I'm looking for a way to audit dependencies for vulnerabilities in Yarn 2. In Yarn 1.x it was possible the same was as in npm, by running yarn audit instead of npm audit. But with Yarn 2 there is no such command. And according to this issue on the berry github, it won't be implemented (project maintainers prefer it was done via plugin).

I have tried running npm install --package-lock-only && npm audit but the install chokes on some of my local packages (which I am listing in package.json using the link: url type).

It wouldn't be a complex plugin to build and I'm up for some fun doing so, but it would not be so muchfun as just installing something and then going about my day. I have looked around but always end up at the same couple of vapourware / abandonware repos.

But I still guess that I'm just not finding them. Or there's an undocumented trick for making it easy. Hence my question :)

PS, yeah I can delete the local packages using link: temporarily while I run the npm install and npm audit commands above, but it's not exactly the kind of thing I want to try and automate for CI.

Update (28-Oct-2020):
Yarn 2 just merged long-awaited yarn npm audit enhancement.

PR - https://github.com/yarnpkg/berry/pull/1892
Docs - https://yarnpkg.com/cli/npm/audit

I was experimenting with Yarn 2 recently, and I saw that you can do this with @efrem/auditdeps utility:

yarn dlx @efrem/auditdeps [--level=(low|moderate|high|critical)] [--production]

The output is not as pretty as from npm audit, but you get more details in JSON format and you can pipe it to other tools or to any custom reformatting script to get exactly what you want.

I'd try https://snyk.io/ not free for huge team commercial use, but it could get you started on daily runs etc.

( I'm not affiliated in any way with Snyk.io )