
yarn audit --groups dependencies optionalDependencies not working #8495

Closed
leonardobazico opened this issue Dec 9, 2020 · 2 comments

@leonardobazico

Bug description

Couldn't find a way to audit two or more groups at once.

  • The --groups option only gets the first group if a space is used to separate them
  • The --groups option gets lost if a comma is used to separate them

The help indicates space to separate the groups

--groups <group_name> [<group_name> ...]

Although the description shows commas: Only audit dependencies from listed groups. Default: devDependencies, dependencies, optionalDependencies (default: devDependencies,dependencies,optionalDependencies)

Command

yarn audit --groups dependencies optionalDependencies

What is the current behavior?
Not possible to use --groups to audit more than one group

What is the expected behavior?
Audit dependencies from listed groups through the option --groups

Steps to Reproduce

  1. Have dependencies, devDependencies and/or optionalDependencies
  2. Run yarn audit --groups dependencies optionalDependencies
  3. Only the packages from the dependencies group will be audited

Outputs:

yarn audit --groups dependencies
yarn audit v1.22.5
0 vulnerabilities found - Packages audited: 325
✨  Done in 2.62s.
yarn audit --groups optionalDependencies
yarn audit v1.22.5
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Remote Memory Exposure                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bl                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.3 <2.0.0 || >=2.2.1 <3.0.0 || >=3.0.1 <4.0.0 ||        │
│               │ >=4.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ codeceptjs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ codeceptjs > @codeceptjs/configure > webdriverio > archiver  │
│               │ > tar-stream > bl                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1555                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 325
Severity: 1 High
✨  Done in 1.68s.
yarn audit --groups dependencies optionalDependencies
yarn audit v1.22.5
0 vulnerabilities found - Packages audited: 325
✨  Done in 1.39s.
yarn audit --groups dependencies,optionalDependencies
yarn audit v1.22.5
0 vulnerabilities found - Packages audited: 0
✨  Done in 2.38s.
yarn audit --groups dependencies, optionalDependencies
yarn audit v1.22.5
0 vulnerabilities found - Packages audited: 0
✨  Done in 1.72s.

Environment

  • Node Version: 12.18.4
  • Yarn v1 Version: 1.22.5
  • OS and version: macOS 10.15.7
@dubbha

dubbha commented May 7, 2021

@leonardobazico , this should work:

yarn audit --groups "devDependencies dependencies"

I agree this is a bug in both the documentation and the CLI help, neither of which is clear or states the correct usage.
The CLI help line is confusing in itself, hinting at three different usages in a single line, none of which works:

    --groups <group_name> [<group_name> ...]  Only audit dependencies from listed groups. Default: devDependencies, dependencies, optionalDependencies (default: devDependencies,dependencies,optionalDependencies)

And the worst thing is that the option is so prone to the case when you might silently audit nothing at all, or just a part of what you intended to, and not even know about it.
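As an added example (not from the issue thread or from yarn itself), a small POSIX shell guard for the silent-failure case described in the comment above: it parses the yarn audit summary line and fails the run when zero packages were audited. The `audit_groups` wrapper, its `MIN` threshold and the sample transcripts are constructed here.

```shell
#!/bin/sh
# Added example, not from the issue or from yarn: guard against the "silently
# audited nothing" failure mode. yarn v1 ends each run with a line such as
# "0 vulnerabilities found - Packages audited: 325"; when --groups is parsed
# wrongly the count is 0 and the run still exits 0 with no findings.

# Parse a yarn audit transcript. Return codes:
#   0 -> no vulnerabilities and at least MIN packages audited
#   1 -> vulnerabilities reported
#   2 -> no summary line, or fewer than MIN packages audited (probable
#        option-parsing problem, treat as a failed audit)
check_audit_summary() {
  output="$1"
  min="${2:-1}"
  summary=$(printf '%s\n' "$output" \
    | grep -E '^[0-9]+ vulnerabilit(y|ies) found - Packages audited: [0-9]+' \
    | tail -n 1)
  [ -n "$summary" ] || return 2
  vulns=$(printf '%s' "$summary" | sed -E 's/^([0-9]+) .*/\1/')
  audited=$(printf '%s' "$summary" | sed -E 's/.*Packages audited: ([0-9]+).*/\1/')
  [ "$audited" -ge "$min" ] || return 2
  [ "$vulns" -eq 0 ] || return 1
  return 0
}

# Run the audit with the quoted, space-separated form that works in yarn 1.22.5
# and apply the check. Assumes yarn is on PATH; MIN is the lowest package
# count you expect for your project (hypothetical threshold).
audit_groups() {
  groups="$1"   # e.g. "dependencies optionalDependencies"
  min="$2"
  out=$(yarn audit --groups "$groups" 2>&1) || true   # yarn exits non-zero on findings
  check_audit_summary "$out" "$min"
}

# Constructed sample transcripts mirroring the ones in the issue.
SAMPLE_OK='yarn audit v1.22.5
0 vulnerabilities found - Packages audited: 325
Done in 2.62s.'
SAMPLE_EMPTY='yarn audit v1.22.5
0 vulnerabilities found - Packages audited: 0
Done in 2.38s.'
SAMPLE_VULN='yarn audit v1.22.5
1 vulnerabilities found - Packages audited: 325
Severity: 1 High
Done in 1.68s.'
```

In CI, call `audit_groups "dependencies optionalDependencies" 100 || exit 1` so a mis-parsed group list fails the job instead of passing with nothing audited.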

@leonardobazico

Thank you, @dubbha! It worked
