Snyk for Yarn
Feature availability: features may not be available, depending on your plan. See pricing plans for details.
Yarn Version / Feature
Snyk uses the Yarn lockfile (yarn.lock) to generate a representation of Project dependencies.
The files Snyk relies on to scan a Project may change on version upgrades of the package manager. Therefore Snyk lists only versions verified internally as supported.
If you are using a newer version of Yarn than is listed on this page, Snyk may still perform as expected, because that Yarn version writes a lockfile version that is already supported. That version of Yarn has likely not yet been evaluated and so has not been added to this page.
Snyk builds a dependency graph and then uses the vulnerability database to find vulnerabilities in any of the packages anywhere in that tree.
To scan your dependencies, ensure you install the relevant package manager, and that your Project contains the supported manifest files.
The way Snyk analyzes and builds the graph varies depending on the language and package manager of the Project, as well as the location of your Project.
For the ways you can scan Projects with Snyk, see Snyk CLI for Yarn projects and Git services for Yarn projects.
Snyk analyzes your yarn.lock files to build a fully structured dependency tree. If the yarn.lock is missing, Snyk analyzes your
To get started using the CLI for Yarn projects:
- Make sure Yarn is installed.
- Make sure you are in a directory with Yarn Project files, that is,
You can now test and monitor your Project using
For information about the snyk test options available for use with Yarn, see Options for Yarn projects in the Test help. For the available snyk monitor options, see Options for Yarn projects in the Monitor help.
Because different versions of Yarn have different feature sets, Snyk support differs between Yarn versions in order to best match how each version of the package manager works.
Resolutions are supported in Yarn v2 only. Yarn v1 resolutions are not supported.
nohoist is not supported for Yarn Workspaces.
For Yarn Workspaces, use the --all-projects flag to test and monitor your packages together with other Projects, or --yarn-workspaces to scan Yarn Workspaces Projects only. The root lock file is referenced when scanning all the packages. Use the --detection-depth option to find sub-folders that are not auto-discovered by default.
snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 scans the packages that belong to any discovered workspaces in this directory and five sub-directories deep, as well as any other Projects detected.
snyk test --yarn-workspaces --strict-out-of-sync=false --detection-depth=6 scans only the Yarn Workspace packages that belong to any discovered workspaces in this directory and five sub-directories deep.
You may use a common .snyk policy file if you maintain ignores and patches in one place, applied to all detected workspaces by passing the policy path:
snyk test --all-projects --strict-out-of-sync=false --policy-path=src/.snyk
Yarn Projects can be imported from any of the Git services Snyk supports. After import, Snyk analyzes your Projects based on their supported manifest files.
Snyk scans based on these files being present:
For Yarn Workspaces, only the package.json file is updated in Snyk fix PRs. The yarn.lock file is not updated.
In Yarn v2 the zero-installs feature was released, which allows Yarn developers to work on a project without having to run yarn to install dependencies on their machine. It achieves this by installing all the dependencies of a project inside the .yarn/cache directory and asking users to commit this directory to their version control system, so that the next developer pulls any new dependencies directly from the repo.
If you are using the zero-installs feature, Snyk fix PRs do not update the .yarn/cache directory. You must run yarn yourself to update this directory after merging a fix PR.
Scan and fix devDependencies
If this is selected, Snyk reads the "devDependencies" property on the
Require package.json and yarn.lock to be in sync
When this is selected, if the
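The dependency tree that Snyk builds from yarn.lock, the devDependencies setting, and the package.json/yarn.lock sync check above, as an added example that is not Snyk's code: a small Node.js script that parses a Yarn v1 lockfile (the v1 text format only; Yarn v2 lockfiles are YAML and are not handled here), resolves the ranges declared in package.json through it, lists the resolved name@version pairs, and reports any declared dependency that has no lockfile entry. The package.json object, the lockfile text and all function names are constructed for this example.

```javascript
// Added example, not Snyk's code: parse a Yarn v1 yarn.lock, resolve the ranges
// declared in package.json against it to build the dependency tree, and report
// declared dependencies that have no lockfile entry (package.json out of sync).
// SAMPLE_PACKAGE_JSON and SAMPLE_LOCK are constructed for this example.

const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  version: "1.0.0",
  dependencies: { debug: "^4.3.1", minimist: "^1.2.5" },
  // Declared but deliberately absent from SAMPLE_LOCK: out of sync once dev deps are scanned.
  devDependencies: { "left-pad": "^1.3.0" },
};

const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

debug@^4.3.1:
  version "4.3.4"
  integrity sha512-constructed
  dependencies:
    ms "2.1.2"

minimist@^1.2.5:
  version "1.2.8"
  integrity sha512-constructed

ms@2.1.2:
  version "2.1.2"
  integrity sha512-constructed
`;

// Parse the v1 lockfile into Map<"name@range", {version, dependencies}>.
// A top-level key line lists one or more comma-separated "name@range" specifiers
// (optionally quoted) and ends with ":"; its indented body holds version,
// resolved, integrity and an optional "dependencies:" block of "name range" lines.
function parseYarnLockV1(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0 && line.endsWith(":")) {
      current = { version: null, dependencies: {} };
      inDeps = false;
      for (const key of line.slice(0, -1).split(",")) {
        entries.set(key.trim().replace(/^"|"$/g, ""), current);
      }
    } else if (indent === 2 && current) {
      const body = line.trim();
      inDeps = body === "dependencies:" || body === "optionalDependencies:";
      const m = body.match(/^version "?([^"]*)"?$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && current && inDeps) {
      const m = line.trim().match(/^"?([^"\s]+)"? "?([^"]*)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Resolve each declared range through the lockfile. Every name@version is
// expanded once; later occurrences are kept as leaves so cycles terminate.
function buildTree(pkg, lock, { includeDev = true } = {}) {
  const declared = { ...(pkg.dependencies || {}), ...(includeDev ? pkg.devDependencies || {} : {}) };
  const outOfSync = [];
  const expanded = new Set();
  function resolve(name, range) {
    const entry = lock.get(`${name}@${range}`);
    if (!entry) {
      outOfSync.push(`${name}@${range}`);
      return { name, version: null, dependencies: [] };
    }
    const node = { name, version: entry.version, dependencies: [] };
    const id = `${name}@${entry.version}`;
    if (expanded.has(id)) return node;
    expanded.add(id);
    for (const [depName, depRange] of Object.entries(entry.dependencies)) {
      node.dependencies.push(resolve(depName, depRange));
    }
    return node;
  }
  const root = { name: pkg.name, version: pkg.version, dependencies: [] };
  for (const [name, range] of Object.entries(declared)) root.dependencies.push(resolve(name, range));
  return { root, outOfSync };
}

// Unique resolved name@version identifiers below the root: what gets matched against a vulnerability database.
function resolvedPackages(root) {
  const ids = new Set();
  (function walk(node) {
    for (const child of node.dependencies) {
      if (child.version !== null) ids.add(`${child.name}@${child.version}`);
      walk(child);
    }
  })(root);
  return [...ids].sort();
}

console.log(buildTree(SAMPLE_PACKAGE_JSON, parseYarnLockV1(SAMPLE_LOCK)).outOfSync); // [ 'left-pad@^1.3.0' ]
```

With devDependencies included the script reports left-pad@^1.3.0 as out of sync; with `includeDev: false` the list is empty. That is why a Project can pass with devDependencies excluded and fail once they are scanned, and why `--strict-out-of-sync=false` is needed to test a tree the lockfile does not fully cover.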
Exclude yarn.lock from being generated when fixing vulnerabilities
If you are using private mirrors or registries, a Snyk-generated lock file might not be appropriate for you because Snyk uses the npm registry to update the lockfile. This setting allows you to opt out of getting lockfiles generated for you in Snyk fix pull requests and merge requests.
1. Log in to your account and navigate to the relevant Group and Organization that you want to manage.
2. Select Settings > Languages