Yarn audit and autoclean commands

Last update on August 19 2022 21:50:32 (UTC/GMT +8 hours)

In this tutorial we will introduce you to yarn audit and autoclean commands.

Yarn audit

The yarn audit command checks for vulnerabilities in your installed packages.

yarn audit [--verbose] [--json] [--level]

The command above will check for known security issues with your installed packages.

The output will be a list of known issues.

For you to perform an audit, you have to be online. If you are offline, the audit will be skipped.

The audit command exits with a non-0 exit code if there are issues of any severity found. Here is what the exit codes represent:

1 for INFO
2 for LOW
4 for MODERATE
8 for HIGH
16 for CRITICAL

Take for example if yarn audit found only LOW and MODERATE vulnerabilities were found, then the exit code will be 2+4 =6. Yarn audit also supports the - -json flag for scripting purposes. This flag outputs the details for the issues in JSON-lines format (one JSON object per line) rather than plain text.

If you experience issues with the audit command, you will need to run the yarn audit - -verbose from your command line. This outputs the JSON data that yarn sends to the npm registry as well as the response data, then it will open an issue on GitHub that includes the data.

Commands

yarn audit [--level info|low|moderate|high|critical]

The level limits the audit table to vulnerabilities to the corresponding level and above. It does not affect the exit code of the command.

Yarn autoclean

The autoclean command will remove unnecessary file from package dependencies.

yarn autoclean [-I/--init] [-F/--force]

The autoclean command will free up space by removing the files and folders that are unnecessary from your dependencies. It will reduce the number of files that are in the node_modules folder of your project. This is useful in an environment where packages are checked directly into version control.

It should be noted that this command is considered for advanced use cases only. Using this command is not recommended unless you are experiencing issues with the amount of files that are installed as part of node_module. It deletes files in node_modules folder which could cause packages to stop working.

The autoclean functionality is disabled by default. If you want to enable it, you can manually create a .yarnclean file, or you run yarn autoclean - -init from the command line to create the file with default entries.

Autoclean functionality will be fully enabled whenever the .yarnclean file exists in a package. This clean will be performed:

After an install
After an add
If yarn autoclean --force is run

Options

Here are some options available to yarn autoclean.

-I/--init : This option creates the .yarnclean file if it does not exist, and then it adds the default entries. It is recommended that you review this file and edit it, to customize which files are to be cleaned. If the .yarnclean file already exists, it is not overwritten.

-F/--force : If there is a .yarnclean file, run the clean process else, do nothing.

Defaults:

When you use the yarn autoclean --init command to create a .yarnclean file, it is pre-populated with a set of default items for deletion. This default list is a guess at what might not needed. It is impossible to predict all files and directories that are unnecessary for all existing and future NPM packages, so this default list could cause a package to no longer work.

It is recommended that you review the default entries in .yarnclean manually and customize them to suit your needs.

If the autoclean process is deleting files that are needed for a package to work properly, you should remove the corresponding entry from the .yarnclean file.

Example:

If you decide that all YAML and Markdown files in all your dependencies installed in node_modules can be safely deleted. You make a .yarnclean file that contains:

*.yaml

*.md

Then you will have to run yarn install or yarn autoclean -force from the command line. Now, the clean process deletes all *.yaml and *.md files that is within node_modules/ recursively (including nested transitive dependencies).

Previous: Yarn add
Next: Yarn bin and cache commands