
Yarn Audit on a workspaces yarn project doesn't verify devDependencies #7047

lneves12 opened this issue Feb 19, 2019 · 3 comments

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
For some reason, when I run yarn audit on a workspaces yarn project, it only verifies the dependencies and not devDependencies.

If the current behavior is a bug, please provide the steps to reproduce.
https://github.com/uyuni-project/uyuni/blob/master/susemanager-frontend/package.json

yarn add url-relative --dev (doesn't show)

yarn add url-relative (shows vulnerability)

What is the expected behavior?
The default behavior with all the packages checked for vulnerabilities

Please mention your node.js, yarn and operating system version.
yarn: 1.14.0
nodejs: 10.15.0


sbuckpesch commented Aug 26, 2019

Here is a script I run in my CI/CD pipeline to audit only production packages:

const fs = require("fs");
const filepath = "./reports/yarn-audit.json";

// Delete the report on every exit path so a stale file cannot be picked up by the next pipeline run
function removeReport() {
  try {
    fs.unlinkSync(filepath);
  } catch (err) {
    console.error(err);
  }
}

try {
  // `yarn audit --json` writes one JSON object per line, so split and parse line by line
  const report = fs.readFileSync(filepath, "utf8").split("\n");
  const packageJson = require("../package.json");
  // Guard against a package.json that declares no `dependencies` block at all
  const productionModules = Object.keys(packageJson.dependencies || {});
  const advisoryURL = "https://npmjs.com/advisories/";
  const advisories = report
    .map(item => {
      try {
        return JSON.parse(item);
      } catch (e) {
        return null; // blank or non-JSON lines are skipped
      }
    })
    .filter(advisory => advisory !== null && advisory.type === "auditAdvisory");

  const findings = advisories.filter(advisory => {
    // Keep the advisory if any of its findings is reachable through a path whose
    // root module is declared in `dependencies` (every path is checked, not only the first)
    const advisoryFindings = advisory.data.advisory.findings;
    const advisoryFindingsProduction = advisoryFindings.filter(find =>
      (find.paths || []).some(path => productionModules.includes(path.split(">")[0]))
    );

    return advisoryFindingsProduction.length > 0;
  });

  if (findings.length > 0) {
    console.log(`found ${findings.length} vulnerabilities among production dependencies. Please visit the links below for details`);
    console.log("--------------------");
    findings.forEach(finding => {
      console.log(`URL: ${advisoryURL}${finding.data.resolution.id}`);
      console.log(`Path: ${finding.data.resolution.path}`);
      console.log("--------------------");
    });
    removeReport();
    process.exit(1);
  } else {
    removeReport();
    process.exit(0);
  }
} catch (e) {
  console.log(e);
  removeReport();
  process.exit(1);
}

GitLab pipeline YAML

audit:
...
  script:
    - mkdir reports
    - yarn run audit

...and the npm script:

"scripts": {
    "audit": "yarn audit --json >> reports/yarn-audit.json || true && node ./build/yarn-audit.js",
    ...
  },

@iwt-nduesing

@sbuckpesch your script does the opposite of what the issue is here. yarn audit should check the devDependencies for vulnerabilities. It does for the root project but not for each workspace. We expect yarn audit to check all packages (also devDependencies) in all workspaces.

@iwt-nduesing

This issue is also mentioned by audit-ci as a limitation:

Yarn Classic workspaces does not audit devDependencies. See #7047 for more information.
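An added example written for this thread, not code from the issue, from yarn or from the poster's script: it parses constructed `yarn audit --json` style lines, buckets advisories by whether any finding path starts at a root-level `dependencies` entry (the check the script above performs, applied to every path), and, for the gap this issue describes, lists the workspace devDependencies that no root manifest entry pulls in. The manifests and advisory records are constructed; the record layout (`type`, `data.resolution.id`, `data.advisory.findings[].paths`) follows the fields the script above reads, and the "not declared at the root" rule is a heuristic, not yarn's own logic.

```javascript
// Added example for this issue (not yarn's or the poster's code). Constructed manifests
// and `yarn audit --json` style records; a real run would read the files instead.
const ROOT_PKG = {
  workspaces: ["packages/*"],
  dependencies: { "url-relative": "^1.0.0" },
  devDependencies: { jest: "^24.0.0" },
};
const WORKSPACE_PKGS = [
  { name: "pkg-a", devDependencies: { "url-relative": "^1.0.0", webpack: "^4.0.0" } },
];
const advisory = (id, path, paths) => JSON.stringify({ type: "auditAdvisory", data: {
  resolution: { id, path }, advisory: { findings: [{ paths }] } } });
// One record per line, plus a malformed line that the parser must skip.
const SAMPLE_REPORT = [
  advisory(1, "url-relative", ["url-relative"]),
  advisory(2, "jest>somepkg", ["jest>somepkg"]),
  "not json at all",
].join("\n");

// Parse the line-delimited report, keeping only well-formed auditAdvisory records.
function parseAdvisories(text) {
  return text.split("\n").map(line => {
    try { return JSON.parse(line); } catch (e) { return null; } // blank or non-JSON line
  }).filter(obj => obj && obj.type === "auditAdvisory");
}

// Bucket advisory ids by whether any finding path starts at a root `dependencies` entry;
// every path is checked, not just the first one.
function classifyAdvisories(text, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const result = { production: [], dev: [] };
  for (const adv of parseAdvisories(text)) {
    const roots = [];
    for (const f of adv.data.advisory.findings) for (const p of f.paths || []) roots.push(p.split(">")[0]);
    result[roots.some(r => prod.has(r)) ? "production" : "dev"].push(adv.data.resolution.id);
  }
  return result;
}

// Heuristic for the gap this issue reports: workspace devDependencies that no root manifest
// entry pulls in are the roots a yarn 1.x workspaces audit is said to skip, so list them.
function unauditedWorkspaceDevDeps(rootPkg, workspacePkgs) {
  const covered = new Set(Object.keys(rootPkg.dependencies || {}).concat(Object.keys(rootPkg.devDependencies || {})));
  const missing = new Set();
  for (const ws of workspacePkgs)
    for (const name of Object.keys(ws.devDependencies || {})) if (!covered.has(name)) missing.add(name);
  return Array.from(missing).sort();
}
```

Anything `unauditedWorkspaceDevDeps` returns is a candidate for a separate audit run inside that workspace until the behaviour described in this issue changes.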
