
--no-optional or --ignore-optional does not impact transient dependencies. #5366

Open
krotscheck opened this issue Feb 15, 2018 · 4 comments

@krotscheck

Do you want to request a feature or report a bug?
A bug.

What is the current behavior?
Given a package that has optional dependencies (chokidar), attempt to add it to your project. Yarn automatically installs the optional dependency fsevents, which (at this time) has a dependency with an nsp security violation (hoek).

The lock entry for chokidar is below:

chokidar@~2.0.2:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-2.0.2.tgz#4dc65139eeb2714977735b6a35d06e97b494dfd7"
  dependencies:
    anymatch "^2.0.0"
    async-each "^1.0.0"
    braces "^2.3.0"
    glob-parent "^3.1.0"
    inherits "^2.0.1"
    is-binary-path "^1.0.0"
    is-glob "^4.0.0"
    normalize-path "^2.1.1"
    path-is-absolute "^1.0.0"
    readdirp "^2.0.0"
    upath "^1.0.0"
  optionalDependencies:
    fsevents "^1.0.0"

If the current behavior is a bug, please provide the steps to reproduce.

mkdir test
cd test
npm init -y
yarn add --ignore-optional chokidar # or yarn add chokidar --no-optional
more yarn.lock | grep fsevents

What is the expected behavior?
Yarn should not install optional dependencies.

Please mention your node.js, yarn and operating system version.
OSX Sierra, Node Carbon-LTS (8.9.x), yarn 1.3.2

@ghost ghost assigned arcanis Feb 15, 2018
@ghost ghost added the triaged label Feb 15, 2018
@krotscheck

Here's a link to the NSP Node advisory. https://nodesecurity.io/advisories/566

@richardkmichael

richardkmichael commented Apr 14, 2018

This problem still exists in yarn 1.6.0, node 9.11.1 (on OSX 10.12.6).

Numerous issues have referred to variations of this problem (optional being erroneously required, or required being erroneously optional, etc.).

!5059 fixed optional dependency handling to ensure required dependencies are not erroneously marked as optional (fixing several issues).
#2660 (closed, merged into #2666, which itself is closed by !3976)
#4665 (open) is more or less a dupe.

Another reproducer:

mkdir yarn-test && cd yarn-test
yarn init -y
yarn add --ignore-optional babel-preset-shopify@16.3.0
cd .. && cp -a yarn-test yarn-test-2 && cd yarn-test-2
rm -rf node_modules
yarn install --ignore-optional

Yarn will unnecessarily install react-hot-loader, which is an optional dependency.

(It will then continue on to warn about an unmet peer dependency for the transient dependency, redbox-react.)

@alex-dixon

alex-dixon commented Jul 23, 2019

Had this problem, going to use --ignore-platform and hope for the best.

@leethree

I'm still seeing the same issue in 2020. I'm using Yarn 1.22.4 and yarn install --ignore-optional will install optional dependencies from 3rd party libraries.

codeviking added a commit to allenai/supp.ai that referenced this issue Jan 5, 2021
This uses the `resolutions` feature to force `ini` to a version
without the associated CVE. The update should be safe, since it's
only a patch.

I tried to use the `--ignore-optional` flag `yarn` provides, but
it didn't work (`ini` is required by `rc` which is required by `sharp`
which is an optional dependency of `next`). It appears this is a known
issue: yarnpkg/yarn#5366

Resolves:
https://github.com/allenai/supp.ai/security/dependabot/ui/yarn.lock/ini/open

In relation to:
allenai/reviz#165