Open mistaecko opened 1 month ago
I am definitely interested in supporting this. I have some draft PRs that touch on adding test cases. I hope to release support in `audit-ci` v7.
After further investigation, Yarn v4 seems to support many of `audit-ci`'s features directly: documentation on `yarn npm audit`.
With the recently released `audit-ci` v7, I decided not to support Yarn v4 out of the gate because I wanted to see feedback from the community before investing the time into supporting it.
The main functional gap in Yarn v4's implementation is that it doesn't support `audit-ci`'s `NSPRecord` feature, which allows you to set advisories' expiry.
In the meantime, I've documented that Yarn v4 is not supported in the README. Accordingly, I am removing the bug label.
If you're still interested in supporting it, let me know!
+1 for this
@hwo411 I am open to supporting it, it's not a ton of work. Have you tried using Yarn v4's native audit management with allowlists? If you have and you have found a gap that `audit-ci` fills well, I am interested!
@quinnturner I haven't explored yarn 4's `npm audit` in detail yet. What immediately stood out to me though was the lack of a file-based configuration and ignore list. Of course, creating a wrapper script around the native yarn audit which provides that functionality is not a huge lift, but still something that needs to be documented, maintained, and published (or copy/pasted ugh).
`audit-ci` provides a nice abstraction across different package managers (and their versions). It enables a consistent mechanism to configure and manage audits in an org with a large number of repos that are - for various reasons - using different package managers and versions.
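As an added illustration of the wrapper idea in the comment above (not code from the thread or from the `audit-ci` project), the script below filters native `yarn npm audit --json` output through a file-style allowlist with expiry dates, which is the `NSPRecord`-like gap the maintainer mentioned. It assumes Yarn 4 emits one JSON object per line shaped like `{"value": "<package>", "children": {"ID": ..., "Severity": ...}}`; the sample lines, severities and allowlist are constructed, so check the shape against real output before relying on it.

```javascript
// Assumed Yarn 4 NDJSON shape (verify against your own `yarn npm audit --json`):
// {"value":"<pkg>","children":{"ID":<number>,"Severity":"<level>","Issue":"..."}}
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON into advisory records; blank or non-JSON lines are skipped.
function parseAuditNdjson(text) {
  const records = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let obj;
    try { obj = JSON.parse(line); } catch { continue; }
    const c = obj.children || {};
    records.push({
      pkg: obj.value,
      id: String(c.ID),
      severity: String(c.Severity || "info").toLowerCase(),
    });
  }
  return records;
}

// allowlist entries: { id, expiry? } where expiry is an ISO date; no expiry means permanent.
// Returns advisories that should fail the build and allowlist entries that have lapsed.
function evaluate(records, allowlist, minSeverity, now = new Date()) {
  const threshold = SEVERITY_RANK[minSeverity];
  const active = new Set(
    allowlist.filter(e => !e.expiry || new Date(e.expiry) > now).map(e => String(e.id)),
  );
  const expired = allowlist
    .filter(e => e.expiry && new Date(e.expiry) <= now)
    .map(e => String(e.id));
  const failing = records.filter(
    r => (SEVERITY_RANK[r.severity] || 0) >= threshold && !active.has(r.id),
  );
  return { failing, expired };
}

// Constructed sample output and allowlist, not captured from a real project.
const SAMPLE = [
  '{"value":"lodash","children":{"ID":1234,"Severity":"high","Issue":"Prototype pollution"}}',
  '{"value":"minimist","children":{"ID":5678,"Severity":"moderate","Issue":"Prototype pollution"}}',
  '{"value":"semver","children":{"ID":9012,"Severity":"low","Issue":"ReDoS"}}',
].join("\n");
const ALLOWLIST = [{ id: 1234, expiry: "2099-01-01" }, { id: 5678, expiry: "2024-01-01" }];

// Fixed "now" so the demo is deterministic: 5678's exception has lapsed, 1234's is still valid.
const result = evaluate(parseAuditNdjson(SAMPLE), ALLOWLIST, "moderate", new Date("2024-06-01"));
console.log(JSON.stringify(result)); // minimist fails; allowlist entry 5678 reported as expired
```

In CI you would pipe `yarn npm audit --json` into `parseAuditNdjson` and exit non-zero when `failing` is non-empty, with `expired` surfaced as a warning so lapsed exceptions get re-reviewed.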
@quinnturner thanks!
It's very well explained by @mistaecko what the downsides of `npm audit`/`yarn audit` are. I think it's quite inconvenient if you need to switch the tool if you decide to start with or migrate to yarn v4 + you need to implement missing features yourself.
Running `audit-ci` with `yarn 4.1.1` is broken, and does not report vulnerabilities at all. It seems that v4 introduced major changes to the json output format of `yarn npm audit` that break `audit-ci`. Example output in a project with vulnerabilities:
I updated one of the existing tests in `test/yarn-berry-moderate` to use yarn 4, and it (obviously) fails.