antongolub / yarn-audit-fix

The missing `yarn audit fix`
MIT License

yarn-audit-fix incorrectly reports "Audit check found no issues" #294

Open aaronmccall opened 1 year ago

aaronmccall commented 1 year ago

When I run npx yarn-audit-fix from the root of my project I see the following output:

~/Projects/phytochrome-web-ui [fix/230530_audit-deps-updates L|✚ 2⚑ 4] 
13:37 $ npx yarn-audit-fix
Resolve bins
Runtime digest

  isMonorepo false
  bins 
    yarn yarn
    npm npm

  versions 
    node v16.16.0
    npm 8.11.0
    yarn 1.22.19
    yaf 9.3.10
    yafLatest 9.3.10

  temp /Users/aaronmccall/Projects/phytochrome-web-ui/node_modules/.cache/yarn-audit-fix/735b3b381d052b6a3384e038fcde4204
  cwd /Users/aaronmccall/Projects/phytochrome-web-ui
  flags 
    flow patch
    npm-path system
    dry-run true

Verifying package structure...
Preparing temp assets...
Patching yarn.lock with audit data...
invoke yarn audit --json
Audit check found no issues
Installing deps update...
invoke yarn install --update-checksums
yarn install v1.22.19
[1/4] 🔍  Resolving packages...
warning Resolution field "ramda@0.28.0" is incompatible with requested version "ramda@^0.27.2"
warning Resolution field "ramda@0.28.0" is incompatible with requested version "ramda@^0.27.1"
success Already up-to-date.
✨  Done in 0.52s.
Done

When I run yarn audit, I see (snipped for brevity):

41 vulnerabilities found - Packages audited: 1687
Severity: 6 Moderate | 34 High | 1 Critical
✨  Done in 2.08s.

P.S. I updated node/npm to v18.16.0/v9.5.1 and had the same result.

antongolub commented 1 year ago

Hey, @aaronmccall,

Could you attach a minimal pkg.json and yarn.lock which reproduces the issue?

aaronmccall commented 1 year ago

Sure thing, @antongolub. See attached. package-redacted.json.txt yarn.lock.txt

stereodenis commented 11 months ago

same issue for me