Open karlhorky opened 5 years ago
Sounds similar to #6625
cc @rally25rs
I thought this would have been fixed by https://github.com/yarnpkg/yarn/commit/f8e42c563f7c10adb5f53afc59104f541e145176 but you are on a yarn version that has this change, so maybe there is a second issue 🤔
I'll try to find some time to reproduce this (unless someone else beats me to it)
Sorry to bump an old issue but FYI, I have this problem also. Running `yarn audit --verbose` indicates that yarn uses a different repository for checking packages than npm:
https://registry.yarnpkg.com/-/npm/v1/security/audits
In my case, a dependency of several node modules has a prototype vulnerability, and `npm audit` reports them, whilst `yarn audit` does not.
I am currently trying a `"resolutions"` section in package.json to see if I can update that dependency independently to a new version.
I just have the problem with `devDependencies`, as reported in #7047. `dependencies` are working in workspaces as well. `devDependencies` are checked with `yarn install --audit` but not with `yarn audit`.
Do you want to request a feature or report a bug?
Bug.
What is the current behavior?
In a Yarn Workspaces package, `yarn audit` reports `0 vulnerabilities found` in a workspace package, where `npm audit` reports `3 vulnerabilities (1 low, 2 high)` and GitHub reports `1 low`:

yarn audit: [screenshot]
npm audit: [screenshot]
GitHub audit: [screenshot]

It seems to me to be a problem with Yarn Workspaces because if I move the package.json out into another folder and run `yarn` and `yarn audit`, the vulnerabilities are reported.

If the current behavior is a bug, please provide the steps to reproduce.
Repo: https://github.com/karlhorky/talks/

What is the expected behavior?
`yarn audit` reports the vulnerabilities in Yarn Workspace packages.

Please mention your node.js, yarn and operating system version.
macOS Mojave 10.14.2 (18C54)
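The symptom throughout this thread is that `yarn audit` and `npm audit` disagree about the same dependency tree, so a practitioner will want to diff the two reports instead of trusting either count. The script below is an added example, not code from the yarn project or from any participant in this thread. It assumes the yarn 1.x `yarn audit --json` format (one JSON object per line, advisories in lines of type `auditAdvisory`) and the npm 6 `npm audit --json` format (an `advisories` object keyed by advisory id); the two sample reports embedded in it are constructed to mirror the counts from the issue (yarn: nothing, npm: 1 low, 2 high) and use made-up advisory ids and package names.

```javascript
'use strict';
// Added example (not yarn's code, not from this thread): cross-check
// `yarn audit --json` against `npm audit --json` and list advisories that only
// one of the two tools reported. Input formats are assumptions: yarn 1.x NDJSON
// and npm 6-style JSON. Sample inputs below are constructed, not real output.

// Parse yarn 1.x `yarn audit --json` (NDJSON) into a Map keyed by advisory id.
function parseYarnAudit(ndjson) {
  const advisories = new Map();
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      continue; // skip any non-JSON progress text yarn may interleave
    }
    if (entry.type !== 'auditAdvisory') continue; // auditSummary etc. carry no ids
    const adv = entry.data.advisory;
    advisories.set(adv.id, { module: adv.module_name, severity: adv.severity, title: adv.title });
  }
  return advisories;
}

// Parse npm 6-style `npm audit --json` (advisories keyed by id) into the same Map shape.
function parseNpmAudit(json) {
  const report = JSON.parse(json);
  const advisories = new Map();
  for (const adv of Object.values(report.advisories || {})) {
    advisories.set(adv.id, { module: adv.module_name, severity: adv.severity, title: adv.title });
  }
  return advisories;
}

// Advisories present in `a` and absent from `b`, sorted by id for stable output.
function missingFrom(a, b) {
  return [...a.entries()]
    .filter(([id]) => !b.has(id))
    .map(([id, v]) => ({ id, ...v }))
    .sort((x, y) => x.id - y.id);
}

// A non-empty `onlyNpm` is exactly the discrepancy the issue describes.
function compareAudits(yarnNdjson, npmJson) {
  const yarn = parseYarnAudit(yarnNdjson);
  const npm = parseNpmAudit(npmJson);
  return { onlyNpm: missingFrom(npm, yarn), onlyYarn: missingFrom(yarn, npm) };
}

// Constructed sample: yarn reports a clean tree (only a summary line).
const SAMPLE_YARN_AUDIT = [
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0},"dependencies":120,"devDependencies":0,"optionalDependencies":0,"totalDependencies":120}}',
].join('\n');

// Constructed sample: npm reports 1 low and 2 high; ids and module names are made up.
const SAMPLE_NPM_AUDIT = JSON.stringify({
  advisories: {
    1000: { id: 1000, module_name: 'example-pkg-a', severity: 'low', title: 'Prototype Pollution' },
    1001: { id: 1001, module_name: 'example-pkg-b', severity: 'high', title: 'Prototype Pollution' },
    1002: { id: 1002, module_name: 'example-pkg-c', severity: 'high', title: 'Regular Expression Denial of Service' },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0 } },
});

// Human-readable lines for the discrepancy; empty array means both tools agree.
function reportLines(yarnNdjson, npmJson) {
  const { onlyNpm, onlyYarn } = compareAudits(yarnNdjson, npmJson);
  return [
    ...onlyNpm.map((a) => `npm only:  ${a.id} ${a.module} (${a.severity}) ${a.title}`),
    ...onlyYarn.map((a) => `yarn only: ${a.id} ${a.module} (${a.severity}) ${a.title}`),
  ];
}

const lines = reportLines(SAMPLE_YARN_AUDIT, SAMPLE_NPM_AUDIT);
console.log(lines.length ? lines.join('\n') : 'yarn audit and npm audit agree');
```

To run it against a real workspace, capture `yarn audit --json > yarn-audit.json` and `npm audit --json > npm-audit.json` (npm needs a package-lock.json, which `npm install --package-lock-only` can generate without touching node_modules) and feed the two file contents to `compareAudits`. The npm 7+ report format keys results by package name rather than advisory id, so the npm parser here is tied to the npm 6 format that was current when this issue was filed.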