npm audit versus yarn audit

I have a React Native project (0.61.4) that uses yarn as its package manager.

When I run yarn audit a huge number of vulnerabilities are reported:

18202 vulnerabilities found - Packages audited: 958823
Severity: 18202 High
✨  Done in 14.34s.

Most are in some very deep dependency paths. For instance:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native > @react-native-community/cli >                 │
│               │ metro-react-native-babel-transformer > @babel/core > lodash  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

When I run npm audit, it first reports:

Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile

So I run:

npm i --package-lock-only

A package-lock.json file is generated. On inspection this file seems correct.

When I now run npm audit, the results are:

=== npm audit security report ===

found 0 vulnerabilities

I don't understand the discrepancy between these two package managers. Why does npm report 0 errors, and yarn 18.202?

It's very hard to estimate why this is happening without looking at both lock files and comparing them. But, as far as I can tell, it can happen only if the two lock files resolve to different versions of the same dependencies.

Your yarn.lock file was generated earlier, so it contains old, vulnerable versions of dependencies; since the package-lock.json was generated afterwards, it would have resolved to the latest/fixed versions of those dependencies.

Remember that npm i --package-lock-only only creates the package-lock.json file and doesn't install anything, but it won't be at par with the actually installed packages. I think you assumed that running that command would just derive the lock file from the installed packages, but it actually generates the lock file as if you had run it without the flag.

So in conclusion, both lock files resolve to different (minor/patch) versions of the same dependencies.
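One way to verify the hypothesis in the answer above is to compare the versions each lock file actually pins. The Node script below is an added example, not part of the original post or of npm/yarn; it parses a yarn.lock v1 header/version layout and walks a lockfileVersion 1 package-lock.json, using constructed lock-file excerpts in place of the asker's real files.

```javascript
// Constructed minimal lock-file excerpts (not the asker's real files): both
// satisfy the same ranges, but yarn.lock pins the older, vulnerable lodash.
const YARN_LOCK = `# yarn lockfile v1

"@babel/core@^7.0.0":
  version "7.4.5"

lodash@^4.17.10, lodash@^4.17.4:
  version "4.17.11"
`;
const PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    "@babel/core": { version: "7.4.5", dependencies: { lodash: { version: "4.17.15" } } },
  },
});

const add = (map, name, v) => (map.get(name) || map.set(name, new Set()).get(name)).add(v);

// yarn.lock v1: an unindented header "name@range, name@range:" is followed by an
// indented `version "x.y.z"` line. Returns Map<name, Set<version>>.
function yarnVersions(text) {
  const out = new Map();
  let names = [];
  for (const line of text.split("\n")) {
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(", ").map((spec) => {
        const s = spec.replace(/^"|"$/g, "");
        return s.slice(0, s.lastIndexOf("@")); // strip the range; scoped names keep their leading "@"
      });
    } else if (/^\s+version\s+"/.test(line)) {
      for (const n of names) add(out, n, line.trim().split('"')[1]);
    }
  }
  return out;
}

// package-lock.json (lockfileVersion 1): walk the nested "dependencies" tree.
function npmVersions(node, out = new Map()) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    add(out, name, dep.version);
    npmVersions(dep, out);
  }
  return out;
}

// Packages whose set of resolved versions differs between the two lock files.
function lockDiff(yarnText, npmText) {
  const y = yarnVersions(yarnText), n = npmVersions(JSON.parse(npmText)), diff = {};
  for (const name of new Set([...y.keys(), ...n.keys()])) {
    const a = [...(y.get(name) || [])].sort(), b = [...(n.get(name) || [])].sort();
    if (a.join() !== b.join()) diff[name] = { yarn: a, npm: b };
  }
  return diff;
}
console.log(lockDiff(YARN_LOCK, PACKAGE_LOCK)); // → { lodash: { yarn: [ '4.17.11' ], npm: [ '4.17.15' ] } }
```

Run it against a real project by reading yarn.lock and package-lock.json from disk with fs.readFileSync; any package listed in the output is one where the two audits are looking at different code.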
