Think running yarn audit is just noisy output you can ignore until it breaks in production?
The yarn audit command scans your project’s lockfile against public vulnerability feeds (npm registry via GitHub advisories) and lists vulnerable packages, severity, and the dependency path so you know who’s responsible.
This post explains the yarn audit command, version differences (Yarn 1 vs Yarn 4), useful flags like –json and –level, how to read the report, and practical steps to fix problems and wire the check into CI.
Understanding the Yarn Audit Command and Its Core Purpose
Yarn audit is a security scanner baked into the Yarn package manager. It scans your Node.js project’s dependencies for known vulnerabilities. The command queries public vulnerability databases, specifically the npm registry advisory API which pulls data from the GitHub Advisory Database, then reports security issues it finds in your installed packages. When you run an audit, Yarn checks every dependency in your lockfile against this centralized feed of disclosed security flaws and presents findings with enough detail so you can decide which packages need attention.
Command syntax shifts across Yarn major versions. In Yarn 1.x (the classic version, final release 1.22.22), you just run yarn audit in your project root. If your yarn.lock file is missing, Yarn generates it before running the scan. With Yarn 4 (the modern lineage often called Berry), the equivalent command is yarn npm audit to reflect the npm-compatible registry interface. This version shift matters when writing CI scripts or troubleshooting unexpected command failures.
The audit report includes several key data points for each vulnerability: a severity rating (low, moderate, high, or critical), the name of the affected package, the version currently installed, the version range that contains a fix, and the dependency path showing how that vulnerable package ended up in your project. Yarn formats the default output as a concise table that highlights your top-level direct dependency and traces the chain down to the nested package with the flaw. This makes it faster to identify which of your own dependencies pulled in the problem.
How to Run the Yarn Audit Command and Use Its Options
The simplest invocation is yarn audit executed in your project directory. On Yarn 1.x this is standard. On Yarn 4 you must use yarn npm audit instead. Both commands read your lockfile, send the dependency tree to the registry’s advisory endpoint, and display results in a human-readable table. No additional arguments are required for a basic scan, but several flags unlock more functionality for automated workflows and granular filtering.
Flags become critical when you integrate audits into CI/CD pipelines or want machine-readable output for custom tooling. The --json flag emits a structured JSON response instead of a formatted table, which makes it easy to parse results with jq, store them in logs, or trigger automated workflows based on specific fields. The --level flag filters findings by severity, letting you fail a build only when high or critical issues appear while ignoring informational advisories. These options turn a manual security check into an enforceable quality gate that blocks deployments when unacceptable risks are present.
Common flags and usage patterns:
- –json – Output results as JSON for programmatic parsing in CI scripts, log aggregators, or custom dashboards
- –level – Filter by minimum severity (e.g.,
--level highshows only high and critical vulnerabilities) - –groups – Limit scan to specific dependency groups like
dependenciesordevDependencies - Exit codes – Yarn audit returns a non-zero exit code when vulnerabilities are found, useful for failing CI builds automatically
- Yarn 4 syntax – Use
yarn npm auditinstead ofyarn auditon modern Yarn versions - Typical example –
yarn audit --json > audit-report.jsoncaptures full results for later review or integration testing
Reading and Interpreting Yarn Audit Output Details
Understanding severity levels is the first step in triaging audit results. Yarn categorizes vulnerabilities as low, moderate, high, or critical based on the CVSS (Common Vulnerability Scoring System) score assigned by the advisory source. Low severity issues might be theoretical edge cases or require unusual conditions to exploit. Critical findings often represent remote code execution, authentication bypasses, or data leakage in common scenarios. Each entry also includes an advisory ID (usually a CVE identifier or GitHub Security Advisory number) and a short description of the flaw, which you can cross-reference in the GitHub Advisory Database or the National Vulnerability Database for deeper context. The dependency path field shows the chain from your direct dependency down to the vulnerable transitive package, helping you understand whether the issue lives in a library you explicitly installed or something five layers deep.
