Describe the user story
We need the classic yarn audit in yarn2.
Describe the solution you'd like
yarn audit [--level info|low|moderate|high|critical]
Applying the level flag will limit the audit table to vulnerabilities of the corresponding level and above. It will not affect the exit code of the command.
yarn audit [--groups group_name ...]
Applying the groups flag will limit the audit table to vulnerabilities of the corresponding dependency groups (e.g. dependencies, devDependencies).
Describe the drawbacks of your solution
Describe alternatives you've considered
Additional context
I don't know if this can be implemented via a plugin or not.
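The flag semantics requested above, as an added example that is not part of the original thread and is not Yarn's code. The finding shape, function names and sample data are assumptions; the exit-code bit values are the ones Yarn 1.x documents for `yarn audit`.

```javascript
// Severity order for --level, lowest first.
const LEVELS = ["info", "low", "moderate", "high", "critical"];
// Yarn 1.x audit exit code: one bit per severity that was found.
const EXIT_BITS = { info: 1, low: 2, moderate: 4, high: 8, critical: 16 };

// Constructed sample findings (hypothetical package names and shape).
const SAMPLE = [
  { module: "pkg-a", severity: "low", group: "devDependencies" },
  { module: "pkg-b", severity: "high", group: "dependencies" },
  { module: "pkg-c", severity: "critical", group: "devDependencies" },
  { module: "pkg-d", severity: "moderate", group: "dependencies" },
];

// Rows for the audit table: severity at or above `level`, and, when
// `groups` is non-empty, only findings from those dependency groups.
function filterFindings(findings, { level = "info", groups = [] } = {}) {
  const min = LEVELS.indexOf(level);
  if (min === -1) throw new Error(`unknown level: ${level}`);
  return findings.filter((f) => {
    const rank = LEVELS.indexOf(f.severity);
    const levelOk = rank === -1 || rank >= min; // never hide an unrecognised severity
    const groupOk = groups.length === 0 || groups.includes(f.group);
    return levelOk && groupOk;
  });
}

// Bitmask over every finding passed in.
function exitCode(findings) {
  return findings.reduce((mask, f) => mask | (EXIT_BITS[f.severity] || 0), 0);
}

// The table is filtered, the exit code is not. The request states this for
// --level; treating --groups the same way is an assumption of this sketch.
function audit(findings, opts) {
  return { rows: filterFindings(findings, opts), exitCode: exitCode(findings) };
}

const result = audit(SAMPLE, { level: "high" });
console.log(result.rows.map((f) => f.module), result.exitCode);
```

A CI job that relies on the exit code still fails on the low and moderate findings here even though `--level high` hides them from the table, so gating on severity needs its own check of the exit-code bits.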
The npm audit endpoint is still undocumented, and I don't want Yarn core to reverse engineer it.
I don't know if this can be implemented via a plugin or not.
Yep, it definitely can, and should.
Sorry, maybe I'm missing something. Why does yarn 1.x have this feature?
Because at the time we didn't have interfaces to allow for such features to be implemented outside the core. Now that we do, we don't need this to live in the core anymore.
I created a simple package (not a plugin) for checking Yarn 2 dependencies: https://www.npmjs.com/package/@efrem/auditdeps.
It uses the https://www.npmjs.com/advisories REST API.
I'm not sure if it should be implemented as a plugin.