{"id":23004,"library":"yarn-osv-audit","title":"yarn-osv-audit","description":"A lightweight, zero-dependency CLI tool (v0.1.8, active development) that audits Yarn Classic (v1) lockfiles against the OSV.dev vulnerability database. It supports four output formats (compact, table, json, summary), config files, severity filtering, and allowlisting. Unlike npm audit or yarn audit, it uses the open-source OSV database and works with Yarn v1 lockfiles. Requires Node >=18. Released via GitHub Actions with npm provenance.","status":"active","version":"0.1.8","language":"javascript","source_language":"en","source_url":"https://github.com/duncanhoggan/yarn-osv-audit","tags":["javascript","yarn","audit","security","osv","vulnerability"],"install":[{"cmd":"npm install yarn-osv-audit","lang":"bash","label":"npm"},{"cmd":"yarn add yarn-osv-audit","lang":"bash","label":"yarn"},{"cmd":"pnpm add yarn-osv-audit","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The package is primarily a CLI tool; there is no programmatic API exported. Run the command directly after installing.","symbol":"yarn-osv-audit (CLI)","correct":"yarn-osv-audit"}],"quickstart":{"code":"mkdir -p /tmp/test-audit && cd /tmp/test-audit && echo '{\n  \"name\": \"test\",\n  \"version\": \"1.0.0\"\n}' > package.json && echo '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n# yarn lockfile v1\n\nsemver@^7.5.2:\n  version \"7.5.2\"\n  resolved \"https://registry.yarnpkg.com/semver/-/semver-7.5.2.tgz#...\"\n  integrity sha512-...\n\nlodash@^4.17.21:\n  version \"4.17.21\"\n  resolved \"https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#...\"\n  integrity sha512-...' > yarn.lock && npx yarn-osv-audit","lang":"javascript","description":"Creates a minimal Yarn v1 project with a lockfile containing known vulnerable semver, then runs yarn-osv-audit to scan for vulnerabilities."},"warnings":[{"fix":"Upgrade Node to version 18 or later.","message":"Requires Node >=18.\nOlder versions (e.g., Node 16) will crash.","severity":"breaking","affected_versions":">=0.1.0"},{"fix":"Use npm audit or yarn audit (v2) instead.","message":"Only supports Yarn v1 (Classic) lockfiles. Yarn v2/v3 (Berry) lockfiles are not supported.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Migrate to Yarn v3 or npm.","message":"Yarn v1 is itself deprecated and unmaintained. Using this tool only postpones migration to Yarn v3 or npm.","severity":"deprecated","affected_versions":">=0.1.0"},{"fix":"Use --offline or --cache options if available; otherwise accept network dependency.","message":"The tool fetches vulnerability data from osv.dev every time; no local caching of the database, resulting in slower runs in CI.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Use allowlist in config file to suppress known false positives.","message":"False positives possible: OSV database may include vulnerabilities that do not affect your environment (e.g., only exploitable on Windows).","severity":"gotcha","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Install locally: yarn add -D yarn-osv-audit","cause":"Global install not found or not in PATH.","error":"Error: Cannot find module 'yarn-osv-audit'"},{"fix":"Run yarn install or npm install","cause":"Missing package (local install).","error":"Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'yarn-osv-audit'"},{"fix":"Run the command in a directory containing a yarn.lock file, or specify --lockfile path","cause":"No yarn.lock file in current directory.","error":"Error: ENOENT: no such file or directory, open 'yarn.lock'"},{"fix":"Use one of: compact, table, json, summary","cause":"Unsupported output format specified.","error":"Error: Invalid format 'html'.\nSupported formats: compact, table, json, summary"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}