yarn npm audit — Yarn CLI reference

Audit installed npm packages for known vulnerabilities


yarn npm audit

This command checks selected npm packages against advisory data from the configured audit registry. Advisory relevance depends on how the package is used in your project.

For consistency with our other commands, the default is to check only the direct dependencies of the active workspace. To extend this search to all workspaces, use -A, --all. To extend this search to both direct and transitive dependencies, use -R, --recursive.

Applying the --severity flag will limit the audit table to vulnerabilities of the corresponding severity and above. Valid values are info, low, moderate, high, and critical.

If the --json flag is set, Yarn will print the output exactly as received from the registry. Regardless of this flag, the process will exit with a non-zero exit code if a report is found for the selected packages.

If certain packages produce false positives for a particular environment, the --exclude flag can be used to exclude any number of packages from the audit. This can also be set in the configuration file with the npmAuditExcludePackages option.

If particular advisories need to be ignored, the --ignore flag can be used with advisory IDs to ignore any number of advisories in the audit report. This can also be set in the configuration file with the npmAuditIgnoreAdvisories option.
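The same exclusions and ignores can live in the project's `.yarnrc.yml` instead of being repeated on every invocation. This fragment is an added example, not taken from the Yarn documentation; the package glob and the advisory ID are constructed placeholders to replace with your own values:

```yaml
# .yarnrc.yml (constructed example, not from the Yarn documentation)
# Equivalent to passing --exclude and --ignore on every `yarn npm audit` run.
npmAuditExcludePackages:
  - "example-internal-*"   # placeholder glob, matched against package names
npmAuditIgnoreAdvisories:
  - "0000000"              # placeholder advisory ID; take the real ID from the audit report
```

Keep the list short and reviewed: every entry hides findings from the audit, so each one should name the advisory or package it silences and why it does not apply to this project.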

To understand which parts of the dependency tree require vulnerable packages, check the raw report with the --json flag or use yarn why <package> to see which packages depend on them.
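Putting the flags above together, here is an added shell example (not from the Yarn documentation) of a CI gate that audits every workspace, including transitive dependencies, fails the build when an advisory at a chosen severity or above is reported, and keeps the --json report for triage. It assumes Yarn (Berry) is on PATH and the project is already installed; `audit_gate` and the report file name are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example for CI; not part of the Yarn documentation.
# Assumes Yarn (Berry) is on PATH and `yarn install` has already run.

# audit_gate THRESHOLD REPORT_FILE [extra yarn npm audit args...]
#   Audits direct and transitive dependencies of every workspace and fails
#   when any advisory at THRESHOLD or above is reported. The raw NDJSON
#   report is saved so a failure can be triaged without re-running the audit.
#   Extra arguments (for example --ignore <id> or --exclude <glob>) are
#   passed through unchanged.
audit_gate() {
  local threshold=$1
  local report=$2
  shift 2
  local status=0

  # `yarn npm audit` exits non-zero whenever a report is produced for the
  # selected packages. `|| status=$?` records that status without aborting
  # callers that run under `set -e`.
  yarn npm audit --all --recursive --severity "$threshold" --json "$@" > "$report" \
    || status=$?

  if [ "$status" -ne 0 ]; then
    echo "audit: advisories at severity >= $threshold (or an audit error); see $report" >&2
    echo "audit: run 'yarn why <package>' to find who depends on a flagged package" >&2
  else
    echo "audit: no advisories at severity >= $threshold"
  fi
  return "$status"
}
```

Because any non-zero exit is treated as a failure, a registry or network error fails the gate as well, which is the conservative choice for CI. A typical call is `audit_gate high audit-report.ndjson`; an accepted finding can be carried through with `audit_gate high audit-report.ndjson --ignore <id>` while the fix is pending.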

--all, -A (boolean)

Audit direct dependencies from all workspaces

--recursive, -R (boolean)

Include transitive dependencies in the audit

--environment (string)

Dependency environment to audit (all, production, or development)

--json (boolean)

Format the output as an NDJSON stream

--no-deprecations (boolean)

Omit deprecation warnings from the audit request

--severity (string)

Minimum advisory severity to display (info, low, moderate, high, or critical)

--exclude (array)

Package name glob patterns to exclude from the audit

--ignore (array)

Advisory ID glob patterns to ignore in the audit report