@og_soft/yarn-audit-wrapper

Yarn 4+ wrapper around yarn npm audit, compatible with improved-yarn-audit config (.iyarc) and the --groups flag.

Install & build

• From repo root: yarn install
• Build: yarn nx build yarn-audit-wrapper

CLI usage

• Prod only: yarn-audit-wrapper --groups=prod
• Prod + dev + peer: yarn-audit-wrapper --groups=prod,dev,peer
• Help: yarn-audit-wrapper --help
• Flags:
  • --severity=<low|moderate|high|critical>
  • --exclude=<id1,id2> (repeatable: --exclude id1 --exclude id2)
  • --groups=<prod|prod,dev,peer>
• Exit codes: 0 no relevant findings, 1 relevant advisories found, 2 error or Yarn <4

.iyarc format

Free-form text with #/// comments. Put each advisory ID on its own line:

# ignored advisories
GHSA-1234-abcd-efgh
glob (deprecation)

Programmatic API

import { runYarnAudit, filterAdvisories, loadConfig } from '@og_soft/yarn-audit-wrapper';

const config = await loadConfig(process.cwd());
const { advisories } = await runYarnAudit('prod,dev');
const relevant = filterAdvisories(advisories, {
  severityThreshold: config.severity ?? 'low',
  excludeIds: new Set(config.exclude),
});
console.log(relevant);