Errors parsing yarn.lock files with quoted properties #249
Comments
|
Drive-by observation: from reading https://bstefanski.com/upgrading-one-dependency-causes-whole-yarnlock-change-fix something is very wrong with a tool that makes unnecessary wholesale changes to the file like that. Makes reviewing changes unnecessarily onerous and provides an easy opportunity for a bad actor to slip in something under the reviewer's radar... From a quick search, this sounds like yarnpkg/yarn#4953, which has been open for a concerning amount of time... |
|
Ok it looks like this is because npm v7+ formats I've created #250 to fix this |
Resolves #249 This files are actually valid, and generated by npm v7+
Resolves #249 This files are actually valid, and generated by npm v7+
Resolves google#249 This files are actually valid, and generated by npm v7+
Resolves google#249 This files are actually valid, and generated by npm v7+
Scorecard currently calls DoScan here when checking for vulns. When we scan public repos, we sometimes encounter yarn.lock files that write hundred of lines to os.Stderr due to the issue discussed in #102 and #142.
Here are a few of the offending files that we've encountered:
https://github.com/Glissir/react-trello/blob/565dd41fd2263787412b6e131c9f21b26c7204cd/yarn.lock
https://github.com/nodeWechat/wechat4u/blob/93972863435ba0cfe98c316bbe6b739da390897d/yarn.lock
#102 mentioned being unable to reproduced with
yarn, but a few search results have mentioned the issue is caused whennpmmanipulates theyarn.lockfile:npm/cli#5126
https://stackoverflow.com/q/74272832
https://bstefanski.com/upgrading-one-dependency-causes-whole-yarnlock-change-fix
The text was updated successfully, but these errors were encountered: