yarn audit inconsistently reports devDependencies vulnerabilities in workspaces
Command
yarn install --audit
yarn audit
What is the current behaviour?
In the context of an individual package: yarn install --audit reports security vulnerabilities in devDependencies when yarn audit does not. This results in developer confusion due to the inconsistency in reports.
In the context of a workspace: yarn install --audit and yarn audit at the root of the project both fail to report any security vulnerabilities even though running the same commands in a package do report a vulnerability.
What is the expected behaviour?
Consistency and choice.
Whatever is reported at the package level should also be reported at the workspace level. Without this, confidence is lost that reporting is working as it should.
Anything reported by yarn install --audit should also be reported by yarn audit. This is especially true as the output from yarn install --audit prompts the user to Run "yarn audit" for additional details.
Choice of which dependencies to audit. Ideally there should be a switch on the CLI allowing for choice of what to audit (dependencies and/or devDependencies).
Steps to Reproduce
Reproduction repo: https://github.com/philostlervelo/yarn-workspace-audit-reporting
1. yarn install --audit at the root
2. yarn audit at the root
3. cd packages/a
4. yarn install --audit inside the package
5. yarn audit inside the package
Environment
10.19.0
1.22.4
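To make the inconsistency the report describes measurable rather than eyeballed, the following script compares the `--json` output of `yarn audit` captured at the workspace root with the output captured inside one package, and lists advisories that one run shows and the other does not, split by dependency group. This is an added example; it is not code from the issue, the reproduction repo, or yarn. It assumes yarn 1.x's `yarn audit --json` line format (one JSON object per line, advisory lines of type "auditAdvisory" whose "data" carries a "resolution" object with a "dev" flag and an "advisory" object with id, module_name and severity); the two sample outputs embedded below are constructed, not captured from the reproduction repo.

```python
"""Compare `yarn audit --json` output from a workspace root with the output
from one workspace package and report advisories present in one but not the
other, split by dependency group (dev vs prod).

Added example, not part of the issue or of yarn. Assumed line format (yarn 1.x):
  {"type":"auditAdvisory","data":{"resolution":{"id":..,"path":"..","dev":bool,..},
                                  "advisory":{"id":..,"module_name":"..","severity":"..",..}}}
  {"type":"auditSummary","data":{"vulnerabilities":{..}, ..}}
"""
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    advisory_id: int
    module: str
    severity: str
    dev: bool      # True when the vulnerable path is reached only via devDependencies
    path: str      # dependency path as yarn reports it, e.g. "mocha>growl"


def parse_audit_jsonl(text: str) -> Dict[int, Finding]:
    """Return advisories keyed by advisory id; summary and other line types are skipped."""
    findings: Dict[int, Finding] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") != "auditAdvisory":
            continue
        adv = rec["data"]["advisory"]
        res = rec["data"].get("resolution", {})
        aid = int(adv["id"])
        findings[aid] = Finding(
            advisory_id=aid,
            module=adv["module_name"],
            severity=adv["severity"],
            dev=bool(res.get("dev", False)),
            path=res.get("path", ""),
        )
    return findings


def compare_reports(root_text: str, package_text: str) -> Dict[str, object]:
    """Diff the two audit runs. Advisories missing at the root but present in the
    package are the ones the issue is about; the dev-only subset is listed separately."""
    root = parse_audit_jsonl(root_text)
    pkg = parse_audit_jsonl(package_text)
    missing_at_root = {i: f for i, f in pkg.items() if i not in root}
    missing_in_pkg = {i: f for i, f in root.items() if i not in pkg}
    return {
        "root_count": len(root),
        "package_count": len(pkg),
        "missing_at_root": sorted(missing_at_root),
        "missing_at_root_dev": sorted(i for i, f in missing_at_root.items() if f.dev),
        "missing_in_package": sorted(missing_in_pkg),
    }


# Constructed sample output for `yarn audit --json` run at the workspace root:
# only a production-dependency advisory is reported.
ROOT_AUDIT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1001, "path": "a>lodash", "dev": False, "optional": False, "bundled": False},
        "advisory": {"id": 1001, "module_name": "lodash", "severity": "high", "title": "Prototype Pollution"}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0}}}),
])

# Constructed sample output for the same command run inside packages/a:
# the production advisory plus a devDependencies-only advisory.
PACKAGE_AUDIT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1001, "path": "lodash", "dev": False, "optional": False, "bundled": False},
        "advisory": {"id": 1001, "module_name": "lodash", "severity": "high", "title": "Prototype Pollution"}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1002, "path": "mocha>growl", "dev": True, "optional": False, "bundled": False},
        "advisory": {"id": 1002, "module_name": "growl", "severity": "critical", "title": "Command Injection"}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 1}}}),
])


if __name__ == "__main__":
    # Real usage: pipe `yarn audit --json > root.jsonl` at the root and
    # `yarn audit --json > pkg.jsonl` inside the package, then read both files here.
    print(json.dumps(compare_reports(ROOT_AUDIT, PACKAGE_AUDIT), indent=2))
```

Any id listed under missing_at_root is a finding the root-level run silently dropped; if every such id is also in missing_at_root_dev, the gap is confined to devDependencies, which matches the behaviour the issue describes. Run the comparison in CI against a known-vulnerable fixture so a change in yarn's aggregation is caught rather than assumed.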