yarnpkg / berry

📦🐈 Active development trunk for Yarn ⚒
https://yarnpkg.com
BSD 2-Clause "Simplified" License

[Bug?]: `yarn npm audit --all --recursive` ignores certificates settings #6568

Open mcandre opened 1 day ago

mcandre commented 1 day ago

Describe the bug

When I try to scan my Yarn projects with yarn npm audit --all --recursive, it silently ignores certificate settings.

It's not obeying httpsCaFilePath in .yarnrc.yml.

It's not obeying OS certificates.

To reproduce

  1. Configure a firewall policy to block the yarn npm audit --all --recursive domains.
  2. Configure yarn (and corepack!) to use proxies with self-signed certificate PEM files.
  3. Run yarn npm audit --all --recursive.

Environment

  System:
    OS: macOS 15.0
    CPU: (10) arm64 Apple M1 Pro
  Binaries:
    Node: 20.17.0 - /private/var/folders/xc/s20l07yj76x8m3h20lmy5jlc0000gn/T/xfs-7493f3de/node
    Yarn: 4.3.1 - /private/var/folders/xc/s20l07yj76x8m3h20lmy5jlc0000gn/T/xfs-7493f3de/yarn
    npm: 10.8.2 - ~/.asdf/plugins/nodejs/shims/npm

Additional context

By the way, yarn's error trace on SSL problems includes a recommendation to run yarn install to provision missing packages... but that's not applicable. The error handling should skip that recommendation for socket level network errors.

mcandre commented 6 hours ago

yarn SCA appears to also ignore NODE_EXTRA_CA_CERTS, causing security scans to fail when behind a proxy using self-signed certificates.