Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix audit for packages without name #6611

Merged
merged 7 commits into from Nov 1, 2018

Conversation

@bugzpodder
Copy link
Contributor

commented Oct 31, 2018

Jack Zhao
@arcanis

This comment has been minimized.

Copy link
Member

commented Oct 31, 2018

Now that's interesting - how come some packages have no name ? 😮

@arcanis
Copy link
Member

left a comment

Thanks for the fix! Could you also add a test so that we're sure there won't be regressions? Cf here:

https://github.com/yarnpkg/yarn/blob/master/__tests__/commands/audit.js

@rally25rs

This comment has been minimized.

Copy link
Contributor

commented Oct 31, 2018

If they don't have a name then we should probably omit them from the audit contents at all, since npm isn't going to have issues listed for a package with no name anyway. I think we should just skip it when building the audit tree.

Jack Zhao
@bugzpodder

This comment has been minimized.

Copy link
Contributor Author

commented Oct 31, 2018

@rally25rs the main package is a private package (not published) and it doesn't have a name, however its dependencies should still be checked.

@bugzpodder

This comment has been minimized.

Copy link
Contributor Author

commented Oct 31, 2018

See for example: #6607 (comment)

@gabegorelick

This comment has been minimized.

Copy link

commented Oct 31, 2018

This does not appear to fix #6607. I still get that error even after applying this patch.

@bugzpodder

This comment has been minimized.

Copy link
Contributor Author

commented Oct 31, 2018

[edit] @gabegorelick you are right that it actually doesn't fix the textract dependency as @arcanis pointed out.

@bugzpodder

This comment has been minimized.

Copy link
Contributor Author

commented Oct 31, 2018

yarn audit v1.12.1
error An unexpected error occurred: "Unexpected audit response (Missing Metadata): false".
info If you think this is a bug, please open a bug report with the information provided in ".../yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/audit for documentation about this command.
$ yarn-local audit
yarn audit v1.13.0-0
0 vulnerabilities found - Packages audited: 37909
✨  Done in 2.56s.```
@gabegorelick

This comment has been minimized.

Copy link

commented Oct 31, 2018

@bugzpodder My apologies. In posting a minimal repo case for #6607, it seems I got too minimal in dropping the name field from package.json and discovered another bug :)

@arcanis

This comment has been minimized.

Copy link
Member

commented Oct 31, 2018

The problem comes from empty dependencies fields (cf #6607 (comment)).

@bugzpodder, do you mind also fixing it in the same PR? It should just be a change in _mapHoistedTreesToAuditTree (something like transforming empty dependency fields to * should do the trick).

Jack Zhao and others added some commits Oct 31, 2018

Jack Zhao
@arcanis

arcanis approved these changes Nov 1, 2018

@arcanis arcanis merged commit 4b8e49e into yarnpkg:master Nov 1, 2018

0 of 2 checks passed

ci/circleci: install Your tests are queued behind your running builds
Details
continuous-integration/appveyor/pr Waiting for AppVeyor build to complete
Details
@arcanis

This comment has been minimized.

Copy link
Member

commented Nov 1, 2018

Perfect, thanks!

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Nov 22, 2018

yarn: Update to 1.12.3.
Changelog tracks back up to 1.12.0 only.

## 1.12.3

**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.

- Fixes an issue with `yarn audit` when using workspaces

  [6625](yarnpkg/yarn#6639) - [**Jeff Valore**](https://twitter.com/codingwithspike)

- Uses `NODE_OPTIONS` to instruct Node to load the PnP hook, instead of raw CLI arguments

  **Caveat:** This change might cause issues for PnP users having a space inside their cwd (cf [nodejs/node24065](nodejs/node#24065))

  [6479](yarnpkg/yarn#6629) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes Gulp when used with Plug'n'Play

  [6623](yarnpkg/yarn#6623) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes an issue with `yarn audit` when the root package was missing a name

  [6611](yarnpkg/yarn#6611) - [**Jack Zhao**](https://github.com/bugzpodder)

- Fixes an issue with `yarn audit` when a package was depending on an empty range

  [6611](yarnpkg/yarn#6611) - [**Jack Zhao**](https://github.com/bugzpodder)

- Fixes an issue with how symlinks are setup into the cache on Windows

  [6621](yarnpkg/yarn#6621) - [**Yoad Snapir**](https://github.com/yoadsn)

- Upgrades `inquirer`, fixing `upgrade-interactive` for users using both Node 10 and Windows

  [6635](yarnpkg/yarn#6635) - [**Philipp Feigl**](https://github.com/pfeigl)

- Exposes the path to the PnP file using `require.resolve('pnpapi')`

  [6643](yarnpkg/yarn#6643) - [**Maël Nison**](https://twitter.com/arcanis)

## 1.12.2

This release doesn't actually exists and was caused by a quirk in our systems.