Yarn offers two output modes: a formatted table for terminal readability and a verbose JSON structure for automation. The table mode prints one row per unique vulnerability, listing the package name, installed version, patched version, severity, and the path from your package.json entry to the problematic nested dependency. JSON mode exposes additional metadata like CVSS scores, CWE categories, and full advisory text, along with structured arrays of affected and patched version ranges. Parsing JSON with tools like jq or dedicated libraries makes it possible to filter by severity in shell scripts, generate custom reports, or feed results into dashboards and notification systems.
| Field | Meaning | Example |
|---|---|---|
| Severity | Risk level assigned by CVSS score | high |
| Package Name | Vulnerable library identifier | path-to-regexp |
| Installed Version | Version currently in lockfile | 0.1.7 |
| Patched Version | Version range that fixes the issue | >=0.1.10 |
| Dependency Path | Chain from direct dep to vulnerable package | express > body-parser > path-to-regexp |
Fixing Vulnerabilities Using Yarn Audit and Alternative Methods
The most direct remediation is updating the vulnerable package to a version within the patched range shown in the audit report. Check the dependency path to identify which top-level package pulls in the flawed library, then upgrade that parent dependency to a version that depends on the fixed child. Run yarn upgrade <package-name> (Yarn 1.x) or yarn up <package-name> (Yarn 4) to bump the version, then test your application thoroughly since upgrades can introduce breaking changes, especially across major versions. Always review the package’s changelog or release notes before upgrading to understand what else changed besides the security patch.
When no upstream fix exists or the package maintainer has abandoned the project, you have a few fallback strategies. One option is using patch-package to apply a local source code patch that fixes the vulnerability yourself, keeping the modified version in your repository until an official update arrives. Another approach is replacing the vulnerable dependency with a maintained alternative that offers similar functionality. That requires more work but improves long-term security posture. For transitive dependencies you can also override the resolved version using Yarn’s resolutions field in package.json, forcing a specific patched version even if the parent package hasn’t updated its own dependency range yet.
After applying any fix, rerun the audit to confirm the vulnerability no longer appears in the report. Testing in a development or staging environment is mandatory because dependency changes can break functionality in subtle ways, and automated test suites may not catch every regression. Commit the updated yarn.lock to version control so your team and CI systems use the same resolved dependency versions.
Remediation checklist:
- Update to patched versions – Upgrade parent dependencies that transitively require the vulnerable package
- Use patch-package – Apply manual source patches when no official fix is available yet
- Replace unmaintained packages – Swap out abandoned libraries with actively maintained alternatives
- Manually modify resolutions field – Override transitive dependency versions in
package.jsonto force safe versions - Retry audit after remediation – Verify the vulnerability is resolved by running
yarn auditagain
Comparing Yarn Audit and npm Audit Functionality
Both Yarn audit and npm audit pull vulnerability data from the same upstream source: the npm registry advisory API, which aggregates advisories from the GitHub Advisory Database. This means the set of reported vulnerabilities is largely identical between the two tools, since neither maintains its own independent security research team or curated database. The primary differences lie in how each tool presents findings and handles remediation workflows. Yarn’s default table output emphasizes the dependency path from your direct dependencies to the vulnerable nested package, making it easier to identify which of your choices introduced the risk. npm audit’s default output is more verbose and lists every occurrence of a vulnerable package separately, which can be harder to scan when a single transitive dependency appears in multiple places.
npm includes an npm audit fix subcommand that attempts to automatically upgrade packages within semver-compatible ranges. Yarn 1.x doesn’t ship with an equivalent one-step fix command. Yarn 4 and newer versions offer yarn npm audit for parity with npm’s interface, but the automatic remediation story still differs. Because Yarn doesn’t curate or triage advisories itself, both tools inherit the same limitations around false positives, stale data, and missing coverage for private registries. Choosing between them often comes down to which package manager your project already uses and whether you need the specific output format or workflow automation that one tool provides.
Using Yarn Audit in CI Pipelines and Automation Workflows
Continuous integration systems can parse Yarn audit’s JSON output to enforce security policies and fail builds when vulnerabilities cross a defined threshold. Adding yarn audit --json to a CI job produces a machine-readable report that tools like jq can filter by severity level, letting you block merges or deployments if critical or high-risk issues are detected. This shifts security checks left, catching problems before they reach production. CI environments typically run the audit on every commit or pull request, providing immediate feedback to developers and maintaining a record of vulnerabilities over time in build logs or external monitoring dashboards.
