New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fix Yarn Berry workspace audit when skip-dev=true #248

Merged

quinnturner merged 7 commits into IBM:main from kyletsang:yarn-workspace

Apr 13, 2022

Contributor

kyletsang commented Apr 13, 2022

Fixes #216

The --all flag should always be passed so the auditor can pick up vulnerabilities in workspaces.

This PR adds tests for Yarn Classic and Yarn Berry. One hiccup I ran into was that Yarn Classic does not audit dev dependencies. This appears to be a bug in Yarn. I left comments in the test.

kyletsang added 2 commits

April 12, 2022 16:54


          fix: fix Yarn Berry workspace audit when skip-dev=true

324ed3a


          add missing yarn berry files

1937e7d

Member

quinnturner commented Apr 13, 2022 •

edited

install-state.gz is intended gitignored. Can you add this to the .gitignore?

.pnp.*
.yarn/*
!.yarn/patches
!.yarn/plugins
!.yarn/releases
!.yarn/sdks
!.yarn/versions

Also, for the Yarn Berry files, can you use the existing approach where we just require the single instance in ../../? That saves the repo space and some duplication!

quinnturner reviewed

View reviewed changes

test/yarn-auditer.spec.js Outdated Show resolved Hide resolved

quinnturner reviewed

View reviewed changes

test/yarn-auditer.spec.js Show resolved Hide resolved

quinnturner reviewed

View reviewed changes

test/yarn-auditer.spec.js Outdated Show resolved Hide resolved

kyletsang added 3 commits

April 12, 2022 18:37


          use common test functions for yarn tests

7737d10


          clean up yarn dist files


          add note about yarn classic and devDependencies in readme

2e0d174

Contributor Author

kyletsang commented Apr 13, 2022

Also, for the Yarn Berry files, can you use the existing approach where we just require the single instance in ../../? That saves the repo space and some duplication!

Fixed and also cleaned up the files in the other yarn berry folders 👍

quinnturner reviewed

View reviewed changes

README.md Outdated Show resolved Hide resolved

quinnturner reviewed

View reviewed changes

test/yarn-auditer.spec.js Show resolved Hide resolved

test/yarn-berry-low/.yarnrc.yml Show resolved Hide resolved

kyletsang added 2 commits

April 12, 2022 19:06


          tweak wording

f00cb3d


          tweak wording again

142e136

quinnturner self-requested a review

April 13, 2022 02:07

quinnturner approved these changes

View reviewed changes

Member

quinnturner commented Apr 13, 2022

Great job, thank you! I will trigger a release for this PR.

quinnturner merged commit b6f210f into IBM:main

kyletsang deleted the yarn-workspace branch

April 13, 2022 02:11

Member

quinnturner commented Apr 13, 2022

Released in v6.2.0

This was referenced Apr 13, 2022

Update dependency audit-ci to v6.2.0 jetngin/console#17

Merged

fix(deps): update dependency audit-ci to v6 Xavius1/subito-ci#9

Merged

Update all dependencies jetngin/create-jetngin#3

Open

Update all dependencies jetngin/create-jetngin-extension#1

Open

feat(Dependencies): Update dependency audit-ci to v6.2.0 deNBI/cloud-portal-webapp#4590

Merged

chore(deps): update dependency audit-ci to v6.2.0 jdanil/skunkworks#3037

Merged

Update all dependencies daniel-samson/typefs#134

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment