Closed balovbohdan closed 1 year ago
Thanks @balovbohdan for the report. Can you please provide the package.json and yarn.lock files? Remove anything that is sensitive; I am only interested in the dependency sections.
Added package.json to the issue description. So, what about yarn.lock? It is rather long. Maybe it is possible to generate it using the package.json I attached?
@balovbohdan it is possible, but it will not be your lock file. Maybe the issue will be there, maybe not.
@balovbohdan I just noticed that you are using Yarn v2. It is not supported yet by this package. I am planning to work on it soon though. I will keep your issue open and report back to you when it is done ;)
I see. Thanks.
If there is not much difference for you for now, then you can switch to v1 by yarn set version latest. ;)
I'm also working on a migration task from yarn v1 to yarn v2. So this is not a big blocker ATM. But there are some useful features in yarn v2, and it would be great to have access to them.
Understandable. OK, sure. I will get back to you soonish (technically it should not be difficult to support, it's just my own time management issue. Will do my best to fix it ASAP) ;)
Cool. Thanks a lot.
The function below should do the trick. It seems the new yarn npm audit output is on one line for the example I have, and there is a new way to access the same report information.
const parseAdvisoryYarn2 = (auditAdvisory) => {
  // yarn v2 `yarn npm audit --json` returns a single object whose `advisories`
  // map is keyed by advisory id; each advisory carries its own `findings`
  const advisoryKeys = Object.keys(auditAdvisory.advisories);
  const vulnerabilities = {};
  advisoryKeys.forEach((advisoryKey) => {
    const advisory = auditAdvisory.advisories[advisoryKey];
    advisory.findings.forEach((finding) => {
      const version = finding.version;
      // same module@version.CWE key that the yarn v1 path produces
      const key = `${advisory.module_name}@${version}.${advisory.cwe}`;
      advisory.key = key;
      advisory.version = finding.version;
      // first finding for a key wins; later findings with the same key are dropped
      if (!(key in vulnerabilities)) {
        advisory.paths = finding.paths;
        vulnerabilities[key] = { ...advisory };
      }
    });
  });
  // deduplicate the dependency paths of every vulnerability
  Object.entries(vulnerabilities).forEach(([key, vulnerability]) => {
    vulnerabilities[key].paths = Array.from(new Set(vulnerability.paths));
  });
  return Object.values(vulnerabilities);
};
I added a likely faulty else if(...) statement in index.js:
else if (lines.length === 1 && lines[0].trim().replace(/\s/g, '') !== '') {
  // a single non-empty line means the yarn v2 report: one JSON object.
  // `lines` is an array of strings, so parse the one line (the original
  // used `lines.toJSON()`, which arrays do not have)
  const tick = JSON.parse(lines[0]);
  const newVulnerabilities = parseAdvisoryYarn2(tick);
  newVulnerabilities.forEach((newVulnerability) => {
    const key = newVulnerability.key;
    if (!vulnerabilities.has(key)) {
      vulnerabilities.set(key, newVulnerability);
    }
  });
  // the v2 report carries the summary under `metadata`
  summary = tick.metadata;
}
Example report
It would be best to try parsing the file contents first and evaluating the resulting object to determine which decoder to use for backwards compatibility, I believe, but I have a very limited example to go from.
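As an added example (not code from this thread or from the project), here is the "parse first, then pick the decoder" approach suggested in the comment above, handling both the yarn v1 NDJSON dump (one tagged record per line) and the yarn v2 single-object dump. The record and advisory field names follow the npm audit response shape that parseAdvisoryYarn2 reads (advisories, findings, module_name, cwe, metadata); that shape, and the two sample reports, are assumptions constructed for this example. Unlike the thread's parser, it unions the dependency paths of findings that share a key instead of dropping later ones, and it never mutates the input objects.

```javascript
'use strict';

// Added example, not the project's code. Detects the audit dump format and
// normalizes both into one list keyed by module@version.CWE.
// Assumed shapes (only the fields the thread reads are confirmed):
//   yarn v1: NDJSON, one {"type": "auditAdvisory"|"auditSummary", "data": ...} per line
//   yarn v2: one npm-audit-style object {"advisories": {id: ...}, "metadata": ...}

function vulnerabilityKey(advisory, version) {
  return `${advisory.module_name}@${version}.${advisory.cwe}`;
}

// Merge one advisory into the map; paths for the same key are unioned, not
// dropped, so a package reached through several dependency chains keeps all of them.
function addAdvisory(vulnerabilities, advisory) {
  for (const finding of advisory.findings || []) {
    const key = vulnerabilityKey(advisory, finding.version);
    const entry = vulnerabilities.get(key);
    if (entry) {
      for (const p of finding.paths || []) entry.paths.add(p);
      continue;
    }
    const { findings, ...rest } = advisory; // copy; never mutate the input object
    vulnerabilities.set(key, { ...rest, key, version: finding.version, paths: new Set(finding.paths || []) });
  }
}

function parseYarn1Lines(lines) {
  const vulnerabilities = new Map();
  let summary = null;
  for (const line of lines) {
    const record = JSON.parse(line);
    if (record.type === 'auditAdvisory') addAdvisory(vulnerabilities, record.data.advisory);
    else if (record.type === 'auditSummary') summary = record.data;
    // other record types (info, warning) carry no vulnerability data and are skipped
  }
  return { format: 'yarn1', vulnerabilities, summary };
}

function parseYarn2Object(report) {
  const vulnerabilities = new Map();
  for (const advisory of Object.values(report.advisories || {})) {
    addAdvisory(vulnerabilities, advisory);
  }
  return { format: 'yarn2', vulnerabilities, summary: report.metadata || null };
}

function finalize({ format, vulnerabilities, summary }) {
  const list = [...vulnerabilities.values()].map((v) => ({ ...v, paths: [...v.paths].sort() }));
  return { format, summary, vulnerabilities: list };
}

// Parse the whole text first: a v2 dump is a single JSON document (pretty-printed
// or not), while a multi-line v1 dump is not valid JSON and falls through to
// line-by-line parsing. A one-line v1 dump parses but is recognized by its "type" field.
function parseAudit(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l !== '');
  if (lines.length === 0) return finalize({ format: 'empty', vulnerabilities: new Map(), summary: null });

  let whole = null;
  try { whole = JSON.parse(text); } catch (err) { whole = null; }

  if (whole && typeof whole === 'object' && !Array.isArray(whole)) {
    if ('advisories' in whole) return finalize(parseYarn2Object(whole));
    if ('type' in whole) return finalize(parseYarn1Lines(lines));
    throw new Error('unrecognized audit report: neither "advisories" nor "type" present');
  }
  return finalize(parseYarn1Lines(lines));
}

// Constructed sample data for this example (not real audit output).
const LODASH = { id: 1065, module_name: 'lodash', cwe: 'CWE-400', severity: 'high', title: 'Prototype Pollution',
  findings: [{ version: '4.17.11', paths: ['lodash', 'some-dep>lodash', 'lodash'] }] };
const MINIMIST = { id: 1179, module_name: 'minimist', cwe: 'CWE-471', severity: 'low', title: 'Prototype Pollution',
  findings: [{ version: '0.0.8', paths: ['mkdirp>minimist'] }, { version: '1.2.0', paths: ['minimist'] }] };
const METADATA = { vulnerabilities: { info: 0, low: 2, moderate: 0, high: 1, critical: 0 }, totalDependencies: 4 };

// yarn v1 repeats the full advisory once per resolution path, hence the duplicate records
const SAMPLE_YARN1 = [
  { type: 'auditAdvisory', data: { resolution: { id: 1065, path: 'lodash' }, advisory: LODASH } },
  { type: 'auditAdvisory', data: { resolution: { id: 1065, path: 'some-dep>lodash' }, advisory: LODASH } },
  { type: 'auditAdvisory', data: { resolution: { id: 1179, path: 'mkdirp>minimist' }, advisory: MINIMIST } },
  { type: 'auditAdvisory', data: { resolution: { id: 1179, path: 'minimist' }, advisory: MINIMIST } },
  { type: 'auditSummary', data: METADATA },
].map((r) => JSON.stringify(r)).join('\n') + '\n';

const SAMPLE_YARN2 = JSON.stringify({ actions: [], advisories: { 1065: LODASH, 1179: MINIMIST }, muted: [], metadata: METADATA });

if (typeof require !== 'undefined' && require.main === module) {
  for (const sample of [SAMPLE_YARN1, SAMPLE_YARN2]) {
    const { format, vulnerabilities, summary } = parseAudit(sample);
    console.log(format, summary.vulnerabilities, vulnerabilities.map((v) => `${v.key} via ${v.paths.join(', ')}`));
  }
}
```

Both samples normalize to the same three keys (lodash@4.17.11.CWE-400, minimist@0.0.8.CWE-471, minimist@1.2.0.CWE-471), which is the property a report generator needs: the rendering code never has to know which yarn produced the dump.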
Thanks @briggsge. As per your suggestion I am planning to release (soon) support for all stable yarn versions. So kudos to you.
Newly released version 6.1.0 already supports yarn v1+
Yarn version: 2.4.2
Command:
Error:
package.json