phylum-dev / cli

Command line interface for the Phylum API
https://phylum.io
GNU General Public License v3.0
103 stars, 11 forks

Yarn v1 renamed dependencies not handled correctly #1299

Closed kylewillmon closed 11 months ago

kylewillmon commented 11 months ago

The issue found in #1285 also exists for yarn v1 lockfiles.

    "@isaacs/cliui": "^8.0.2"

When using yarn v1, this incorrectly finds a dependency named strip-ansi-cjs.

    > yarn --version
    1.22.21
    > yarn install
    [ ... SNIP ... ]
    > phylum parse | jq '.[] | select(.name=="strip-ansi-cjs")'
    {
      "name": "strip-ansi-cjs",
      "version": "6.0.1",
      "type": "npm",
      "lockfile": "yarn.lock"
    }

Here is the relevant section from yarn.lock:

    "strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
      version "6.0.1"
      resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
      integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
      dependencies:
        ansi-regex "^5.0.1"

Thanks to @dappelt for submitting phylum-dev/vuln-reach#67 and bringing this to my attention.
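The header-parsing problem described above, as an added example that is not the Phylum CLI's own lockfile parser: a yarn v1 entry header lists one or more descriptors of the form `name@range`, and when the range starts with `npm:` the descriptor is an alias whose real package is the name inside the range. Taking the text before the first range separator (what `naive_name` below does) yields the alias `strip-ansi-cjs`; resolving the `npm:` target (`resolve_name`) yields `strip-ansi`, which is the package the lockfile actually resolved. The function names are hypothetical, the sample lockfile is constructed (only the `strip-ansi` entry is taken from the issue; the `@isaacs/cliui` and `scoped-alias` entries and their versions are made up to exercise scoped names and scoped alias targets), and the header splitter assumes descriptors never contain commas, which holds for semver ranges.

```rust
// Added example, not phylum-dev/cli code: resolve the real package name from
// yarn v1 lockfile entry headers, handling `alias@npm:real@range` descriptors.

#[derive(Debug, PartialEq, Eq, Clone)]
pub struct LockEntry {
    pub name: String,
    pub version: String,
}

/// Split `name@range` at the `@` separating the name from its range.
/// A leading `@` belongs to a scoped package name, so the search starts at index 1.
fn split_descriptor(descriptor: &str) -> (&str, &str) {
    match descriptor.get(1..).and_then(|rest| rest.find('@')) {
        Some(i) => (&descriptor[..i + 1], &descriptor[i + 2..]),
        None => (descriptor, ""),
    }
}

/// The buggy reading: the text before the range separator, i.e. the alias.
/// `strip-ansi-cjs@npm:strip-ansi@^6.0.1` -> `strip-ansi-cjs`
pub fn naive_name(descriptor: &str) -> String {
    split_descriptor(descriptor).0.to_string()
}

/// The correct reading: for an `npm:` alias, the package named inside the range.
/// `strip-ansi-cjs@npm:strip-ansi@^6.0.1` -> `strip-ansi`
/// `strip-ansi@^6.0.0`                    -> `strip-ansi`
/// `@isaacs/cliui@^8.0.2`                 -> `@isaacs/cliui`
pub fn resolve_name(descriptor: &str) -> String {
    let (name, range) = split_descriptor(descriptor);
    match range.strip_prefix("npm:") {
        // The alias target may itself be scoped and carry a range, so split it the same way.
        Some(target) => split_descriptor(target).0.to_string(),
        None => name.to_string(),
    }
}

/// Split an entry header (`"a@x", b@y:`) into its descriptors, dropping the
/// trailing colon and the quotes yarn puts around descriptors with special characters.
/// Assumes no descriptor contains a comma (semver ranges never do).
pub fn header_descriptors(header: &str) -> Vec<String> {
    header
        .trim_end()
        .trim_end_matches(':')
        .split(',')
        .map(|d| d.trim().trim_matches('"').to_string())
        .filter(|d| !d.is_empty())
        .collect()
}

/// Minimal yarn v1 lockfile walk: an unindented line is an entry header, and the
/// indented `version "..."` line that follows gives the resolved version.
/// Every descriptor in a header must resolve to the same package; anything else is an error.
pub fn parse_yarn_lock(text: &str) -> Result<Vec<LockEntry>, String> {
    let mut entries = Vec::new();
    let mut current: Option<String> = None; // resolved name of the entry being read

    for line in text.lines() {
        if line.trim().is_empty() || line.starts_with('#') {
            continue;
        }
        if !line.starts_with(' ') {
            let names: Vec<String> = header_descriptors(line)
                .iter()
                .map(|d| resolve_name(d))
                .collect();
            let first = names
                .first()
                .ok_or_else(|| format!("empty header: {}", line))?;
            if names.iter().any(|n| n != first) {
                return Err(format!("descriptors resolve to different packages: {}", line));
            }
            current = Some(first.clone());
        } else if let Some(version) = line.trim().strip_prefix("version ") {
            let name = current
                .take()
                .ok_or_else(|| "version line before any entry header".to_string())?;
            entries.push(LockEntry { name, version: version.trim_matches('"').to_string() });
        }
    }
    Ok(entries)
}

/// Constructed sample lockfile; only the strip-ansi entry is taken from the issue.
pub const SAMPLE_LOCK: &str = r#"# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@isaacs/cliui@^8.0.2":
  version "8.0.2"
  dependencies:
    strip-ansi-cjs "npm:strip-ansi@^6.0.1"

"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
  version "6.0.1"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
  dependencies:
    ansi-regex "^5.0.1"

"scoped-alias@npm:@types/node@^20.0.0":
  version "20.11.0"
"#;

fn main() {
    // Lists strip-ansi 6.0.1, not strip-ansi-cjs, for the aliased entry.
    for entry in parse_yarn_lock(SAMPLE_LOCK).expect("sample parses") {
        println!("{} {}", entry.name, entry.version);
    }
}
```

The check worth keeping from this is the "all descriptors agree" rule in `parse_yarn_lock`: in the entry above, three descriptors share one block, and once the alias is resolved they all name `strip-ansi`, so a header whose descriptors resolve to different names is a sign the parser, not the lockfile, is wrong.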

kylewillmon commented 11 months ago

To make sure this doesn't come up again, I've tested pnpm and newer versions of yarn. Both of those lockfile parsers correctly handle this case.