## 1.12.1

- Ensures the engine check is ran before showing the UI for `upgrade-interactive`

  [6536](yarnpkg/yarn#6536) - [**Orta Therox**](https://github.com/orta)

- Restores Node v4 support by downgrading `cli-table3`

  [6535](yarnpkg/yarn#6535) - [**Mark Stacey**](https://github.com/Gudahtt)

- Prevents infinite loop when parsing corrupted lockfiles with unterminated strings

  [4965](yarnpkg/yarn#4965) - [**Ryan Hendrickson**](https://github.com/rhendric)

- Environment variables now have to **start** with `YARN_` (instead of just contain it) to be considered

  [6518](yarnpkg/yarn#6518) - [**Michael Gmelin**](https://blog.grem.de)

- Fixes the `extensions` option when used by `resolveRequest`

  [6479](yarnpkg/yarn#6479) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes handling of empty string entries for `bin` in package.json

  [6515](yarnpkg/yarn#6515) - [**Ryan Burrows**](https://github.com/rhburrows)

- Adds support for basic auth for registries with paths, such as artifactory

  [5322](yarnpkg/yarn#5322) - [**Karolis Narkevicius**](https://twitter.com/KidkArolis)

- Adds 2FA (Two Factor Authentication) support to publish & alike

  [6555](yarnpkg/yarn#6555) - [**Krzysztof Zbudniewek**](https://github.com/neonowy)

- Fixes how the `files` property is interpreted to bring it in line with npm

  [6562](yarnpkg/yarn#6562) - [**Bertrand Marron**](https://github.com/tusbar)

- Fixes Yarn invocations on Darwin when the `yarn` binary was symlinked

  [6568](yarnpkg/yarn#6568) - [**Hidde Boomsma**](https://github.com/hboomsma)

- Fixes `require.resolve` when used together with the `paths` option

  [6565](yarnpkg/yarn#6565) - [**Maël Nison**](https://twitter.com/arcanis)

## 1.12.0

- Adds initial support for PnP on Windows

  [6447](yarnpkg/yarn#6447) - [**John-David Dalton**](https://twitter.com/jdalton)

- Adds `yarn audit` (and the `--audit` flag for all installs)

  [6409](yarnpkg/yarn#6409) - [**Jeff Valore**](https://github.com/rally25rs)

- Adds a special logic to PnP for ESLint compatibility (temporary, until [eslint/eslint10125](eslint/eslint#10125) is fixed)

  [6449](yarnpkg/yarn#6449) - [**Maël Nison**](https://twitter.com/arcanis)

- Makes the PnP hook inject a `process.versions.pnp` variable when setup (equals to `VERSIONS.std`)

  [6464](yarnpkg/yarn#6464) - [**Maël Nison**](https://twitter.com/arcanis)

- Disables by default (configurable) the automatic migration of the `integrity` field. **It will be re-enabled in 2.0.**

  [6465](yarnpkg/yarn#6465) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes the display name of the faulty package when the NPM registry returns corrupted data

  [6455](yarnpkg/yarn#6455) - [**Grey Baker**](https://github.com/greysteil)

- Prevents crashes when running `yarn outdated` and the NPM registry forgets to return the `latest` tag

  [6454](yarnpkg/yarn#6454) - [**mad-mike**](https://github.com/mad-mike)

- Fixes `yarn run` when used together with workspaces and PnP

  [6444](yarnpkg/yarn#6444) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes an edge case when peer dependencies were resolved multiple levels deep (`webpack-dev-server`)

  [6443](yarnpkg/yarn#6443) - [**Maël Nison**](https://twitter.com/arcanis)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.