IBM / audit-ci

Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Apache License 2.0

Support Yarn v4 #332

Open mistaecko opened 1 month ago

mistaecko commented 1 month ago

Running audit-ci with yarn 4.1.1 is broken, and does not report vulnerabilities at all.

It seems that v4 introduced major changes to the json output format of yarn npm audit that break audit-ci.

Example output in a project with vulnerabilities:

$ npx audit-ci
audit-ci version: 6.6.1
Yarn Berry audit report results:
undefined
undefined
[truncated]
undefined
undefined
Passed yarn security audit.

I updated one of the existing tests in test/yarn-berry-moderate to use yarn 4, and it (obviously) fails.

quinnturner commented 1 month ago

I am definitely interested in supporting this. I have some draft PRs that touch on adding test cases. I hope to release support in audit-ci v7.

quinnturner commented 4 weeks ago

After further investigation, Yarn v4 seems to support many of audit-ci's features directly: documentation on yarn npm audit.

With the recently released audit-ci v7, I decided not to support Yarn v4 out of the gate because I wanted to see feedback from the community before investing the time into supporting it.

The main functional gap in Yarn v4's implementation is that it doesn't support audit-ci's `NSPRecord` feature, which allows you to set advisories' expiry.

In the meantime, I've documented that Yarn v4 is not supported in the README. Accordingly, I am removing the bug label.

If you're still interested in supporting it, let me know!

hwo411 commented 4 weeks ago

+1 for this

quinnturner commented 4 weeks ago

@hwo411 I am open to supporting it, it's not a ton of work. Have you tried using Yarn v4's native audit management with allowlists? If you have and you have found a gap that audit-ci fills well, I am interested!

mistaecko commented 3 weeks ago

@quinnturner I haven't explored yarn 4's npm audit in detail yet. What immediately stood out to me though was the lack of a file-based configuration and ignore list. Of course, creating a wrapper script around the native yarn audit which provides that functionality is not a huge lift, but still something that needs to be documented, maintained, and published (or copy/pasted ugh).

audit-ci provides a nice abstraction across different package managers (and their versions). It enables a consistent mechanism to configure and manage audits in an org with a large number of repos that are - for various reasons - using different package managers and versions.
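The wrapper described above, sketched as an added example that is not audit-ci's code nor anything from this thread: a small CI gate over newline-delimited `yarn npm audit --json` output with a severity threshold and a file-style allowlist whose entries can expire (the `NSPRecord` idea mentioned earlier). The per-line record shape (`value`, `children.ID`, `children.Severity`, `children.URL`) and the sample advisories are assumptions constructed for illustration, not a documented Yarn contract.

```javascript
// Added example, not audit-ci's own code: a minimal CI gate over "yarn npm audit --json"
// output with a threshold and an allowlist whose entries can expire.
// The per-line record shape below is an ASSUMPTION for illustration, not a documented
// Yarn contract; confirm it against the Yarn version you actually run.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: two advisories, newline-delimited JSON, one object per line.
const SAMPLE_AUDIT = [
  '{"value":"left-pad","children":{"ID":1001,"Severity":"moderate","URL":"https://example.invalid/1001"}}',
  '{"value":"lodash","children":{"ID":1002,"Severity":"high","URL":"https://example.invalid/1002"}}',
].join("\n");

// Parse one advisory per line. A malformed line throws: failing closed is safer than
// printing "undefined" and passing the build.
function parseAuditLines(text) {
  return text.split("\n").filter((l) => l.trim()).map((line, i) => {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { throw new Error(`line ${i + 1}: not JSON`); }
    const c = rec.children || {};
    return { pkg: rec.value, id: String(c.ID), severity: String(c.Severity || "").toLowerCase(), url: c.URL };
  });
}

// Allowlist entry: { id: 1001, expiry: "2030-01-01" } (expiry optional, ISO date).
// An expired entry no longer suppresses its advisory.
function isAllowlisted(finding, allowlist, now) {
  return allowlist.some((e) => String(e.id) === finding.id && (!e.expiry || new Date(e.expiry) > now));
}

// Returns { pass, blocking, total }. Unknown severities are ranked above critical so
// a renamed field or a new level blocks the build instead of slipping through.
function gate(auditText, config, now = new Date()) {
  const threshold = SEVERITY_RANK[config.threshold] ?? 0;
  const findings = parseAuditLines(auditText);
  const blocking = findings.filter((f) =>
    (SEVERITY_RANK[f.severity] ?? 99) >= threshold && !isAllowlisted(f, config.allowlist || [], now));
  return { pass: blocking.length === 0, blocking, total: findings.length };
}

// Demo run against the constructed sample with a moderate threshold.
const demo = gate(SAMPLE_AUDIT, { threshold: "moderate", allowlist: [{ id: 1001, expiry: "2030-01-01" }] });
console.log(demo.pass ? "Passed audit." : `Failing: ${demo.blocking.map((f) => `${f.pkg} (${f.id})`).join(", ")}`);
```

In a pipeline the allowlist would be read from a checked-in JSON file and the audit text piped in from the package manager, with a non-zero exit when `pass` is false.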

hwo411 commented 3 weeks ago

@quinnturner thanks!

It's very well explained by @mistaecko what the downsides of npm audit/yarn audit are. I think it's quite inconvenient if you need to switch the tool if you decide to start with or migrate to yarn v4, and you need to implement missing features yourself.