
dan3460

GitHub Security alerts - yarn

I'm trying to solve some security vulnerabilities that GitHub is reviewing in my code. All the ones left are defined in the yarn.lock file. How do I update the yarn.lock so the dependencies are up to date?

bobbybouwmann

Well, you need to look at which dependency is having security issues. Then you need to figure out which dependency is using that dependency. You can then run yarn why <dependency>. This way you can see what the parent package is.

Run yarn upgrade to update all dependencies. This might even fix everything for you in one go!

Also, just running yarn outdated helps a lot. It shows all the dependencies that have a newer version. Upgrading those might already solve your issue.
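As an added example (not code from this thread or from yarn itself), the two questions above, which version is actually pinned and which parent package pulls it in, can be answered by walking the yarn.lock v1 format directly, the way yarn why does. The lockfile, package names, versions and URLs below are constructed placeholders.

```shell
#!/bin/sh
# Added example: walk a yarn.lock v1 file offline, mirroring what "yarn why"
# reports. The lockfile below is constructed for this example (not from the
# thread); "lodash" stands in for the flagged package, "laravel-mix" for its
# parent; versions and URLs are placeholders.
LOCKFILE=$(mktemp)
trap 'rm -f "$LOCKFILE"' EXIT
cat > "$LOCKFILE" <<'EOF'
# yarn lockfile v1

laravel-mix@^4.0.7:
  version "4.0.7"
  resolved "https://registry.yarnpkg.com/laravel-mix/-/laravel-mix-4.0.7.tgz#placeholder"
  dependencies:
    lodash "^4.17.4"
    webpack "^4.27.1"

lodash@^4.17.4, lodash@^4.17.11:
  version "4.17.11"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz#placeholder"
EOF

# lock_version PKG: the exact version yarn resolved for PKG, the value a GitHub
# alert on yarn.lock refers to. Handles "a@^1, a@^2:" headers and scoped names.
lock_version() {
  awk -v pkg="$1" '
    /^[^ #]/ { hit = 0; n = split($0, specs, ", ")
               for (i = 1; i <= n; i++) { s = specs[i]; gsub(/"/, "", s)
                 sub(/@[^@]*$/, "", s); if (s == pkg) hit = 1 } }
    hit && /^  version / { gsub(/"/, "", $2); print $2; exit }
  ' "$LOCKFILE"
}

# lock_dependents PKG: every entry that pulls PKG in, with the range it asks for
# (the parent "yarn why" names). No output means PKG is a direct dependency in
# package.json, so the fix belongs there rather than in a parent package.
lock_dependents() {
  awk -v pkg="$1" '
    /^[^ #]/ { cur = $1; gsub(/"/, "", cur); sub(/@[^@]*$/, "", cur); indeps = 0 }
    /^  dependencies:/ { indeps = 1; next }
    /^  [^ ]/ { indeps = 0 }
    indeps && /^    / { gsub(/"/, "", $2); if ($1 == pkg) print cur, $2 }
  ' "$LOCKFILE"
}

lock_version lodash      # 4.17.11
lock_dependents lodash   # laravel-mix ^4.17.4
```

Point LOCKFILE at a real yarn.lock and pass the package named in the alert; if the parent's range already admits the fixed version, yarn upgrade will pick it up, otherwise the parent itself needs updating.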

dan3460

This is a stupid question, but I have never used yarn. I think the yarn.lock file is installed when I run npm install. I tried to run yarn upgrade and the bash window could not find yarn. Do I have to install yarn too?

Cronix

And stick to using just one (npm, or yarn). Don't be installing packages with npm, and then upgrading them with yarn, etc. Install with one, upgrade with the same one, etc. Don't mix their usage.

dan3460

I don't think, at least on the project that I got the security alert for, that I ever used npm to install any package. After I create the Laravel project I run npm install and then npm run-dev to compile SCSS and any JS that I have modified. I normally use Composer to install any packages that I may need for the project. So I'm a little confused (sorry if this is way basic): is there a "yarn run-dev" and one for production?

bobbybouwmann

Yarn is basically the same as npm, but just a bit faster. It does the same things, but in a different, more efficient way.

Anyway, if you started with npm I would stick to npm and remove any references to yarn. If you want to use yarn instead, use that and remove all references to npm.

So for yarn you need package.json and yarn.lock. For npm you need package.json and package-lock.json.

For installing you either run yarn or npm install.

For compiling you either run yarn dev or npm run dev, and so on.

dan3460

OK, understood. Thanks very much.

Snapey

Laravel ships with a yarn.lock file.

If you don't use yarn then you can safely delete it.

GitHub is only warning that you have a specific package version listed in yarn.lock that has a security vulnerability.