Yarn audit fails with 2 high sev vulnerabilities (dev dependencies only) #1562

Closed
ivolzhevbt opened this issue Jun 29, 2021 · 1 comment

@ivolzhevbt (Contributor)

Steps to Reproduce:

  1. checkout main branch
  2. run yarn --frozen-lockfile
  3. run yarn audit --summary

Actual result:
yarn audit v1.22.10
2 vulnerabilities found - Packages audited: 830
Severity: 2 High
✨ Done in 1.22s.

Expected result:
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 830
✨ Done in 1.15s.

@ivolzhevbt ivolzhevbt added potential-bug triage Needs to be looked at labels Jun 29, 2021
ivolzhevbt added a commit to bisontrails/vscode-gitlens that referenced this issue Jun 29, 2021
trim-newlines is a transitive dependency which is present in a
dependency tree through imagemin-webp and node-sass.

Version of trim-newlines which is referenced by those packages has a
security advisory https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042

Neither imagemin-webp nor node-sass has a version which depends on a patched
version of trim-newlines. And at least node-sass is not maintained any
longer.

Under current circumstances the only way to fix this is to force
trim-newlines version via "resolutions". As the interface of the package is
backward compatible and does not break anything I believe it is the right
thing to do.
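A check for the fix this commit describes: a script, added here and not part of the GitLens project, that parses a yarn.lock (v1 format) and reports every resolved version of a package pinned under "resolutions" that does not satisfy the pin, so the override can be verified rather than assumed. The package.json fragment, both lockfiles and the ^3.0.1 range are constructed samples; substitute the patched version the advisory names.

```python
"""Verify that a yarn "resolutions" override actually took effect in yarn.lock (v1 format)."""
import json
import re

def _nums(v):
    """'3.0.1' -> (3, 0, 1); a prerelease suffix such as '-beta.1' is ignored."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def parse_yarn_lock(text):
    """Map package name -> set of resolved versions found in a yarn.lock v1 file."""
    versions, names = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):
            # Key line, e.g.  "trim-newlines@^1.0.0", trim-newlines@^2.0.0:  (rsplit keeps scoped "@" prefix)
            specs = [s.strip().strip('"') for s in line.rstrip(":").split(",")]
            names = [s.rsplit("@", 1)[0] for s in specs]
            continue
        m = re.match(r'\s+version "([^"]+)"', line)
        if m:
            for name in names:
                versions.setdefault(name, set()).add(m.group(1))
    return versions

def satisfies(version, rng):
    """Minimal range check: an exact pin, or a caret range with major >= 1."""
    v = _nums(version)
    if rng.startswith("^"):
        floor = _nums(rng[1:])
        return v[0] == floor[0] and v >= floor
    return v == _nums(rng)

def unsatisfied_resolutions(package_json_text, lock_text):
    """Return {package: [locked versions that violate its "resolutions" entry]}."""
    resolutions = json.loads(package_json_text).get("resolutions", {})
    locked = parse_yarn_lock(lock_text)
    bad = {}
    for name, rng in resolutions.items():
        offenders = sorted(v for v in locked.get(name, ()) if not satisfies(v, rng))
        if offenders:
            bad[name] = offenders
    return bad

# Constructed samples (not the real GitLens files); ^3.0.1 stands in for the patched version.
PACKAGE_JSON = '{"resolutions": {"trim-newlines": "^3.0.1"}}'
LOCK_BEFORE = '# yarn lockfile v1\n\ntrim-newlines@^1.0.0:\n  version "1.0.0"\n\ntrim-newlines@^2.0.0:\n  version "2.0.0"\n'
LOCK_AFTER = '# yarn lockfile v1\n\ntrim-newlines@^1.0.0, trim-newlines@^2.0.0, trim-newlines@^3.0.1:\n  version "3.0.1"\n'
```

Running `unsatisfied_resolutions(PACKAGE_JSON, LOCK_BEFORE)` names the two vulnerable versions still in the tree; on `LOCK_AFTER`, where yarn has collapsed all three specs onto the pinned release, it returns an empty dict.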
@eamodio eamodio self-assigned this Jul 2, 2021
@eamodio eamodio added debt Technical debt and removed potential-bug triage Needs to be looked at labels Jul 2, 2021
@eamodio eamodio added this to the Soon™ milestone Jul 2, 2021
@eamodio eamodio closed this as completed in c5428ed Jul 2, 2021
@eamodio eamodio changed the title yarn audit fails with 2 high sev vulnerabilities Yarn audit fails with 2 high sev vulnerabilities (dev dependencies only) Jul 2, 2021
@eamodio eamodio modified the milestones: Soon™, Shipped Jul 13, 2021
@github-actions (bot)

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 13, 2021