Automated pull request creation tools like Dependabot, Renovate, and Snyk take CI integration further by not just detecting issues but proposing fixes. These services monitor your repository, watch for new advisories or updated package versions, and open PRs that upgrade vulnerable dependencies with minimal manual intervention. Snyk also filters out noise by ignoring devDependencies by default and provides curated remediation advice, including proof-of-exploit examples and prioritization guidance based on reachability analysis. This reduces alert fatigue and helps teams focus on vulnerabilities that actually matter in their runtime context.
GitHub Actions and similar platforms make it straightforward to schedule regular audits and trigger remediation workflows. A scheduled daily or weekly workflow runs yarn audit --json, parses the output with a shell script or Action, and either opens an issue, sends a Slack notification, or auto-merges low-risk upgrades if tests pass. Combining Yarn audit with jq expressions allows precise filtering. For example, you can extract only packages with high severity and a known exploit in the wild.
CI and automation patterns:
- Setup CI task – Add
yarn audit --jsonto your pipeline YAML, capturing exit codes and output - Parse JSON with jq – Filter by severity (
jq '.advisories[] | select(.severity=="high")') or count findings - Fail on severity threshold – Use exit codes or
jqlogic to fail builds when high or critical issues exist - Auto-upgrade workflow patterns – Integrate Dependabot, Renovate, or Snyk to open PRs for safe version bumps
- Daily or weekly scheduled scans – Run audits on a cron schedule to catch newly disclosed vulnerabilities between code changes
Enhancing Yarn Audit with Snyk and Third-Party Tools
Yarn audit alone may be insufficient for comprehensive dependency security because it relies solely on the npm/GitHub advisory feed, which can lag behind disclosure timelines, miss vulnerabilities in less popular packages, and lack triage context. Third-party software composition analysis (SCA) tools augment the base audit with curated vulnerability databases, reachability analysis, and coverage beyond Node.js packages. Snyk is a prominent example: it provides a broader advisory database that includes non-npm ecosystems, prioritizes vulnerabilities based on whether the vulnerable code path is actually used in your application, and can scan Docker images, Kubernetes manifests, and Terraform configurations alongside your dependencies.
Snyk’s integration with GitHub and GitLab enables automated remediation by opening pull requests with dependency upgrades, often including release notes and compatibility guidance. The platform continuously monitors your repositories for new disclosures, alerting you the moment a vulnerability is published rather than waiting for your next manual audit run. AuditCI is another tool designed for CI pipelines, offering configurable severity thresholds and compatibility with both npm and Yarn audit outputs, which makes it easy to enforce policies without writing custom parsing scripts.
Complementary tools:
- Snyk – Curated advisories, automated PRs, continuous monitoring, multi-language and infrastructure scanning
- AuditCI – Enforces severity thresholds in CI, works with both npm and Yarn, minimal configuration
- npm audit as supplement – Run npm audit in parallel to compare findings and catch discrepancies
- OSS Index or alternative SCA services – Cross-reference with other vulnerability databases for broader coverage
Handling Yarn Audit in Monorepos and Workspace Structures
Yarn’s workspace feature allows multiple packages to coexist in a single repository, sharing a common lockfile at the root. When you run an audit in a workspace-enabled project, Yarn analyzes the entire dependency graph across all workspaces, reporting vulnerabilities that affect any package in the monorepo. This unified view simplifies security management because you see every issue in one report. But it also means a vulnerability in a dev-only workspace package will appear alongside production dependencies unless you filter by group.
Managing remediation in workspaces requires understanding whether your dependencies are hoisted to the root or isolated per workspace. Most configurations hoist shared dependencies to the top-level node_modules, meaning a single upgrade can fix the issue for all workspaces that depend on that package. If you use nohoist or isolated lockfiles, each workspace may need its own version bump. Always verify which workspace introduced the vulnerable dependency by examining the path field in the audit output, then update the relevant package.json and rerun the audit to confirm the fix propagates through the lockfile.
| Workspace Type | Lockfile Behavior | Audit Impact |
|---|---|---|
| Root + hoisted deps | Single yarn.lock at root | One audit scans all workspaces; upgrade once, fix everywhere |
| Isolated nohoist | Separate or mixed lockfiles | Audit reports per-workspace paths; upgrades may need repetition |
| Mixed dev/prod workspaces | Shared lockfile | Use –groups to filter findings by dependencies vs devDependencies |
Troubleshooting Common Yarn Audit Issues and Inaccuracies
False positives and outdated advisories are the most common friction points with Yarn audit. Because Yarn mirrors the GitHub Advisory Database without additional curation, you may see warnings for vulnerabilities that don’t apply to your usage pattern or have been disputed by the package maintainer. The advisory feed can also lag behind actual disclosure timelines or fail to retract advisories that were later found to be incorrect. If a vulnerability seems irrelevant, cross-check the advisory ID in the GitHub database and review the exploit conditions to decide whether it poses real risk in your application.
