yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

yarn audit does not report vulnerabilities in a Yarn Workspace reported by npm audit and GitHub #6909

Open karlhorky opened 5 years ago

karlhorky commented 5 years ago

Do you want to request a feature or report a bug?

Bug.

What is the current behavior?

In a Yarn Workspaces package, yarn audit reports 0 vulnerabilities found in a workspace package, where npm audit reports 3 vulnerabilities (1 low, 2 high) and GitHub reports 1 low:

yarn audit:

➜  2018-08-30-react-sao-paulo-the-effect-of-react-on-web-standards git:(master) yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 44932
✨  Done in 4.83s.

npm audit:

➜  2018-08-30-react-sao-paulo-the-effect-of-react-on-web-standards git:(master) ✗ npm audit

                       === npm audit security report ===

# Run  npm install --save-dev webpack-dev-server@3.1.14  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ surge [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ surge > fstream-ignore > minimatch                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ surge [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ surge > cli-table2 > lodash                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 12699 scanned packages
  1 vulnerability requires semver-major dependency updates.
  2 vulnerabilities require manual review. See the full report for details.

GitHub audit:

(screenshot of the GitHub security alert, taken 2019-01-11)

It seems to me to be a problem with Yarn Workspaces, because if I move the package.json out into another folder and run yarn and yarn audit, the vulnerabilities are reported.

If the current behavior is a bug, please provide the steps to reproduce.

git clone git@github.com:karlhorky/talks.git
cd talks/packages/2018-08-30-react-sao-paulo-the-effect-of-react-on-web-standards
yarn
yarn audit
npm install
npm audit

Repo: https://github.com/karlhorky/talks/

What is the expected behavior?

yarn audit reports the vulnerabilities in Yarn Workspace packages.

Please mention your node.js, yarn and operating system version.

➜ npm -v
6.5.0
➜ yarn -v
1.13.0

macOS Mojave 10.14.2 (18C54)
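A cross-check for the discrepancy shown above, added here as an example and not code from the yarn project: it parses the JSON output of both tools and lists the advisory ids npm reports that yarn does not, so a workspace where yarn finds 0 and npm finds 3 fails the build instead of passing silently. The field layout (yarn 1.x NDJSON `auditAdvisory` lines, npm 6 `advisories` map) and the sample outputs are assumptions constructed from this issue's report.

```javascript
// Added example, not yarn's own code: compare `yarn audit --json` with
// `npm audit --json` so a workspace where yarn reports 0 findings but npm
// reports several is caught in CI. Field layout (yarn 1.x NDJSON, npm 6
// JSON) is an assumption; the sample outputs are constructed from this issue.

// yarn 1.x prints one JSON object per line; each finding is an "auditAdvisory".
function parseYarnAudit(ndjson) {
  const ids = new Set();
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    if (entry.type === 'auditAdvisory') ids.add(entry.data.advisory.id);
  }
  return ids;
}

// npm 6 prints a single object whose `advisories` map is keyed by advisory id.
function parseNpmAudit(json) {
  const report = JSON.parse(json);
  return new Set(Object.values(report.advisories || {}).map((a) => a.id));
}

// Advisory ids npm reported that yarn did not (the gap described in this issue),
// sorted numerically so the output is stable in CI logs.
function missingFromYarn(yarnOut, npmOut) {
  const seenByYarn = parseYarnAudit(yarnOut);
  return [...parseNpmAudit(npmOut)]
    .filter((id) => !seenByYarn.has(id))
    .sort((a, b) => a - b);
}

// Constructed sample: yarn found nothing, npm found the three advisories above.
const YARN_SAMPLE =
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0}}}\n';
const NPM_SAMPLE = JSON.stringify({
  advisories: {
    '725': { id: 725, module_name: 'webpack-dev-server', severity: 'high' },
    '118': { id: 118, module_name: 'minimatch', severity: 'high' },
    '577': { id: 577, module_name: 'lodash', severity: 'low' },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0 } },
});

// With real output (`yarn audit --json > yarn.json; npm audit --json > npm.json`),
// read the files instead of the samples; a non-empty result should fail the build.
const missing = missingFromYarn(YARN_SAMPLE, NPM_SAMPLE);
console.log(missing.length ? `yarn audit missed advisories: ${missing.join(', ')}` : 'audits agree');
```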

karlhorky commented 5 years ago

Sounds similar to #6625

cc @rally25rs

rally25rs commented 5 years ago

I thought this would have been fixed by https://github.com/yarnpkg/yarn/commit/f8e42c563f7c10adb5f53afc59104f541e145176 but you are on a yarn version that has this change, so maybe there is a second issue 🤔

I'll try to find some time to reproduce this (unless someone else beats me to it)

millerthegorilla commented 4 years ago

Sorry to bump an old issue, but FYI, I have this problem also. Running yarn audit --verbose indicates that yarn uses a different repository than npm for checking packages: https://registry.yarnpkg.com/-/npm/v1/security/audits. In my case, a dependency of several node modules has a prototype vulnerability, and npm audit reports them, whilst yarn audit does not. I am currently trying a "resolutions": { section in package.json to see if I can update that dependency independently to a new version.

nicod-pc commented 1 year ago

I just have the problem with devDependencies as reported in #7047. dependencies are working in workspaces as well.

#8078 claims that devDependencies are checked with yarn install --audit but not with yarn audit.