Open mcandre opened 1 day ago

### Describe the bug

When I try to scan my Yarn projects with `yarn npm audit --all --recursive`, then it silently ignores certificate settings.

It's not obeying `httpsCaFilePath` in `.yarnrc.yml`.

It's not obeying OS certificates.

### To reproduce

```
yarn npm audit --all --recursive
```

### Environment

```
System:
  OS: macOS 15.0
  CPU: (10) arm64 Apple M1 Pro
Binaries:
  Node: 20.17.0 - /private/var/folders/xc/s20l07yj76x8m3h20lmy5jlc0000gn/T/xfs-7493f3de/node
  Yarn: 4.3.1 - /private/var/folders/xc/s20l07yj76x8m3h20lmy5jlc0000gn/T/xfs-7493f3de/yarn
  npm: 10.8.2 - ~/.asdf/plugins/nodejs/shims/npm
```

### Additional context

By the way, yarn's error trace on SSL problems includes a recommendation to run `yarn install` to provision missing packages... but that's not applicable. The error handling should skip that recommendation for socket level network errors.

yarn SCA appears to also ignore `NODE_EXTRA_CA_CERTS`, causing security scans to fail when behind a proxy using self-signed certificates.