Closed marina-mosti closed 1 year ago
Hi @marina-mosti
So far I've been unable to reproduce this vulnerability report.
Can you please confirm what version of `yarn` you were using when you performed this `yarn audit`? Any other additional reproduction steps you can provide would also be useful for us to know in order to reproduce and investigate this.
Hey @mclack, thanks for the reply. Yeah, I'm not entirely sure what `yarn audit` is doing internally, but I just ran it directly on your codebase and it definitely doesn't show up. However, if you run `npm audit` you can see it:
Hi @marina-mosti
After investigating this some more, the vulnerability seems to come from a dependency of a dev dependency (Jest). This means that it won't get installed or used when installing the source-maps package using `npm install @bugsnag/source-maps`.
I imagine you’re seeing this by cloning our repo and installing all of the dependencies including the dev dependencies, which wouldn’t usually get installed.
As this is not a vulnerability that should be affecting any users using the library, this probably isn’t something we’ll be able to update too soon. However, it is on our radar that there are some dependencies we want to fix.
I hope that all makes sense. Please let us know if you have any other questions, otherwise we will close this issue out for the time being.
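The distinction drawn above (a finding that is only reachable through a devDependency such as Jest versus one a consumer of the package would actually install) can be checked mechanically. The following is an added example, not code from the bugsnag/source-maps project: it walks a simplified, hoisted npm lockfile model and classifies a package as reachable from production dependencies, reachable only via devDependencies, or absent. The lockfile contents and version numbers are constructed for illustration.

```javascript
// Constructed sample in the shape of an npm lockfile v2/v3 "packages" map.
// Names other than jest / read-pkg-up / read-pkg and all versions are hypothetical.
// This model assumes a flat (hoisted) node_modules; nested copies are not handled.
const SAMPLE_LOCK = {
  packages: {
    "": {
      dependencies: { "example-runtime-dep": "1.0.0" },
      devDependencies: { jest: "26.0.0" },
    },
    "node_modules/example-runtime-dep": { version: "1.0.0", dependencies: {} },
    "node_modules/jest": { version: "26.0.0", dependencies: { "read-pkg-up": "7.0.1" } },
    "node_modules/read-pkg-up": { version: "7.0.1", dependencies: { "read-pkg": "5.2.0" } },
    "node_modules/read-pkg": { version: "5.2.0", dependencies: {} },
  },
};

// Depth-first walk from a set of root dependency names; returns every package
// name reached through the lockfile's per-package "dependencies" maps.
function reachable(lock, rootDeps) {
  const seen = new Set();
  const stack = Object.keys(rootDeps || {});
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = lock.packages[`node_modules/${name}`];
    if (entry) stack.push(...Object.keys(entry.dependencies || {}));
  }
  return seen;
}

// "prod": a consumer installing this package gets the target too.
// "dev-only": only reachable through devDependencies, so only present when
//             the repository itself is cloned and installed with dev deps.
// "absent": not in the tree at all.
function classify(lock, target) {
  const root = lock.packages[""];
  if (reachable(lock, root.dependencies).has(target)) return "prod";
  if (reachable(lock, root.devDependencies).has(target)) return "dev-only";
  return "absent";
}
```

For a real lockfile, `JSON.parse` the file and pass the resulting object as `lock`; a "dev-only" result for the package named in an audit finding means consumers of the library are not exposed to it.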
Hi @mclack. Thanks so much for taking the time to investigate. I'm truly surprised at the false positive from `yarn audit` and the gap between its report and that of the `npm audit` tool.
Describe the bug
The `read-pkg-up` version used for this lib has a deep dep that currently has a moderate warning for possible DOS. Any chance you can update it? :) The latest versions use `read-pkg` 5+ which seems to have a more recent version without the issue.
Steps to reproduce
`yarn audit`
Environment
Example Repo
Example code snippet
Error messages: