lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
781 stars 35 forks

getting error on build ci/cd #79

Closed JustFly1984 closed 4 years ago

JustFly1984 commented 4 years ago
yarn run v1.22.4
$ lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https
detected invalid host(s) for package: request@cypress-io/request#b5af0d1fa47eec97ba980cde90a13e69a2afcd16
    expected: registry.yarnpkg.com
    actual: codeload.github.com

error: command failed with exit code 1 

error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
##[error]Process completed with exit code 1.

Is it a false positive? How can I fix it? I have tried to clear the cache and node_modules and regenerate yarn.lock.

Our build pipeline is broken. Please provide advice.

lirantal commented 4 years ago

hmm, interesting. Can you share the lockfile that caused this so we can test?

lirantal commented 4 years ago

@JustFly1984 if I have to assume, it seems like you have a package there installed from github directly, whereas in the hosts you are only allowing packages fetched from the yarn registry mirror. Is this what is happening?

If you wanted to whitelist all of github as a trusted source of packages:

lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https
JustFly1984 commented 4 years ago

I got the solution, but I do not consider github a safe source of direct dependencies at this moment. The issue is that I would not like dependencies of subdependencies to be sourced from github directly. It is suspicious that cypress has this published in version 4.2.0. I've cross-linked issues in the cypress repo.

lirantal commented 4 years ago

So it sounds like you indeed found a situation with that dependency, and it is best to check with its direct parent. Can you share the github issue link? I'll be happy to follow up on it and also get the context for it.

XhmikosR commented 4 years ago

https://github.com/cypress-io/cypress/issues/6785

@lirantal I think you can close the issue 🙂

lirantal commented 4 years ago

Yes indeed, thanks for the ping @XhmikosR 🙏