yarn-osv-audit
v0.1.8, verified Mon Apr 27; auth: no; language: JavaScript
A lightweight, zero-dependency CLI tool (v0.1.8, active development) that audits Yarn Classic (v1) lockfiles against the OSV.dev vulnerability database. It supports four output formats (compact, table, json, summary), config files, severity filtering, and allowlisting. Unlike npm audit or yarn audit, it uses the open-source OSV database and works with Yarn v1 lockfiles. Requires Node >=18. Released via GitHub Actions with npm provenance.
Common errors

error: Error: Cannot find module 'yarn-osv-audit'
cause: Global install not found or not in PATH.
fix: Install locally: yarn add -D yarn-osv-audit

error: Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'yarn-osv-audit'
cause: Missing package (local install).
fix: Run yarn install or npm install.

error: Error: ENOENT: no such file or directory, open 'yarn.lock'
cause: No yarn.lock file in the current directory.
fix: Run the command in a directory containing a yarn.lock file, or pass the path with --lockfile.

error: Error: Invalid format 'html'. Supported formats: compact, table, json, summary
cause: Unsupported output format specified.
fix: Use one of: compact, table, json, summary.
Warnings

breaking: Requires Node >=18. Older versions (e.g., Node 16) will crash.
fix: Upgrade Node to version 18 or later.

gotcha: Only supports Yarn v1 (Classic) lockfiles. Yarn v2/v3 (Berry) lockfiles are not supported.
fix: Use npm audit or yarn audit (v2) instead.

deprecated: Yarn v1 is itself deprecated and unmaintained. Using this tool only postpones migration to Yarn v3 or npm.
fix: Migrate to Yarn v3 or npm.

gotcha: The tool fetches vulnerability data from osv.dev on every run; the database is not cached locally, so CI runs are slower.
fix: Use --offline or --cache options if available; otherwise accept the network dependency.

gotcha: False positives are possible: the OSV database may list vulnerabilities that do not affect your environment (e.g., only exploitable on Windows).
fix: Use the allowlist in the config file to suppress known false positives.
Install

npm install yarn-osv-audit
yarn add yarn-osv-audit
pnpm add yarn-osv-audit

Imports

- yarn-osv-audit (CLI)
Quickstart

# Yarn v1 lockfile entries must keep their two-space indentation; "..." stands in for the real tarball URL fragment and integrity hash.
mkdir -p /tmp/test-audit && cd /tmp/test-audit &&
echo '{
  "name": "test",
  "version": "1.0.0"
}' > package.json &&
echo '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


semver@^7.5.2:
  version "7.5.2"
  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.2.tgz#..."
  integrity sha512-...

lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#..."
  integrity sha512-...' > yarn.lock &&
npx yarn-osv-audit
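As an added example (not code from the yarn-osv-audit project), this shows the core of what such an audit does with a lockfile like the one above: parse the Yarn v1 entries into name/version pairs, build the body for the OSV.dev querybatch endpoint, and drop allowlisted advisory IDs from the response. The lockfile text and advisory IDs are constructed, and the response shape used by filterAllowlisted is an assumption about the OSV API.

```javascript
// Added example, not yarn-osv-audit's own code: parse a Yarn v1 lockfile into
// {name, version} pairs, build an OSV.dev querybatch body, apply an allowlist.
// Constructed lockfile: a scoped package with two ranges resolving to one version.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.10.4":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#..."
  integrity sha512-...

lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#..."
  integrity sha512-...
`;
// Parse a Yarn v1 lockfile into unique {name, version} pairs.
function parseYarnV1Lock(text) {
  const seen = new Set(), pkgs = [];
  let names = null; // package names of the entry currently being read
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      // Entry header: comma-separated "name@range" keys ending in ':'
      names = raw.replace(/:\s*$/, '').split(',').map((k) => {
        const key = k.trim().replace(/^"|"$/g, '');
        return key.slice(0, key.lastIndexOf('@')); // strip the range, keep @scope
      });
      continue;
    }
    const m = raw.match(/^\s+version\s+"([^"]+)"/);
    if (!m || !names) continue;
    for (const name of names) {
      const id = `${name}@${m[1]}`;
      if (!seen.has(id)) { seen.add(id); pkgs.push({ name, version: m[1] }); }
    }
  }
  return pkgs;
}
// Request body for POST https://api.osv.dev/v1/querybatch; results[i] answers queries[i].
function buildOsvQueryBatch(pkgs) {
  return { queries: pkgs.map((p) => ({ package: { name: p.name, ecosystem: 'npm' }, version: p.version })) };
}
// Drop allowlisted advisory IDs (the page's false-positive fix); assumes response { results: [{ vulns: [{ id }] }] }.
function filterAllowlisted(pkgs, response, allowlist) {
  const allow = new Set(allowlist), findings = [];
  response.results.forEach((r, i) => {
    for (const v of r.vulns || []) if (!allow.has(v.id)) findings.push({ ...pkgs[i], id: v.id });
  });
  return findings;
}
```

Aliased dependencies (name@npm:other@range) are not handled here; a real audit also needs to follow OSV's "affected" ranges for severity filtering.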