
Fails to generate report with Yarn 2 #32

Closed balovbohdan closed 1 year ago

balovbohdan commented 3 years ago

Yarn version: 2.4.2

Command:

yarn audit --json --environment production | yarn dlx yarn-audit-html --output audit/yarn-audit.html

Error:

Screenshot 2021-07-19 at 13 46 54

package.json

{
  "name": "app",
  "version": "0.0.1",
  "description": "app",
  "scripts": {
    "start": "webpack serve --progress --env development"
  },
  "jest-junit": {
    "outputDirectory": "reports/test",
    "outputName": "junit.xml"
  },
  "moduleRoots": [
    "src"
  ],
  "license": "UNLICENSED",
  "engines": {
    "node": ">=14.5.0"
  },
  "devDependencies": {
    "@babel/core": "^7.11.6",
    "@babel/eslint-parser": "^7.11.5",
    "@babel/plugin-proposal-export-default-from": "^7.12.13",
    "@babel/preset-env": "^7.14.2",
    "@babel/preset-react": "^7.13.13",
    "@commitlint/cli": "^12.1.4",
    "@commitlint/config-conventional": "^12.1.4",
    "@types/react": "^16.9.19",
    "azure-storage": "^2.10.3",
    "babel-jest": "^26.1.0",
    "babel-loader": "^8.2.2",
    "babel-plugin-transform-react-remove-prop-types": "^0.4.24",
    "concurrently": "^6.2.0",
    "copy-webpack-plugin": "^9.0.0",
    "css-loader": "^5.2.6",
    "cssnano": "^5.0.4",
    "dotenv": "^10.0.0",
    "enzyme": "^3.11.0",
    "enzyme-adapter-react-16": "^1.15.6",
    "enzyme-to-json": "^3.6.2",
    "eslint": "^7.27.0",
    "eslint-config-airbnb": "^18.2.1",
    "eslint-import-resolver-webpack": "^0.13.1",
    "eslint-plugin-compat": "^3.9.0",
    "eslint-plugin-graphql": "^4.0.0",
    "eslint-plugin-import": "^2.23.3",
    "eslint-plugin-jest": "^24.3.6",
    "eslint-plugin-json": "^3.0.0",
    "eslint-plugin-jsx-a11y": "^6.4.1",
    "eslint-plugin-react": "^7.23.2",
    "eslint-plugin-react-hooks": "^4.2.0",
    "eslint-plugin-unicorn": "^33.0.1",
    "html-webpack-plugin": "^5.3.1",
    "husky": "^6.0.0",
    "identity-obj-proxy": "^3.0.0",
    "jest": "^27.0.4",
    "jest-junit": "^12.1.0",
    "jest-localstorage-mock": "^2.4.13",
    "jest-transform-graphql": "^2.1.0",
    "mini-css-extract-plugin": "^1.6.0",
    "npmlog": "^4.1.2",
    "postcss": "^8.3.0",
    "postcss-import": "^14.0.2",
    "postcss-loader": "^6.1.0",
    "postcss-preset-env": "^6.7.0",
    "style-loader": "^2.0.0",
    "stylelint": "^13.13.1",
    "stylelint-config-css-modules": "^2.2.0",
    "stylelint-config-standard": "^22.0.0",
    "stylelint-no-unsupported-browser-features": "^5.0.1",
    "terser-webpack-plugin": "^5.1.3",
    "webpack": "^5.38.1",
    "webpack-cli": "^4.7.0",
    "webpack-deadcode-plugin": "^0.1.14",
    "webpack-dev-server": "^4.0.0-beta.3",
    "webpack-dotenv-plugin": "^2.1.0",
    "yarn-deduplicate": "^3.1.0"
  },
  "dependencies": {
    "@apollo/client": "^3.3.20",
    "axios": "^0.21.1",
    "classnames": "^2.2.6",
    "core-js": "^3.13.0",
    "coveralls": "^3.0.6",
    "graphql": "^15.5.0",
    "graphql-tag": "^2.10.3",
    "history": "^4.10.1",
    "minicat": "^1.0.0",
    "moment": "^2.24.0",
    "prop-types": "^15.7.2",
    "qs": "^6.7.0",
    "ramda": "^0.27.1",
    "react": "^16.14.0",
    "react-dom": "^16.14.0",
    "react-redux": "^7.1.3",
    "react-router-dom": "^5.2.0",
    "redux": "^4.0.5",
    "redux-form": "^8.3.0",
    "redux-thunk": "^2.3.0",
    "url-regex": "^5.0.0",
    "uuid": "^8.3.2",
    "validator": "^13.6.0"
  },
  "resolutions": {
    "typescript": "*",
    "react-with-direction": "*",
    "@babel/runtime": "*"
  }
}
davityavryan commented 3 years ago

Thanks @balovbohdan for the report. Can you please provide your package.json and yarn.lock files? Remove anything that is sensitive; I am only interested in the dependency sections.

balovbohdan commented 3 years ago

Thanks @balovbohdan for the report. Can you please provide your package.json and yarn.lock files? Remove anything that is sensitive; I am only interested in the dependency sections.

Added package.json to the issue description. What about yarn.lock? It is rather long. Maybe it is possible to generate it from the package.json I attached?

davityavryan commented 3 years ago

@balovbohdan it is possible, but it will not be your lock file. Maybe the issue will be there, maybe not.

davityavryan commented 3 years ago

@balovbohdan I just noticed that you are using Yarn v2. It is not supported yet by this package. I am planning to work on it soon though; I will keep your issue open and report back when it is done ;)

balovbohdan commented 3 years ago

@balovbohdan I just noticed that you are using Yarn v2. It is not supported yet by this package. I am planning to work on it soon though; I will keep your issue open and report back when it is done ;)

I see. Thanks.

davityavryan commented 3 years ago

If there is not much difference for you for now, you can switch to v1 with yarn set version latest. ;)

balovbohdan commented 3 years ago

If there is not much difference for you for now, you can switch to v1 with yarn set version latest. ;)

I'm also working on a migration task from yarn v1 to yarn v2, so this is not a big blocker ATM. But there are some useful features in yarn v2, and it would be great to have access to them 😃

davityavryan commented 3 years ago

I'm also working on a migration task from yarn v1 to yarn v2, so this is not a big blocker ATM. But there are some useful features in yarn v2, and it would be great to have access to them 😃

Understandable, ok sure. I will get back to you soonish (technically it should not be difficult to support; it's just my own time management issue. Will do my best to fix it ASAP) ;)

balovbohdan commented 3 years ago

I'm also working on a migration task from yarn v1 to yarn v2, so this is not a big blocker ATM. But there are some useful features in yarn v2, and it would be great to have access to them 😃

Understandable, ok sure. I will get back to you soonish (technically it should not be difficult to support; it's just my own time management issue. Will do my best to fix it ASAP) ;)

Cool. Thanks a lot.

briggsge commented 2 years ago

The function below should do the trick. It seems the new yarn npm audit output is a single line for the example I have, and there is a new way to access the same report information.

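/**
 * Flatten a Yarn 2+ (`yarn npm audit --json`) advisory document into one
 * vulnerability record per distinct module/version/CWE combination.
 *
 * Presumably the input is the parsed JSON object whose `advisories` map holds
 * entries with `module_name`, `cwe` and a `findings` array of
 * `{ version, paths }` — that is the shape the example above relies on;
 * confirm against a real report.
 *
 * @param {object} auditAdvisory - parsed audit document; `advisories` may be absent
 * @returns {object[]} copies of each advisory, extended with `key`, `version`
 *   and a de-duplicated `paths` array; the first finding seen for a key wins
 */
const parseAdvisoryYarn2 = (auditAdvisory) => {
    // A Map keyed by report-derived strings can never collide with
    // Object.prototype members the way `key in plainObject` could.
    const byKey = new Map();
    const advisories = auditAdvisory?.advisories ?? {};

    for (const advisory of Object.values(advisories)) {
        for (const finding of advisory.findings ?? []) {
            const version = finding.version;
            const key = `${advisory.module_name}@${version}.${advisory.cwe}`;

            // Later findings that resolve to an already-seen key are dropped.
            if (byKey.has(key)) {
                continue;
            }

            // Build a fresh record rather than writing key/version/paths onto
            // the caller's advisory object.
            byKey.set(key, {
                ...advisory,
                key,
                version,
                // Set removes repeated dependency paths; a missing `paths` yields [].
                paths: [...new Set(finding.paths ?? [])],
            });
        }
    }

    return [...byKey.values()];
};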

I added a likely faulty else if (...) branch in index.js

// Fragment of an if/else-if chain in index.js; the preceding `if` is not shown.
// Intended for the Yarn 2+ case, where the whole audit JSON arrives as a single
// non-blank line (see the comment above) rather than the multi-line output the
// earlier branch presumably handles.
else if (lines.length === 1 && lines[0].trim().replace(/\s/g, '') !== '') {
  // NOTE(review): `lines` is indexed and measured like an array of strings here,
  // and arrays have no `toJSON` method, so this call would throw — presumably
  // `JSON.parse(lines[0])` was meant; confirm before relying on this branch.
  const tick = lines.toJSON();

  const newVulnerabilities = parseAdvisoryYarn2(tick);

  // `vulnerabilities` is used as a Map-like (`.has`/`.set`) collection; the
  // first record seen for a key is kept and later duplicates are ignored.
  newVulnerabilities.forEach((newVulnerability) => {
      const key = newVulnerability.key;

      if (!vulnerabilities.has(key)) {
          vulnerabilities.set(key, newVulnerability);
      }
  });

  // Presumably the report's top-level `metadata` object; its shape is not shown here.
  summary = tick.metadata;
}

Example report

image

It would be best to parse the file contents first and inspect the resulting object to decide which decoder to use, for backwards compatibility, but I have a very limited example to go from.

davityavryan commented 1 year ago

The function below should do the trick. It seems the new yarn npm audit output is a single line for the example I have, and there is a new way to access the same report information.

Thanks @briggsge. As per your suggestion I am planning to release (soon) support for all stable yarn versions. So kudos to you 🙃

davityavryan commented 1 year ago

Newly released version 6.1.0 already supports yarn v1+