Environmental issues frequently block audits or produce incomplete results. Network proxies, firewall rules, and private registry configurations can prevent Yarn from reaching the npm advisory endpoint. When running offline or behind a corporate proxy, you may need to configure registry mirrors, provide authentication tokens, or whitelist the advisory API domain. Private registries often don’t host vulnerability data at all, so packages installed from internal sources won’t be scanned unless you integrate a tool that supports private package scanning, like Snyk or JFrog Xray. Rate limits on the public advisory API can also cause intermittent failures during high-volume CI runs, which usually resolve by retrying the command or spreading audit jobs across time to avoid burst traffic.
Final Words
Run yarn audit to scan your project deps for known vulnerabilities using the npm/GitHub advisory feed. We covered what the command reports, Yarn v1 vs v4 differences, and the key output fields you’ll use to triage issues.
You also saw how to run it with useful flags (–json, –level, –groups), parse results in CI, and remediate by upgrading, patching, or replacing packages. We touched on Snyk, monorepo quirks, and common troubleshooting steps.
That’s the yarn audit command explained in practical terms — automate scans, act on findings, and keep dependency risk small.
FAQ
Q: What does the yarn audit command do?
A: The yarn audit command scans your project’s Node.js dependencies for known security vulnerabilities using the npm/GitHub advisory feeds and prints details like severity, affected package, path, and suggested fixes.
Q: How does yarn audit differ between Yarn 1.x and Yarn 4?
A: The difference is that Yarn 1.x uses yarn audit while Yarn 4 runs yarn npm audit; Yarn 4 leans on npm’s audit behavior and JSON handling, and lockfile generation/handling can vary by version.
Q: How do I run yarn audit and what flags should I know?
A: You run yarn audit (or yarn npm audit in Yarn 4); useful flags include –json, –level, –groups, and watching exit codes for CI. Typical use: yarn audit –json and parse results.
Q: What does yarn audit –json do and when should I use it?
A: The yarn audit –json option outputs machine-readable JSON, which you should use in CI pipelines or scripts to parse results, apply thresholds, and automate failing or creating tickets.
Q: How do I interpret the fields in yarn audit output?
A: The yarn audit output shows severity levels, package name, dependency path, installed vs patched versions, advisory ID and metadata, plus optional CVSS references for assessing risk and remediation priority.
Q: How do I fix vulnerabilities found by yarn audit?
A: You fix vulnerabilities by updating to patched versions, using patch-package if no upstream fix exists, replacing unmaintained deps, adjusting resolutions, then retesting and rerunning the audit.
Q: How should I integrate yarn audit into CI pipelines?
A: You should run yarn audit –json in CI, parse results (jq or script), fail builds on a chosen severity, schedule regular scans, and pair with auto-PR tools like Dependabot or Renovate for fixes.
Q: When should I use Snyk or other third-party tools with yarn audit?
A: You should add Snyk or similar when you want curated advisories, continuous monitoring, automated PRs, and scanning beyond Node.js packages (Docker, IaC), since yarn audit only reports raw advisory data.
Q: How does yarn audit behave in monorepos and workspaces?
A: The yarn audit command traverses the workspace dependency graph; lockfile setup (single versus per-workspace) affects results and remediation scope, so run audits where the consolidated lockfile lives.
Q: Why does yarn audit show false positives or miss advisories?
A: False positives or missing advisories come from advisory feed delays, GitHub DB gaps, private registries, network proxies, or offline environments—Yarn doesn’t curate or enrich advisory data.
Q: What do yarn audit exit codes mean and how do I fail builds on vulnerabilities?
A: Exit codes reflect vulnerability detection (non-zero on failures depending on flags); to fail builds, run yarn audit –json, parse severities, and exit non-zero when results exceed your defined threshold.