Open adrianovieira opened 3 years ago
I just stumbled across this as well, because of reading this post and googling "yarn audit production": "Then, ensure you run npm audit --production rather than npm audit."
The post is talking about npm, my fault. So I checked the yarn v1 docs because it looks like you're using v1 and I'm also stuck with v1. I can't find --production there, but this:
yarn audit --groups dependencies
yarn npm audit --environment production
So maybe this is just a misunderstanding or an outdated option?
I just noticed the same issue too:
mk@life audit-test % cat package.json
{
"name": "audit-test",
"private": "true",
"devDependencies": {
"react-scripts": "^5.0.1"
}
}
mk@life audit-test % yarn --prod
yarn install v1.22.19
[1/4] 🔍 Resolving packages...
[2/4] 🚚 Fetching packages...
[3/4] 🔗 Linking dependencies...
warning " > react-scripts@5.0.1" has unmet peer dependency "react@>= 16".
warning "react-scripts > eslint-config-react-app > eslint-plugin-flowtype@8.0.3" has unmet peer dependency "@babel/plugin-syntax-flow@^7.14.5".
warning "react-scripts > eslint-config-react-app > eslint-plugin-flowtype@8.0.3" has unmet peer dependency "@babel/plugin-transform-react-jsx@^7.14.9".
warning "react-scripts > react-dev-utils > fork-ts-checker-webpack-plugin@6.5.2" has unmet peer dependency "typescript@>= 2.7".
warning "react-scripts > eslint-config-react-app > @typescript-eslint/eslint-plugin > tsutils@3.21.0" has unmet peer dependency "typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta".
[4/4] 🔨 Building fresh packages...
✨ Done in 0.66s.
mk@life audit-test % yarn audit --prod
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Inefficient Regular Expression Complexity in nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > │
│ │ css-select > nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1070415 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1203
Severity: 1 High
✨ Done in 1.23s.
mk@life audit-test % rm -rf node_modules
mk@life audit-test % npm i --omit=dev
up to date, audited 1 package in 1s
found 0 vulnerabilities
mk@life audit-test % npm audit --omit=dev
found 0 vulnerabilities
mk@life audit-test %
Is it expected that yarn audit --production audits only packages' dependencies for production environments? If so, it isn't working.
Steps to reproduce:
yarn init -y
yarn add vue
yarn add --dev @vue/cli-service
yarn audit
yarn audit --production
Checking the audit steps with npm:
npm audit
npm audit --production