--no-optional or --ignore-optional does not impact transient dependencies.
#5366
Comments
Here's a link to the NSP Node advisory. https://nodesecurity.io/advisories/566
This problem still exists in yarn. Numerous issues have referred to variations of this problem (optional being erroneously required, or required being erroneously optional, etc.). !5059 fixed optional dependency handling to ensure required dependencies are not erroneously marked as optional (fixing several issues). Another reproducer:
Yarn will unnecessarily install (It will then continue on to warn about an unmet peer dependency for the transient dependency,
Had this problem, going to use
I'm still seeing the same issue in 2020. I'm using Yarn 1.22.4 and
This uses the `resolutions` feature to force `ini` to a version without the associated CVE. The update should be safe, since it's only a patch. I tried to use the `--ignore-optional` flag `yarn` provides, but it didn't work (`ini` is required by `rc` which is required by `sharp` which is an optional dependency of `next`). It appears this is a known issue: yarnpkg/yarn#5366
Resolves: https://github.com/allenai/supp.ai/security/dependabot/ui/yarn.lock/ini/open
In relation to: allenai/reviz#165
Do you want to request a feature or report a bug?
A bug.
What is the current behavior?
Given a package that has optional dependencies (`chokidar`), attempt to add it to your project. Yarn automatically installs the optional dependency `fsevents`, which (at this time) has a dependency with an nsp security violation (`hoek`). The lock entry for chokidar is below:
If the current behavior is a bug, please provide the steps to reproduce.
What is the expected behavior?
Yarn should not install optional dependencies.
Please mention your node.js, yarn and operating system version.
OSX Sierra, Node Carbon-LTS (8.9.x), yarn 1.3.2
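Both chains on this page have the same shape: the reporter's `chokidar` > `fsevents` (optional) > ... > `hoek`, and the later comment's `next` > `sharp` (optional) > `rc` > `ini`. In each case the optional edge sits one level below the root manifest, which is where the flag is observed not to reach. The block below is an added example, not code from yarn or from anyone on this thread. It parses a constructed yarn.lock v1 fragment, computes the install set under three pruning policies (no pruning, root-only pruning as this issue reports, and pruning at every depth as the reporter expected), and lists the chain to a flagged package the way `yarn why <package>` does. The lockfile, the manifest, every version and range, and the shortened `fsevents` > `hoek` chain are made up for the demo; `parseYarnLock`, `installedSet`, `chainsTo` and `lookup` are hypothetical helper names, not yarn APIs.

```javascript
// Added example, not code from yarn or this issue: a toy yarn.lock v1 walker.
// Lockfile, manifest, versions and the (shortened) chains are all constructed.
const CONSTRUCTED_LOCK = `
chokidar@^2.0.0:
  version "2.0.0"
  optionalDependencies:
    fsevents "^1.0.0"
fsevents@^1.0.0:
  version "1.1.3"
  dependencies:
    hoek "^4.0.0"
hoek@^4.0.0:
  version "4.2.0"
next@^9.0.0:
  version "9.0.0"
  optionalDependencies:
    sharp "^0.23.0"
sharp@^0.23.0:
  version "0.23.0"
  dependencies:
    rc "^1.2.8"
rc@^1.2.8:
  version "1.2.8"
  dependencies:
    ini "^1.3.4"
ini@^1.3.4:
  version "1.3.5"
`;
const CONSTRUCTED_MANIFEST = { // the project's own package.json, reduced to two fields
  dependencies: { chokidar: "^2.0.0", next: "^9.0.0" },
  optionalDependencies: { hoek: "^4.0.0" },
};

// Parse the yarn.lock v1 subset used above: unindented "name@range:" headers
// (one or more comma-separated keys), 2-space fields, 4-space dependency lists.
function parseYarnLock(text) {
  const entries = new Map(); // "name@range" -> { version, dependencies, optionalDependencies }
  let entry = null, section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(":")) {
      entry = { version: null, dependencies: {}, optionalDependencies: {} };
      for (const key of line.slice(0, -1).split(",")) entries.set(key.trim().replace(/^"|"$/g, ""), entry);
      section = null;
    } else if (indent === 2) {
      section = /^(dependencies|optionalDependencies):$/.test(line) ? line.slice(0, -1) : null;
      const m = line.match(/^version "(.*)"$/); if (m) entry.version = m[1];
    } else if (indent === 4 && section) {
      const m = line.match(/^"?([^"\s]+)"? "(.*)"$/); if (m) entry[section][m[1]] = m[2];
    }
  }
  return entries;
}

// Outgoing [name, range, optional] edges of a manifest or lock entry, and the
// lock entry an edge resolves to (a missing entry means the lockfile is stale).
const edges = (node) => [
  ...Object.entries(node.dependencies).map(([n, r]) => [n, r, false]),
  ...Object.entries(node.optionalDependencies).map(([n, r]) => [n, r, true]),
];
const fail = (msg) => { throw new Error(msg); };
const lookup = (lock, n, r) => lock.get(`${n}@${r}`) ?? fail(`yarn.lock has no entry for ${n}@${r}`);

// Install set for a mode: "none" installs every optional dependency; "root"
// skips only the root manifest's optionalDependencies, which is what this issue
// reports for --ignore-optional; "all" skips optional edges at every depth.
function installedSet(lock, manifest, mode) {
  const installed = new Set();
  const queue = [{ node: manifest, isRoot: true }];
  while (queue.length) {
    const { node, isRoot } = queue.shift();
    for (const [name, range, optional] of edges(node)) {
      if (optional && (mode === "all" || (mode === "root" && isRoot))) continue;
      const entry = lookup(lock, name, range), id = `${name}@${entry.version}`;
      if (installed.has(id)) continue;
      installed.add(id); queue.push({ node: entry, isRoot: false });
    }
  }
  return [...installed].sort();
}

// Every chain from the root to `target` with optional edges marked, e.g.
// "next > sharp (optional) > rc > ini"; this is the view "yarn why ini" gives.
function chainsTo(lock, manifest, target) {
  const chains = [];
  (function visit(node, path, onPath) {
    for (const [name, range, optional] of edges(node)) {
      const chain = [...path, optional ? `${name} (optional)` : name];
      if (name === target) chains.push(chain.join(" > "));
      if (onPath.has(name)) continue; // cycle guard
      onPath.add(name); visit(lookup(lock, name, range), chain, onPath); onPath.delete(name);
    }
  })(manifest, [], new Set());
  return chains;
}

const demoLock = parseYarnLock(CONSTRUCTED_LOCK);
for (const mode of ["none", "root", "all"]) console.log(mode, installedSet(demoLock, CONSTRUCTED_MANIFEST, mode));
console.log(chainsTo(demoLock, CONSTRUCTED_MANIFEST, "ini"), chainsTo(demoLock, CONSTRUCTED_MANIFEST, "hoek"));
```

Running it prints the same package set for `none` and `root`: once the only optional edges are below the root, root-only pruning changes nothing, so `hoek` and `ini` still land, which is the behaviour reported here. Only the `all` policy drops them. Note that the `resolutions` override from the comment above changes which `ini` version is installed, not whether it is installed; `yarn why ini` on a real lockfile gives the same chain view as `chainsTo`, and is the quickest way to confirm which optional edge is pulling a flagged package in.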