7.2.3 in >=6.2.2 <7.0.0 || >=7.4.6 Upgraded deps: invoke yarn --update-checksums`Not everything can be repaired, alack.

`$3`


yarn-audit-fix is compatible with any NodeJS version which supports ESM, but the nested packages can define their own engine requirements.

shell
pkg-dir@7.0.0: The engine "node" is incompatible with this module. Expected version ">=14.16". Got "14.15.1"

The _recommended_ way is to update the runtime version. As a temporary workaround, you can simply pass --ignore-enginesflag.`shell yarn add yarn-audit-fix -D --ignore-engines`

`$3`

In some cases yarn npm audit fails because the yarn.lockfile contains a transitive dependency in unreadable format:`'example-dependency': 'npm:example-dependency@1.0.0'`

This will results in:`shell invoke yarn npm audit --all --json --recursive ➤ YN0035: Bad Request ➤ YN0035: Response Code: 400 (Bad Request) ➤ YN0035: Request Method: POST ➤ YN0035: Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick`https://github.com/yarnpkg/berry/issues/4117

A workaround is available using the excludeoption: 1. Update project yarn to >=3.3.0 (lower version doesn't support this parameter for yarn npm audit). 2. Applynpx yarn-audit-fix --exclude example-dependency. This will cause yarn to ignore example-dependency` while creating the audit report.

Contributing

Feel free to open any issues: bugs, feature requests or other questions.
You're always welcome to suggest a PR. Just fork this repo, write some code, add some tests and push your changes.
Any feedback is appreciated.

License

MIT

yarn-audit-fix

The missing yarn audit fix

Digest

$3

* Works with Yarn 1 Classic & Yarn v2+ lockfiles (⚠️ experimental)
* A couple of strategies to fix security issues
* macOS / Linux / Windows support
* CLI / JS API
* TS and flow typings

Getting started

$3

Node.js: >=16.0.0

$3

shell script
$ yarn add yarn-audit-fix -D


or even better


npm_config_yes=true npx yarn-audit-fix


$3


$ yarn-audit-fix [--opts]
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke npm audit fix --package-lock-only
added 14 packages, removed 195 packages and updated 1245 packages in 4.795s
fixed 3 of 26 vulnerabilities in 1370 scanned packages
  23 vulnerabilities required manual review and could not be updated
Updating yarn.lock from package-lock.json...
invoke yarn import
info found npm package-lock.json, converting to yarn.lock
warning synp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning tslint-config-qiwi > tslint-react@5.0.0: tslint-react is deprecated along with TSLint
warning @qiwi/libdefkit > @types/read-pkg@5.1.0: This is a stub types definition. read-pkg provides its own type definitions, so you do not need this installed.
...
success Saved lockfile.
invoke yarn
[1/4] 🔍  Resolving packages...
success Already up-to-date.
Done

| Option                | Description                                                                                                                                                             | Default                                    | with

--flow=convert

 only | 
|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|----------------------------|
|

--flow | Define how yarn.lock is modified. convert — to compose npm audit fix with two-way lockfile conversion (legacy flow). patch — to directly inject audit json data | patch

                                    |                            |
|

--audit-level

       | Include a vulnerability with a level as defined or higher. Supported values: low, moderate, high, critical                                                              |

low

                                      |                            |
|

--cwd

               | Current working dir                                                                                                                                                     |

process.cwd()

                            |                            |
|

--dry-run

           | Get an idea of what audit fix will do                                                                                                                                   |                                            |                            |
|

--force

             | Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones                                                                   |

false

                                    |                            |
|

--help/-h

           | Print help message                                                                                                                                                      |                                            |                            |
|

--legacy-peer-deps

  | Accept an incorrect (potentially broken) deps resolution                                                                                                                |                                            | ✔                          |
|

--loglevel

          | Set custom log level                                                                                         |                                            | ✔                          |
|

--npm-path | Switch to project's local npm version instead of system default. Or provide a custom path. system / local / | system

                                   |                            |
|

--only | Set package update scope: dev/prod

                                                                           |                                            |                            |
|

--package-lock-only | Run audit fix without modifying node_modules. Highly recommended to enable. | true

                                     | ✔                          |
|

--registry

          | Custom registry url                                                                                                                                                     |                                            | ✔                          |
|

