Keep Your Dependencies Safe with Improved Yarn Audit
Keeping your project’s dependencies secure is essential in any Node.js application. In this guide, we’ll walk you through using improved-yarn-audit to detect and manage vulnerabilities more effectively. It offers a better developer experience than the default yarn audit, with advanced filtering and CI-friendly output. Let’s dive into securing your project, one audit at a time.
1. Install the improved-yarn-audit library
Install improved-yarn-audit as a dev dependency (it is added to the devDependencies section of package.json):
```bash
npm install improved-yarn-audit --save-dev
# or
yarn add improved-yarn-audit --dev
```
2. Create a script in the package.json file
Add a new script to package.json. The command below reports only vulnerabilities of critical severity and skips dev dependencies:
```json
"scripts": {
  "dep-audit": "improved-yarn-audit --min-severity critical --ignore-dev-deps"
}
```
If critical issues are found, the command exits with a non-zero status; otherwise it exits successfully.
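To make the two flags concrete, here is an added example (not part of the original post and not the tool's own code) that applies the same filters to `yarn audit --json` output: keep only advisories at or above a minimum severity, drop advisories reached only through dev dependencies, and return a non-zero exit code if anything remains. The input lines are constructed to mimic yarn v1's newline-delimited audit JSON; the `severity`, `module_name`, `url` and `resolution.dev` fields are assumed from that format, and only the `next` advisory URL comes from the page.

```javascript
// Added example: minimal re-implementation of the filtering behind
// `improved-yarn-audit --min-severity critical --ignore-dev-deps`.
// Illustrative code, not the tool's own source.

// Severity ordering used for the --min-severity threshold.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: one JSON object per line, as `yarn audit --json` emits.
// Field names (type, data.resolution.dev, data.advisory.*) are assumed from
// yarn v1's audit format; the GHSA URL is the one shown on the page.
const SAMPLE_AUDIT_OUTPUT = [
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { id: 1, path: 'next', dev: false },
    advisory: { module_name: 'next', severity: 'critical',
      url: 'https://github.com/advisories/GHSA-f82v-jwr5-mffw' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { id: 2, path: 'jest>example-dev-pkg', dev: true },
    advisory: { module_name: 'example-dev-pkg', severity: 'critical',
      url: 'https://example.invalid/advisory/dev-only' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { id: 3, path: 'lodash', dev: false },
    advisory: { module_name: 'lodash', severity: 'high',
      url: 'https://example.invalid/advisory/high' } } }),
  JSON.stringify({ type: 'auditSummary', data: {
    vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 2 } } }),
].join('\n');

// Parse newline-delimited JSON and keep only the advisory records.
function parseAuditLines(ndjson) {
  return ndjson
    .split('\n')
    .filter(Boolean)
    .map((line) => JSON.parse(line))
    .filter((entry) => entry.type === 'auditAdvisory')
    .map((entry) => entry.data);
}

// Apply the two filters the page's script uses.
function filterAdvisories(advisories, { minSeverity, ignoreDevDeps }) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return advisories.filter(({ advisory, resolution }) => {
    if (ignoreDevDeps && resolution.dev) return false;   // --ignore-dev-deps
    return SEVERITY_RANK[advisory.severity] >= threshold; // --min-severity
  });
}

// Produce the result a CI gate cares about: what remains, and the exit code.
function runAudit(ndjson, options) {
  const found = filterAdvisories(parseAuditLines(ndjson), options);
  // yarn emits one record per dependency path, so the same advisory can
  // appear several times; report each advisory once.
  const unique = [...new Map(found.map((a) => [a.advisory.url, a])).values()];
  return {
    exitCode: unique.length > 0 ? 1 : 0,
    vulnerabilities: unique.map((a) => ({
      severity: a.advisory.severity,
      module: a.advisory.module_name,
      url: a.advisory.url,
    })),
  };
}

// Stand-alone run with the page's settings: critical only, dev deps ignored.
const result = runAudit(SAMPLE_AUDIT_OUTPUT, { minSeverity: 'critical', ignoreDevDeps: true });
for (const v of result.vulnerabilities) {
  console.log(`Vulnerability Found: ${v.severity.toUpperCase()} in ${v.module} (${v.url})`);
}
console.log(`Found ${result.vulnerabilities.length} vulnerabilities, exit code ${result.exitCode}`);
```

With the sample input, only the `next` advisory survives: the second critical advisory is reached through a dev dependency and is dropped, and the `lodash` advisory is below the threshold. Lowering `minSeverity` to `high` or disabling `ignoreDevDeps` brings the others back, which is the trade-off you make when tuning the gate for a pipeline.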
3. Run the command and use it with Husky
3.1 Run the command from the terminal
```bash
npm run dep-audit
# or
yarn dep-audit
```
If there are no critical issues, you will see output like this:
```bash
$ improved-yarn-audit --min-severity critical --ignore-dev-deps
Improved Yarn Audit - v3.0.3
undefined
Minimum severity level to report: critical
Running yarn audit...
Found 0 vulnerabilities
Done in 1.04s.
```
If your dependencies have critical issues, the command fails with exit code 1 and lists them:
```bash
$ improved-yarn-audit --min-severity critical --ignore-dev-deps
Improved Yarn Audit - v3.0.3
undefined
Minimum severity level to report: critical
Running yarn audit...
Found 1 vulnerabilities
Vulnerability Found:
  Severity: CRITICAL
  Modules: next
  URL: https://github.com/advisories/GHSA-f82v-jwr5-mffw
Run `yarn audit` for more information
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
```
You can now fix the issue; the advisory URL printed in the output gives the details of the vulnerability.
Because the command exits non-zero on findings, you can use it as a gate in your CI pipelines.
Additionally, you can run it in a Husky pre-push hook, for example:
```bash
npm run typecheck && npm run test && npm run dep-audit
```
You can read more in my Husky docs.