sonatype-nexus-community / auditjs

Audits an NPM package.json file to identify known vulnerabilities.
https://www.npmjs.com/package/auditjs
Apache License 2.0

[FEATURE] WORKSPACE / MONOREPO SUPPORT #269

Open philly-vanilly opened 1 year ago

philly-vanilly commented 1 year ago

Is this lib supposed to work in a workspace (either npm, yarn or pnpm)? If yes, which type and version, with which configuration are supported?

In a regular repo I have 230 dependencies scanned, after merging it into a monorepo with npm workspaces, I can scan only the ones that are not hoisted because of a version mismatch with neighbour-packages. With pnpm only top-level dependencies are scanned (30 out of the original 230). Only yarn without plug-n-play (hoisting limit) seems to work for me, which is really a pity as having dozens of full-blown node_modules bottomless pits in a module-federation app is a nightmare with IntelliJ.

Also please clarify if this lib is abandoned. I see the last commit in /src is from 2 years ago, about as old as this issue: https://github.com/sonatype-nexus-community/auditjs/issues/184. If it is not under active development anymore, please deprecate it. As you can imagine, having a lib like this in a project really screws up the options for improvements. Either you have to abandon the idea of a monorepo and waste countless hours on multi-repo issues, or you have to explain to your project manager that you want to lower your security level for something as trivial as developer experience.

cc @bhamail / @DarthHater / @allenhsieh / @ken-duck

xpicio commented 5 months ago

We recently migrated our project from npm to pnpm and only the first-level dependencies are scanned. For instance: in a project we use body-parser, and pnpm audit detects the GHSA-hrpp-h998-j3pp vulnerability on qs, where qs is a dependency of body-parser (. > body-parser@1.18.3 > qs@6.5.2); but qs is not present within the sbom file created by auditjs.

Is it the right behaviour or is it a bug?
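One way to check for the gap xpicio describes, as an added example that is not auditjs's own code: walk the project's dependency graph and list every transitive package that has no matching component in a CycloneDX-style SBOM. The graph below is constructed by hand to mirror the path `. > body-parser@1.18.3 > qs@6.5.2` quoted above (the `bytes@3.0.0` node and the SBOM contents are likewise constructed sample data); a real run would derive the graph from the lockfile and load the SBOM file auditjs wrote.

```javascript
// Added example (not part of auditjs): verify that every transitive
// dependency reachable from the project root appears in the SBOM.

// Constructed dependency graph, keyed by name@version, mirroring the
// comment's path: . > body-parser@1.18.3 > qs@6.5.2 (bytes is sample data).
const depGraph = {
  '.': ['body-parser@1.18.3'],
  'body-parser@1.18.3': ['qs@6.5.2', 'bytes@3.0.0'],
  'qs@6.5.2': [],
  'bytes@3.0.0': [],
};

// Constructed CycloneDX-like SBOM that lists only first-level dependencies,
// i.e. the behaviour reported for pnpm projects in this issue.
const sbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.2',
  components: [
    { type: 'library', name: 'body-parser', version: '1.18.3' },
  ],
};

// Collect every node reachable from `root`. Iterative walk with a visited
// set, so cyclic dependency graphs (which npm allows) cannot loop forever.
function transitiveDependencies(graph, root = '.') {
  const seen = new Set();
  const stack = [...(graph[root] || [])];
  while (stack.length) {
    const id = stack.pop();
    if (seen.has(id)) continue;
    seen.add(id);
    for (const child of graph[id] || []) stack.push(child);
  }
  return seen;
}

// Return, sorted, every reachable name@version with no SBOM component.
// Keys are built from name + version, so scoped packages (@scope/pkg) work.
function missingFromSbom(graph, bom, root = '.') {
  const listed = new Set(bom.components.map((c) => `${c.name}@${c.version}`));
  return [...transitiveDependencies(graph, root)]
    .filter((id) => !listed.has(id))
    .sort();
}

console.log(missingFromSbom(depGraph, sbom)); // → [ 'bytes@3.0.0', 'qs@6.5.2' ]
```

A non-empty result means the SBOM (and therefore the audit built from it) does not cover the full dependency tree, which is exactly the situation the comment reports for qs.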