Closed kylewillmon closed 11 months ago
The issue found in #1285 also exists for yarn v1 lockfiles.
```json
"@isaacs/cliui": "^8.0.2"
```

When using yarn v1, this incorrectly finds a dependency named `strip-ansi-cjs`.

```
> yarn --version
1.22.21
> yarn install
[ ... SNIP ... ]
> phylum parse | jq '.[] | select(.name=="strip-ansi-cjs")'
{
  "name": "strip-ansi-cjs",
  "version": "6.0.1",
  "type": "npm",
  "lockfile": "yarn.lock"
}
```

Here is the relevant section from `yarn.lock`:

```
"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
  version "6.0.1"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
  dependencies:
    ansi-regex "^5.0.1"
```
Thanks to @dappelt for submitting phylum-dev/vuln-reach#67 and bringing this to my attention.
To make sure this doesn't come up again, I've tested pnpm and newer versions of yarn. Both of those lockfile parsers correctly handle this case.
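The root cause in the report is that the yarn v1 entry header `"strip-ansi-cjs@npm:strip-ansi@^6.0.1"` uses an `npm:` alias: the part before the first `@` is the alias name the consumer chose, while the real package is the one named after `npm:`. A dependency scanner that takes the alias as the package identity will look up vulnerabilities for a package that does not exist on the registry and miss the ones for `strip-ansi`. The following is an added example written for this issue, not code from the phylum CLI; it parses a constructed `yarn.lock` excerpt (the `strip-ansi` entry is the one from the report, the `@isaacs/cliui` entry uses placeholder `resolved`/`integrity` values) and shows the alias-unaware result beside the corrected one.

```python
"""Resolve real package names from yarn v1 lockfile entry headers,
including npm: aliases such as  strip-ansi-cjs@npm:strip-ansi@^6.0.1.
Added example for this issue; not the phylum CLI's own parser."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed yarn.lock excerpt. The strip-ansi entry is copied from the
# report; the @isaacs/cliui entry carries PLACEHOLDER hashes.
SAMPLE_YARN_LOCK = '''
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@isaacs/cliui@^8.0.2":
  version "8.0.2"
  resolved "https://registry.yarnpkg.com/@isaacs/cliui/-/cliui-8.0.2.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    strip-ansi-cjs "npm:strip-ansi@^6.0.1"

"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
  version "6.0.1"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
  dependencies:
    ansi-regex "^5.0.1"
'''


def split_key_specs(header: str) -> List[str]:
    """Split an entry header like  "a@npm:b@^1", a@^1.0.0, a@^1.0.1:
    into its individual specifiers, dropping quotes and the trailing colon."""
    body = header.rstrip().rstrip(":")
    return [s.strip().strip('"') for s in re.findall(r'"[^"]*"|[^,\s]+', body)]


def split_name_range(spec: str) -> Tuple[str, str]:
    """Split 'name@range'. The first '@' is skipped so scoped names such as
    '@isaacs/cliui@^8.0.2' keep their scope."""
    at = spec.find("@", 1)
    if at == -1:
        return spec, ""
    return spec[:at], spec[at + 1:]


def resolve_alias(name: str, rng: str) -> Tuple[str, str, Optional[str]]:
    """If the range is an npm: alias ('npm:strip-ansi@^6.0.1'), return the
    real package name and range plus the alias that pointed at it."""
    if rng.startswith("npm:"):
        real_name, real_range = split_name_range(rng[len("npm:"):])
        return real_name, real_range, name
    return name, rng, None


def parse_yarn_v1(text: str) -> List[Dict]:
    """Minimal yarn v1 reader: collects each entry's specifiers and version."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = {"specs": split_key_specs(line), "version": None}
            entries.append(current)
        elif current is not None:
            m = re.match(r'^  version "([^"]+)"\s*$', line)
            if m:
                current["version"] = m.group(1)
    return entries


def naive_names(entries: List[Dict]) -> List[str]:
    """Reproduces the reported defect: the name is whatever precedes the
    first '@' of the first specifier, so the alias leaks out as a package."""
    return sorted({split_name_range(e["specs"][0])[0] for e in entries})


def resolved_packages(entries: List[Dict]) -> List[Dict]:
    """Corrected behaviour: every specifier of an entry must resolve to the
    same real package name once npm: aliases are followed."""
    pkgs = []
    for e in entries:
        names = {resolve_alias(*split_name_range(s))[0] for s in e["specs"]}
        if len(names) != 1:
            raise ValueError(f"inconsistent package names in entry: {names}")
        pkgs.append({"name": names.pop(), "version": e["version"],
                     "type": "npm", "lockfile": "yarn.lock"})
    return pkgs


if __name__ == "__main__":
    parsed = parse_yarn_v1(SAMPLE_YARN_LOCK)
    print("alias-unaware:", naive_names(parsed))
    print("resolved:     ", [p["name"] for p in resolved_packages(parsed)])
```

The check that all specifiers of one entry resolve to a single real name is what makes the alias handling safe: yarn only merges specifiers into one header when they resolve to the same tarball, so a mismatch after alias resolution indicates a lockfile the parser does not understand rather than something to silently pick one name from.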