sensu / web

Open-source Web UI for Sensu Go clusters
MIT License

Security concerns based on yarn audit #382

Open aval13 opened 2 years ago

aval13 commented 2 years ago

Running yarn audit on the code produces a worrying output:

1212 vulnerabilities found - Packages audited: 1790
Severity: 48 Low | 161 Moderate | 1003 High
Done in 8.68s.

Expected Behavior

Not report any vulnerability or only a few Lows (maybe).

Current Behavior

1003 High vulnerabilities identified. Out of all these, 12 CVEs reported:

https://www.npmjs.com/advisories/1603
https://www.npmjs.com/advisories/1654
https://www.npmjs.com/advisories/1673
https://www.npmjs.com/advisories/1678
https://www.npmjs.com/advisories/1679
https://www.npmjs.com/advisories/1753
https://www.npmjs.com/advisories/1762
https://www.npmjs.com/advisories/1770
https://www.npmjs.com/advisories/1771
https://www.npmjs.com/advisories/1779
https://www.npmjs.com/advisories/1780
https://www.npmjs.com/advisories/1781

Possible Solution

Maybe update the version requirements for packages so no vulnerable versions are pulled in? Also maybe cut on the required modules (split the list into dev and production, now all are production required)? Downloading 1567 modules seems a bit excessive (although yarn audit reports 1790 packages). Linking dependencies step makes checks 97856 checks.

Steps to Reproduce

Run: yarn audit or yarn audit --modules-folder /opt/sensu/yarn/node_modules based on how yarn install was run.

Context

I am trying NOT to deploy a vulnerable application in a production environment.

Your Environment

Yarn version:

# yarn --version
1.22.5
# apt-cache policy yarn | head
yarn:
  Installed: 1.22.5-1
  Candidate: 1.22.5-1
  Version table:
 *** 1.22.5-1 500
        500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
        500 https://dl.yarnpkg.com/debian stable/main all Packages
        100 /var/lib/dpkg/status
     1.22.4-1 500
        500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
[..CUT..]
aval13 commented 2 years ago

8 packages affected by High (--level high) vulnerabilities:

│ Package │ immer         │
│ Package │ lodash        │
│ Package │ prismjs       │
│ Package │ tar           │
│ Package │ trim-newlines │
│ Package │ ua-parser-js  │
│ Package │ url-parse     │
│ Package │ y18n          │

PR #379 would fix 1 of them, 7 remaining.

9 packages affected by Moderate (--level moderate produces 17 packages output). PR #380 would fix one of them.