Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yarn audit doesn't report vulnerable dependencies in a yarn workspace package #6625

Closed
gdamjan opened this issue Nov 2, 2018 · 5 comments · Fixed by #6639
Closed

yarn audit doesn't report vulnerable dependencies in a yarn workspace package #6625

gdamjan opened this issue Nov 2, 2018 · 5 comments · Fixed by #6639
Assignees
@rally25rs @imsnif
Labels
cat-bug

Comments

@gdamjan
Copy link

gdamjan commented Nov 2, 2018

Do you want to request a feature or report a bug?

bug

What is the current behavior?

yarn audit doesn't report vulnerable dependencies in a yarn workspace package, even though the vulnerable package is listed in yarn.lock

If the current behavior is a bug, please provide the steps to reproduce.

make a repo using yarn workspaces, add minimatch@3.0.0 as a dependency in one of the workspaces, run yarn install and yarn audit

Here's an example repo that reproduces the issue:
https://github.com/gdamjan/yarn-audit-workspaces-example

What is the expected behavior?

yarn audit should report the vulnerability of a dependency listed in yarn.lock

Please mention your node.js, yarn and operating system version.

damjan docker $ node --version
v8.12.0
damjan docker $ yarn --version
1.12.1
damjan docker $ cat /etc/os-release 
NAME="Arch Linux"
@ghost ghost assigned imsnif Nov 2, 2018
@ghost ghost added the triaged label Nov 2, 2018
@gdamjan
Copy link
Author

gdamjan commented Nov 2, 2018 

$ yarn audit
yarn audit v1.12.1
0 vulnerabilities found - Packages audited: 0
Done in 1.20s.

it's interesting that github did recognize the vulnerability
image

@arcanis
Copy link
Member

arcanis commented Nov 2, 2018

Ping @rally25rs?

@rally25rs
Copy link
Contributor

Looks like this ends up happening because the root package doesn't have a real dependency on it's workspaces.

If the root workspace is named yarn-test and has:

{
  "name": "yarn-test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "private": true,
  "dependencies": {},
  "workspaces": ["packages/*"]
}

and a single workspace package packages/prj1

then what we send to the npm api is:

{
  "name": "yarn-test",
  "version": "1.0.0",
  "install": [],
  "remove": [],
  "metadata": {},
  "requires": {},
  "dependencies": {
    "prj1": {
      "version": "0.0.0",
      "integrity": "",
      "requires": {
        "minimatch": "3.0.0"
      },
      "dependencies": {}
    },
...etc

the "requires": {}, hash needs to include all the workspace packages (prj1 in this example).

@rally25rs rally25rs added cat-bug and removed triaged labels Nov 5, 2018
@rally25rs rally25rs self-assigned this Nov 5, 2018
@gdamjan
Copy link
Author

gdamjan commented Nov 5, 2018

what is cat-bug?

@rally25rs
Copy link
Contributor

@gdamjan "category - bug". It's just a tag we use to track what issues are confirmed bugs, which are feature requests, etc.

rally25rs added a commit to rally25rs/yarn that referenced this issue Nov 5, 2018
@rally25rs
added failing test for yarnpkg#6625
3d3defd
rally25rs added a commit to rally25rs/yarn that referenced this issue Nov 5, 2018
@rally25rs
fix(audit): Add workspaceAggregator dependencies to root manifest to …
fbc387b 
…be audited.

This change takes the packages that are included as part of the workspace and adds them to what is
sent to the npm audit api.

fixes yarnpkg#6625
@rally25rs rally25rs mentioned this issue Nov 5, 2018
Merged
arcanis pushed a commit that referenced this issue Nov 7, 2018
@rally25rs @arcanis
fix(audit) Report vulnerabilities in workspace package dependencies (#…
f8e42c5 
…6639)

* added failing test for #6625

* fix(audit): Add workspaceAggregator dependencies to root manifest to be audited.

This change takes the packages that are included as part of the workspace and adds them to what is
sent to the npm audit api.

fixes #6625

* update changelog for PR 6639
@karlhorky karlhorky mentioned this issue Jan 11, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rally25rs rally25rs

@imsnif imsnif

Labels
cat-bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(audit) Report vulnerabilities in workspace package dependencies rally25rs/yarn
4 participants
@rally25rs @gdamjan @imsnif @arcanis