Description
Hi,
I want to be notified of deprecated packages, but treat them as warnings, not errors. Currently, the yarn audit configuration system is too simple: black and white. The only option is to fail on deprecated packages, or hide them entirely from reports.
A more flexible option like --warn-on-deprecated is important to help developers manage projects large and small. This way, all developers gain visibility into risky packages, while continuing to focus on CVE resolution. Always show deprecations. Maintain a successful exit code, UNLESS a CVE is found, OR (deprecated package is found AND --warn-on-deprecated is turned off (default)).
As a workaround, users can dump JSON and manipulate it. But that's way too much effort for the average coder, sucking valuable time away from developing their app to juggle low level cybersecurity minutiae.
By the way, npm audit fails to report many unmaintained packages like boolean, compared to yarn npm audit --all --recursive. Someone should nudge them to align deprecated package data with yarn. The hundred-odd inconsistencies between these package managers are maddening.
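A worked example of the "dump JSON and manipulate it" workaround, implementing the exit-code policy proposed above (deprecations always shown, success unless a vulnerability is found or a deprecation is found with `--warn-on-deprecated` off). This is an added example, not code from the issue or from Yarn itself. It assumes a hypothetical NDJSON shape for `yarn npm audit --json` output (one object per line with `value` and `children.{ID,Issue,Severity,URL}`) and assumes a deprecation can be recognised by an `Issue` text that begins with "Deprecated"; both are assumptions to check against the real output of your Yarn version before relying on the script. The `--warn-on-deprecated` flag name is the one proposed in the issue; the sample audit output is constructed.

```javascript
// Added example: post-process `yarn npm audit --json` so that deprecations are
// reported as warnings while real vulnerabilities still fail the command.
// ASSUMPTION (hypothetical, verify against your yarn version): the audit emits
// one JSON object per line, shaped like
//   {"value":"<package>","children":{"ID":...,"Issue":"...","Severity":"...","URL":"..."}}
// and a deprecation is an entry whose "Issue" text begins with "Deprecated".

const DEPRECATION_RE = /^deprecated\b/i;

// Normalise one raw output line into a finding, or null for blank/non-JSON lines
// (yarn also prints human-readable progress lines, which are skipped).
function parseAuditLine(line) {
  const trimmed = line.trim();
  if (!trimmed.startsWith('{')) return null;
  let record;
  try {
    record = JSON.parse(trimmed);
  } catch {
    return null;
  }
  const children = record.children || {};
  const issue = String(children.Issue || '');
  return {
    name: String(record.value || '<unknown>'),
    kind: DEPRECATION_RE.test(issue) ? 'deprecation' : 'vulnerability',
    severity: String(children.Severity || 'unknown').toLowerCase(),
    detail: issue,
    url: children.URL || null,
  };
}

function parseAudit(text) {
  return text.split('\n').map(parseAuditLine).filter((f) => f !== null);
}

// Exit-code policy proposed in the issue: succeed UNLESS a vulnerability is
// found, OR (a deprecation is found AND --warn-on-deprecated is off).
function decideExitCode(findings, { warnOnDeprecated = false } = {}) {
  const hasVuln = findings.some((f) => f.kind === 'vulnerability');
  const hasDeprecation = findings.some((f) => f.kind === 'deprecation');
  if (hasVuln) return 1;
  if (hasDeprecation && !warnOnDeprecated) return 1;
  return 0;
}

// Deprecations are always shown (as WARN); vulnerabilities are shown as FAIL.
function formatReport(findings) {
  return findings.map((f) => {
    const tag = f.kind === 'deprecation' ? 'WARN deprecated' : `FAIL ${f.severity}`;
    return `${tag} ${f.name}: ${f.detail}${f.url ? ` (${f.url})` : ''}`;
  });
}

// Constructed sample output (not captured from a real project); the progress
// line is there to show that non-JSON output is ignored.
const SAMPLE_AUDIT = [
  '➤ YN0000: Audit in progress (constructed sample line)',
  '{"value":"example-lib","children":{"ID":"GHSA-PLACEHOLDER","Issue":"Placeholder vulnerability in example-lib","Severity":"high","URL":"https://example.invalid/advisory/placeholder"}}',
  '{"value":"example-old-lib","children":{"ID":"DEPRECATION-PLACEHOLDER","Issue":"Deprecated: example-old-lib is no longer maintained","Severity":"moderate"}}',
  '',
].join('\n');

const warnOnDeprecated = process.argv.includes('--warn-on-deprecated');
if (process.argv.includes('--stdin')) {
  // Real use: pipe `yarn npm audit --all --recursive --json` into this script.
  const findings = parseAudit(require('fs').readFileSync(0, 'utf8'));
  formatReport(findings).forEach((l) => console.log(l));
  process.exitCode = decideExitCode(findings, { warnOnDeprecated });
} else {
  // Demo on the constructed sample: print the report and the exit code the policy would return.
  const findings = parseAudit(SAMPLE_AUDIT);
  formatReport(findings).forEach((l) => console.log(l));
  console.log(`would exit with ${decideExitCode(findings, { warnOnDeprecated })}`);
}
```

Wired into a project as `yarn npm audit --all --recursive --json | node audit-policy.js --stdin --warn-on-deprecated`, the pipeline keeps deprecations visible in every run while only a vulnerability turns the step red; drop `--warn-on-deprecated` to get today's strict behaviour. Because the classification lives in one place (`parseAuditLine`), adapting it to the real record shape is a one-function change.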