yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

yarn audit --production optional dependencies not working #8635

Open adrianovieira opened 3 years ago

adrianovieira commented 3 years ago

Is it expected that yarn audit --production audits only packages' dependencies for production environments?

If so, it isn't working.

Steps to reproduce:

  1. yarn init -y
  2. yarn add vue
  3. yarn add --dev @vue/cli-service
  4. yarn audit
![image](https://user-images.githubusercontent.com/5561794/118812611-aba76400-b884-11eb-8483-8c4a9c11af35.png)
  5. yarn audit --production
![image](https://user-images.githubusercontent.com/5561794/118812869-f45f1d00-b884-11eb-9c76-be622f3f1ffe.png)

Checking the same audit steps with npm:

  1. npm audit
![image](https://user-images.githubusercontent.com/5561794/118813463-8830e900-b885-11eb-91f4-b57f670742ab.png)
  2. npm audit --production

escapedcat commented 3 years ago

I just stumbled across this as well, because of reading this post and googling "yarn audit production"

> Then, ensure you run npm audit --production rather than npm audit.

The post is talking about npm, my fault. So I checked the yarn v1 docs because it looks like you're using v1 and I'm also stuck with v1.

I can't find --production there, but this:

`yarn audit --groups dependencies`

v2 has something close to it:

`yarn npm audit --environment production`

So maybe this is just a misunderstanding or an outdated option?

karnauskas commented 2 years ago

I just noticed the same issue too:

```
mk@life audit-test % cat package.json
{
  "name": "audit-test",
  "private": "true",
  "devDependencies": {
    "react-scripts": "^5.0.1"
  }
 }
mk@life audit-test % yarn --prod
yarn install v1.22.19
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
warning " > react-scripts@5.0.1" has unmet peer dependency "react@>= 16".
warning "react-scripts > eslint-config-react-app > eslint-plugin-flowtype@8.0.3" has unmet peer dependency "@babel/plugin-syntax-flow@^7.14.5".
warning "react-scripts > eslint-config-react-app > eslint-plugin-flowtype@8.0.3" has unmet peer dependency "@babel/plugin-transform-react-jsx@^7.14.9".
warning "react-scripts > react-dev-utils > fork-ts-checker-webpack-plugin@6.5.2" has unmet peer dependency "typescript@>= 2.7".
warning "react-scripts > eslint-config-react-app > @typescript-eslint/eslint-plugin > tsutils@3.21.0" has unmet peer dependency "typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta".
[4/4] 🔨  Building fresh packages...
✨  Done in 0.66s.
mk@life audit-test % yarn audit --prod
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Inefficient Regular Expression Complexity in nth-check       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >   │
│               │ css-select > nth-check                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1070415                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1203
Severity: 1 High
✨  Done in 1.23s.

mk@life audit-test % rm -rf node_modules
mk@life audit-test % npm i --omit=dev

up to date, audited 1 package in 1s

found 0 vulnerabilities
mk@life audit-test % npm audit --omit=dev
found 0 vulnerabilities
mk@life audit-test %
```
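Until the `--production` filter behaves as expected, one defensive workaround is to post-filter the machine-readable output yourself. The script below is an added example, not code from the yarn project or from anyone in this thread: it reads the NDJSON that `yarn audit --json` prints, keeps only advisories whose dependency path starts at a package listed under `dependencies` in package.json, and exposes a severity gate for CI. It assumes each `auditAdvisory` record carries `data.resolution.path` as a `>`-separated chain with the top-level package first; the sample input and the second advisory (its id, name and URL) are constructed placeholders.

```javascript
// Added example (not from the yarn project or this thread): post-filter
// `yarn audit --json` so only advisories reachable through a production
// dependency remain. Assumption: data.resolution.path is '>'-separated with
// the top-level package first (as in the thread's react-scripts>...>nth-check).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function filterProductionAdvisories(ndjson, packageJson) {
  const prodRoots = new Set(Object.keys(packageJson.dependencies || {}));
  const kept = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch (e) { continue; } // skip non-JSON noise
    if (record.type !== "auditAdvisory") continue;
    const { resolution, advisory } = record.data;
    const root = resolution.path.split(">")[0];
    if (!prodRoots.has(root)) continue; // reachable only via a devDependency
    kept.push({ severity: advisory.severity, module: advisory.module_name,
                path: resolution.path, patched: advisory.patched_versions, url: advisory.url });
  }
  return kept;
}

// CI gate: true when any kept advisory is at or above minSeverity.
function shouldFail(kept, minSeverity) {
  const floor = SEVERITY_RANK[minSeverity];
  return kept.some((a) => (SEVERITY_RANK[a.severity] || 0) >= floor);
}

// Constructed sample input. The nth-check record mirrors the finding shown in
// the thread; the second advisory (id 0, placeholder name and URL) is made up.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { vue: "^3.2.0" },
  devDependencies: { "react-scripts": "^5.0.1" },
};
const SAMPLE_NDJSON = [
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1070415, path: "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check", dev: true, optional: false, bundled: false },
    advisory: { module_name: "nth-check", severity: "high", title: "Inefficient Regular Expression Complexity in nth-check", patched_versions: ">=2.0.1", url: "https://www.npmjs.com/advisories/1070415" } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 0, path: "vue>placeholder-transitive-pkg", dev: false, optional: false, bundled: false },
    advisory: { module_name: "placeholder-transitive-pkg", severity: "moderate", title: "PLACEHOLDER advisory (constructed)", patched_versions: ">=1.0.1", url: "https://example.invalid/advisories/PLACEHOLDER" } } }),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 }, dependencies: 1203 } }),
].join("\n");

const production = filterProductionAdvisories(SAMPLE_NDJSON, SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(production, null, 2)); // only the vue-rooted advisory survives
```

In a real pipeline, feed the script `yarn audit --json` on stdin and exit non-zero when `shouldFail` returns true for your chosen threshold.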