yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

Yarn Audit on a workspaces yarn project doesn't verify devDependencies #7047

Open lneves12 opened 5 years ago

lneves12 commented 5 years ago

Do you want to request a feature or report a bug? Bug

What is the current behavior? For some reason, when I run yarn audit on a yarn workspaces project, it only verifies the dependencies and not the devDependencies.

If the current behavior is a bug, please provide the steps to reproduce. https://github.com/uyuni-project/uyuni/blob/master/susemanager-frontend/package.json

yarn add url-relative --dev (doesn't show)

yarn add url-relative (shows vulnerability)

What is the expected behavior? The default behavior, with all packages checked for vulnerabilities.

Please mention your node.js, yarn and operating system version. yarn: 1.14.0 nodejs: 10.15.0

sbuckpesch commented 5 years ago

Here is a script I run in my CI/CD pipeline to audit only production packages:

const fs = require("fs");
const filepath = "./reports/yarn-audit.json";

// Remove the raw report once it has been processed; a failure here is logged, not fatal.
function removeReport() {
  try {
    fs.unlinkSync(filepath);
  } catch (err) {
    console.error(err);
  }
}

try {
  // `yarn audit --json` writes one JSON object per line (NDJSON).
  const report = fs.readFileSync(filepath, "utf8").split("\n");
  const packageJson = require("../package.json");
  // Guard against a package.json without a "dependencies" block.
  const productionDeps = Object.keys(packageJson.dependencies || {});
  const advisoryURL = "https://npmjs.com/advisories/";
  const advisories = report
    .map(item => {
      try {
        return JSON.parse(item);
      } catch (e) {
        return null; // blank or non-JSON lines are skipped
      }
    })
    .filter(advisory => advisory !== null && advisory.type === "auditAdvisory");

  const findings = advisories.filter(advisory => {
    // Keep an advisory only if at least one of its findings is reached from a
    // package listed in "dependencies", i.e. the root of an "a>b>c" path is a
    // production dependency. Every path of a finding is checked, not just the first.
    const advisoryFindings = advisory.data.advisory.findings || [];
    const advisoryFindingsProduction = advisoryFindings.filter(find =>
      (find.paths || []).some(path => productionDeps.includes(path.split(">")[0]))
    );

    return advisoryFindingsProduction.length > 0;
  });

  if (findings.length > 0) {
    console.log(`found ${findings.length} vulnerabilities among production dependencies. Please visit below link for details`);
    console.log("--------------------");
    findings.forEach(finding => {
      console.log(`URL: ${advisoryURL}${finding.data.resolution.id}`);
      console.log(`Path: ${finding.data.resolution.path}`);
      console.log("--------------------");
    });
    removeReport();
    process.exit(1);
  } else {
    removeReport();
    process.exit(0);
  }
} catch (e) {
  console.log(e);
  removeReport();
  process.exit(1);
}

GitLab pipeline YAML

audit:
...
  script:
    - mkdir reports
    - yarn run audit

...and the npm script:

"scripts": {
    "audit": "yarn audit --json >> reports/yarn-audit.json || true && node ./build/yarn-audit.js",
    ...
  },
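The script above decides "production or not" by looking only at the root package.json. On a workspaces project the root module of an advisory path may be declared in a workspace manifest instead, or in none at all. The following is an added example (not code from this issue, from sbuckpesch, or from Yarn itself) that classifies `yarn audit --json` advisories against every manifest of a workspaces project and keeps a separate "unknown" bucket for root modules declared nowhere, which is the bucket to inspect when checking whether devDependencies were actually audited. The NDJSON sample and the manifests are constructed inline; the record layout (`type`, `data.resolution`, `data.advisory.findings[].paths`) is the one the script in this thread reads, and the package names, advisory ids and manifest paths are invented for the example.

```javascript
// Added example, not the issue's or Yarn's code: classify yarn audit advisories
// by where their root dependency is declared across a root manifest and its
// workspace manifests.

// Constructed NDJSON in the shape `yarn audit --json` emits: one JSON object per
// line, with a non-JSON line mixed in to show that the parser must skip it.
const SAMPLE_AUDIT_NDJSON = [
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1, path: "url-relative" },
    advisory: { module_name: "url-relative", severity: "high",
                findings: [{ version: "1.0.0", paths: ["url-relative"] }] } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 2, path: "some-dev-tool>minimist" },
    advisory: { module_name: "minimist", severity: "moderate",
                findings: [{ version: "1.2.0", paths: ["some-dev-tool>minimist"] }] } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 3, path: "left-pad" },
    advisory: { module_name: "left-pad", severity: "low",
                findings: [{ version: "0.0.1", paths: ["left-pad"] }] } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 4, path: "stale-lib" },
    advisory: { module_name: "stale-lib", severity: "low",
                findings: [{ version: "2.0.0", paths: ["stale-lib"] }] } } }),
  "warning a non-JSON line that must be skipped",
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { high: 1, moderate: 1, low: 2 } } }),
].join("\n");

// Constructed manifests (hypothetical paths and package names): the root
// package.json declares workspaces, and one workspace has its own devDependency.
const SAMPLE_MANIFESTS = {
  "package.json": {
    workspaces: ["packages/*"],
    dependencies: { "url-relative": "^1.0.0" },
    devDependencies: { "some-dev-tool": "^2.0.0" },
  },
  "packages/web/package.json": {
    devDependencies: { "left-pad": "^0.0.1" },
  },
};

// Parse the NDJSON stream, dropping non-JSON lines and non-advisory records.
function parseAuditAdvisories(ndjson) {
  const advisories = [];
  for (const line of ndjson.split("\n")) {
    let record;
    try { record = JSON.parse(line); } catch { continue; }
    if (record && record.type === "auditAdvisory") advisories.push(record.data);
  }
  return advisories;
}

// Map each directly declared package to { kind, manifest } over all manifests.
// A package declared under "dependencies" in any manifest counts as production,
// even if another manifest lists it only under "devDependencies".
function indexDeclaredDependencies(manifests) {
  const index = new Map();
  for (const [file, manifest] of Object.entries(manifests)) {
    for (const name of Object.keys(manifest.dependencies || {})) {
      index.set(name, { kind: "production", manifest: file });
    }
    for (const name of Object.keys(manifest.devDependencies || {})) {
      if (!index.has(name)) index.set(name, { kind: "development", manifest: file });
    }
  }
  return index;
}

// The root of an "a>b>c" path is "a", the package the project declares directly.
function rootModule(path) {
  return path.split(">")[0];
}

// Bucket advisories as production, development or unknown (root declared nowhere).
function classifyAdvisories(advisories, index) {
  const buckets = { production: [], development: [], unknown: [] };
  for (const data of advisories) {
    const roots = new Set();
    for (const finding of data.advisory.findings || []) {
      for (const path of finding.paths || []) roots.add(rootModule(path));
    }
    const declared = [...roots].map((root) => index.get(root));
    let kind = "unknown";
    if (declared.some((d) => d && d.kind === "production")) kind = "production";
    else if (declared.some((d) => d && d.kind === "development")) kind = "development";
    buckets[kind].push({ id: data.resolution.id, module: data.advisory.module_name,
                         severity: data.advisory.severity, roots: [...roots] });
  }
  return buckets;
}

function auditReport(ndjson, manifests) {
  return classifyAdvisories(parseAuditAdvisories(ndjson), indexDeclaredDependencies(manifests));
}

// CI policy used here: fail only on production findings (the same policy as the
// script above); "unknown" is printed so it cannot silently disappear.
function exitCode(report) {
  return report.production.length > 0 ? 1 : 0;
}

const report = auditReport(SAMPLE_AUDIT_NDJSON, SAMPLE_MANIFESTS);
for (const [kind, items] of Object.entries(report)) {
  console.log(`${kind}: ${items.length}`);
  for (const item of items) {
    console.log(`  #${item.id} ${item.module} (${item.severity}) via ${item.roots.join(", ")}`);
  }
}
console.log(`exit code: ${exitCode(report)}`);
```

In a pipeline, the NDJSON would be read from the file `yarn audit --json` was redirected to, the manifests from the root package.json plus each path matched by its `workspaces` globs, and the process would end with `process.exit(exitCode(report))`. A non-empty "unknown" bucket on a workspaces project means an advisory was reached through a package no manifest declares directly, which is worth a look before trusting that the audit covered what you think it did.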
nicod-pc commented 1 year ago

@sbuckpesch your script does the opposite of what the issue is here. yarn audit should check the devDependencies for vulnerabilities. It does for the root project but not for each workspace. We expect yarn audit to check all packages (also devDependencies) in all workspaces.

nicod-pc commented 1 year ago

This issue is also mentioned by audit-ci as a limitation:

Yarn Classic workspaces does not audit devDependencies. See https://github.com/yarnpkg/yarn/issues/7047 for more information.