
yarn audit inconsistently reports devDependencies vulnerabilities in workspaces #8078

Open
philostlervelo opened this issue Apr 24, 2020 · 1 comment

Comments

@philostlervelo

Bug description

yarn audit inconsistently reports devDependencies vulnerabilities in workspaces

Command

yarn install --audit
yarn audit

What is the current behaviour?

In the context of an individual package:
yarn install --audit reports security vulnerabilities in devDependencies when yarn audit does not. This results in developer confusion due to the inconsistency in reports.

In the context of a workspace:
yarn install --audit and yarn audit at the root of the project both fail to report any security vulnerabilities, even though running the same commands in a package does report a vulnerability.

What is the expected behaviour?

Consistency and choice.

  • Whatever is reported at the package level should also be reported at the workspace level. Without this, confidence is lost that reporting is working as it should.
  • Anything reported by yarn install --audit should also be reported by yarn audit. This is especially true as the output from yarn install --audit prompts the user with: Run "yarn audit" for additional details.
  • Choice of which dependencies to audit. Ideally there should be a switch on the CLI allowing for choice of what to audit (dependencies and/or devDependencies).

Steps to Reproduce

Reproduction repo: https://github.com/philostlervelo/yarn-workspace-audit-reporting

  1. Run yarn install --audit at the root
  2. Run yarn audit at the root
  3. cd packages/a
  4. Run yarn install --audit inside package
  5. Run yarn audit inside package

Environment

  • Node Version: 10.19.0
  • Yarn v1 Version: 1.22.4
  • OS and version: macOS Catalina 10.15.4
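The reproduction steps above compare four yarn runs by eye. The script below is an added example, not code from this issue or from the yarn project: it post-processes yarn audit --json output so the root-of-workspace run and the packages/a run can be diffed mechanically, and so findings reached only through devDependencies are counted separately. It assumes the newline-delimited JSON shape yarn v1 emits for yarn audit --json (one auditAdvisory object per finding, whose data.resolution.dev flag marks dev-only paths, followed by one auditSummary object). The two embedded runs are constructed sample lines with a fictitious package name and advisory id, shaped like the behaviour described in the report (root run empty, package run with one dev-only finding); they are not real yarn output.

```javascript
// Added example (not from the issue or the yarn project): compare two
// `yarn audit --json` runs and split findings by devDependency reachability.
//
// Assumed format (yarn v1): newline-delimited JSON, one
// {"type":"auditAdvisory"} object per finding, then one {"type":"auditSummary"}.
// data.resolution.dev is true when the vulnerable module is reached only via
// devDependencies. Sample lines below are constructed, not real yarn output.

const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Parse NDJSON text from `yarn audit --json`. yarn interleaves plain-text
// warnings with the JSON lines, so anything that is not a JSON object is skipped.
function parseAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const raw of ndjson.split("\n")) {
    const line = raw.trim();
    if (!line.startsWith("{")) continue;
    let obj;
    try { obj = JSON.parse(line); } catch (e) { continue; }
    if (obj.type === "auditAdvisory") {
      const { resolution, advisory } = obj.data;
      advisories.push({
        id: advisory.id,
        module: advisory.module_name,
        severity: advisory.severity,
        path: resolution.path,
        dev: Boolean(resolution.dev),
      });
    } else if (obj.type === "auditSummary") {
      summary = obj.data;
    }
  }
  return { advisories, summary };
}

// Count findings per severity, split into prod (reachable from dependencies)
// and dev (reachable only from devDependencies).
function tally(advisories) {
  const counts = { prod: {}, dev: {} };
  for (const sev of SEVERITIES) { counts.prod[sev] = 0; counts.dev[sev] = 0; }
  for (const a of advisories) {
    const bucket = a.dev ? counts.dev : counts.prod;
    if (a.severity in bucket) bucket[a.severity] += 1;
  }
  return counts;
}

// Findings present in a per-package run but absent from the root run.
// Key on advisory id + module, not on resolution.path: the path differs between
// the hoisted root node_modules and a package's own tree.
function missingAtRoot(rootReport, pkgReport) {
  const key = a => `${a.id}:${a.module}`;
  const seen = new Set(rootReport.advisories.map(key));
  return pkgReport.advisories.filter(a => !seen.has(key(a)));
}

function compareRuns(rootNdjson, pkgNdjson) {
  const root = parseAudit(rootNdjson);
  const pkg = parseAudit(pkgNdjson);
  return {
    root: tally(root.advisories),
    pkg: tally(pkg.advisories),
    missingAtRoot: missingAtRoot(root, pkg),
  };
}

// Constructed sample: root-of-workspace run reports nothing.
const ROOT_RUN = [
  `{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0},"dependencies":3,"devDependencies":2,"optionalDependencies":0,"totalDependencies":5}}`,
].join("\n");

// Constructed sample: run inside packages/a reports one dev-only finding,
// with a non-JSON warning line mixed in. Package name and id are fictitious.
const PKG_A_RUN = [
  `warning package.json: No license field`,
  `{"type":"auditAdvisory","data":{"resolution":{"id":90001,"path":"example-test-runner>example-helper","dev":true,"optional":false,"bundled":false},"advisory":{"id":90001,"module_name":"example-helper","severity":"high","title":"Constructed sample finding","vulnerable_versions":"<1.2.3","patched_versions":">=1.2.3"}}}`,
  `{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":1,"critical":0},"dependencies":1,"devDependencies":2,"optionalDependencies":0,"totalDependencies":3}}`,
].join("\n");

const result = compareRuns(ROOT_RUN, PKG_A_RUN);
for (const a of result.missingAtRoot) {
  console.log(`missing at root: ${a.severity} ${a.module} (#${a.id}) via ${a.path}${a.dev ? " [devDependency]" : ""}`);
}
```

To use it against a real workspace, capture yarn audit --json > root.ndjson at the root and yarn audit --json > pkg-a.ndjson inside packages/a (yarn exits non-zero when it finds advisories, so do not let set -e abort the capture), read both files and pass their contents to compareRuns in place of the constructed constants; a non-empty missingAtRoot is the inconsistency the report describes.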
@alex-fournier

I am facing the same problem, yarn audit does not check vulnerabilities in devDependencies of workspace packages.

I also have a reproducible repo: https://github.com/alex-fournier/yarn-audit-workspaces-example

Similar issue: #7047