--silent

            | Disable log output                                                                                                                                                      |

false

                                    |                            |
|

--symlink | Symlink type for node_modules

 ref                                                                                                                                     |

junction for Windows, dir

 otherwise    |                            |
|

--temp

              | Directory for temporary assets                                                                                                                                          |

/node_modules/.cache/yarn-audit-fix

 |                            |
|

--verbose

           | Switch log level to verbose/debug                                                                                                                                       |

false

                                    |                            |
|

--exclude

           | Array of glob patterns of packages to exclude from audit                                                                                                                |                                            |                            |
|

--ignore

            | Array of glob patterns of advisory IDs to ignore in the audit report                                                                                                    |                                            |                            |
$3

All mentioned above CLI options can be replaced with the corresponding env variables with leading YAF prefix. For example:
*

YAF_FORCE equals --force

YAF_ONLY=prod — --only=prod


$3

yarn-audit-fix is a naive and optimistic workaround, so it exposes all of its inners to give anybody a chance to tweak up and find a better steps combination.
Typedoc: https://antongolub.github.io/yarn-audit-fix/modules/

`ts import { run, runSync } from 'yarn-audit-fix'

// NOTE actually it's promisified run.syncawait run({ flow: 'patch', verbose: true })

// runSync is an alias for run.syncawait runSync({ flow: 'patch', verbose: true })`

Build and run custom flows.`ts import { clear, exit, patchLockfile, yarnInstall } from 'yarn-audit-fix'

await run({}, flow)`

`Migration notes`


$3

v10 bumps the pkg deps and requires NodeJS v14.
$3

v9 brings experimental Yarn 2+ lockfiles support, so the previous behaviour (when

yaf

 parsing failure may be used to detect them) has been changed.
$3

From v8 the library does not contain npm dependency, so the system default is used instead. If necessary you can:
* Install the required npm version and provide a custom path via CLI / ENV / JS API
* Use a pinch of npx magic:

npm_config_yes=true YAF_NPM_PATH=local npx -p yarn-audit-fix -p npm@8 -c yarn-audit-fix


$3

Following the deps, converted to ESM. So legacy

require API has been dropped since v7.0.0. Use the shiny new import

 instead or try your luck with esm-hook. CLI works as before.

js
// const {run} = require('yarn-audit-fix') turns into
import {run} from 'yarn-audit-fix'


$3

Default fix strategy has been changed to direct lockfile patching with

yarn audit --json data. To use the previous _legacy_ flow, pass --flow=convert

 option to CLI.
$3

--npm-v7

 flag is redundant. From v4.0.0 package's own version of npm is used by default. But you're still able to invoke system default with

--npm-path=system or define any custom --npm-path=/another/npm/bin

.
Troubleshooting

$3

If you have installed yaf between 7...11 of Jan 2022 and ran it with

--flow=convert

 option, you might see an endless garbage loop in stdout.
The problem was caused by the transitive dep:

yarn-audit-fix → synp → colors@^1.4.0

. Reasons and details: issues/218, snykvuln/2331906.  
How to fix? There are 3 ways:
* Update yarn-audit-fix to

>=9.0.5


* Pin

colors version in your lockfile to 1.4.0


* Reinstall yarn-audit-fix. It looks like npm has already removed the vulnerable versions of

colors

 from the registry, 2022-01-11.
$3


npm_config_yes=true npx yarn-audit-fix --audit-level=moderate
Runtime digest
yarn-audit-fix version 4.3.6 is out of date. Install the latest 6.0.0 for better results


npx caches previously loaded packages, so you need one of:
1. Define version to load:

npm yarn-audit-fix@6.0.0


2. Reset npx cache. For Mac/Linux:

rm -rf ~/.npm/_npx


$3

After installation, the package may not be found. This is probably an issue with $PATH finding

node_modules/.bin

 contents or smth like that (npm/issues/957).
A bit annoying, but it's easy to handle in several ways.
* You're able to run the cmd through yarn:

yarn yarn-audit-fix

.
* Simply invoke

node_modules/.bin/yarn-audit-fix

 script.
$3

In some cases npm audit fix makes

node_modules

 to become inconsistent. This is expected. yarn and npm organize the directory space slightly differently.


npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/node-gyp as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/node-gyp
npm WARN rm not removing /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/.bin/uuid as it wasn't installed by /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/npm/node_modules/uuid
npm ERR! code ENOENT
npm ERR! syscall chmod
npm ERR! path /Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js
npm ERR! errno -2
npm ERR! enoent ENOENT: no such file or directory, chmod '/Users/antongolub/projects/queuefy/node_modules/.cache/yarn-audit-fix/node_modules/@qiwi/libdefkit/node_modules/flowgen/lib/cli/index.js'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent 
npm ERR!     /Users/antongolub/.npm/_logs/2020-08-23T07_09_26_924Z-debug.log
{
  status: 254,
  signal: null,
  output: [ null, null, null ]


Let's try this workaround:
1. Restore the original

node_modules state. yarn --force or rm-rf node_modules && yarn

.
2. Apply

npx yarn-audit-fix --package-lock-only. The last param should instruct npm not to modify node_modules

 contents.
$3

The problem only concerns repositories with

workspaces

 (monorepos).

npm audit fix --force throws 1 status code and suggests running npm audit fix --force

. This quite ironic behaviour is exactly what npm (arborist) does now.


$$ yarn-audit-fix --force          
 Preparing temp assets...
 Generating package-lock.json from yarn.lock...
 Applying npm audit fix...
 invoke /home/qwelias/.nvm/versions/node/v12.18.1/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --force --prefix=/home/qwelias/prj/stuff/test-yarn-audit-fix/node_modules/.cache/yarn-audit-fix
 npm WARN using --force Recommended protections disabled.
 npm WARN audit Updating lodash to 4.17.20,which is outside your stated dependency range.
 npm WARN audit Manual fix required in linked project at ./packages/bar for lodash@<=4.17.18.
 npm WARN audit 'cd ./packages/bar' and run 'npm audit' for details.
 npm WARN audit Manual fix required in linked project at ./packages/foo for lodash@<=4.17.18.
 npm WARN audit 'cd ./packages/foo' and run 'npm audit' for details.
 
 up to date, audited 7 packages in 2s
 
 # npm audit report
 
 lodash  <=4.17.18
 Severity: high
 Prototype Pollution - https://npmjs.com/advisories/782
 Prototype Pollution - https://npmjs.com/advisories/1065
 fix available via

npm audit fix --force


 Will install lodash@4.17.20, which is outside the stated dependency range
 packages/bar/node_modules/lodash
 packages/foo/node_modules/lodash
 
 1 high severity vulnerability
 
 To address all issues, run:
   npm audit fix --force
 {
   status: 1,
   signal: null,
   output: [ null, null, null ],
   pid: 176019,
   stdout: null,
   stderr: null
 }


So you need, as the message says, to manually change the dependency versions. npm@7 ~~is still in beta~~, perhaps this logic will be changed later.
In some cases npm@6 works better, so if you have such a version installed on your system, you may try:

shell
npx yarn-audit-fix --npm-path=system --flow=convert


You may also try to cast _the optimistic flags combo_

shell
npx yarn-audit-fix --package-lock-only=false --force --legacy-peer-deps --flow=convert


Unfortunately, even this invocation may return something like:

shell
npm audit report

`$3`


yarn-audit-fix is compatible with any NodeJS version which supports ESM, but the nested packages can define their own engine requirements.

shell
pkg-dir@7.0.0: The engine "node" is incompatible with this module. Expected version ">=14.16". Got "14.15.1"

The _recommended_ way is to update the runtime version. As a temporary workaround, you can simply pass --ignore-enginesflag.`shell yarn add yarn-audit-fix -D --ignore-engines`

`$3`

In some cases yarn npm audit fails because the yarn.lockfile contains a transitive dependency in unreadable format:`'example-dependency': 'npm:example-dependency@1.0.0'`

Contributing

License

MIT

yarn-audit-fix

yarn-audit-fix

Digest

$3

$3

$3

Getting started

$3

$3

$3

$3

$3

Migration notes

$3

$3

$3

$3

$3

$3

Troubleshooting

$3

$3

$3

$3

$3

npm audit report

$3

$3

Contributing

License

yarn-audit-fix

yarn-audit-fix

Digest

$3

$3

$3

Getting started

$3

$3

$3

$3

$3

Migration notes

$3

$3

$3

$3

$3

$3

Troubleshooting

$3

$3

$3

$3

$3

npm audit report

$3

$3

Contributing

License

Dist Tags

`Migration notes`

`$3`

`$3`

`Migration notes`

`$3`

`$3`