Avoid OOMs in large audit advisories #8214
Open
Summary
Fixes #7404 and #8012
Would supersede #7495 with the benefit of not changing the interface contract
At the moment running `yarn audit --json` on a project with a lot of dependencies when a common dependency like lodash is marked as vulnerable is likely to OOM. This doesn't affect the `console` output, because it prints out a table per-finding, whereas the JSON output prints out a line per-advisory. Changing the JSON output format to avoid this would arguably be quite a major breaking change, so instead I've done a bit of a trick to encode a smaller chunk of JSON output at a time, effectively streaming it.

The implementation I've done here is a little hacky, although it is contained to a small function and passes all the existing tests. I'm happy to refine the approach taken if the maintainers are aligned with the idea.
Test plan
`yarn audit --json` still works. I haven't yet tested this against a repo that OOMed before, but I intend to do that today and I'm confident that it would work.