Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yarn audit --groups dependencies not working #7204

Closed
rgpass opened this issue Apr 16, 2019 · 2 comments
Closed

yarn audit --groups dependencies not working #7204

rgpass opened this issue Apr 16, 2019 · 2 comments

Comments

@rgpass
Copy link

rgpass commented Apr 16, 2019

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

$ yarn audit
Severity: 1 Moderate | 53 High

$ yarn audit --groups dependencies
Severity: 1 Moderate | 53 High

One of the 53 is:

│ high          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tslint                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tslint > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/813                         │

even though tslint is only a devDependency as seen in package.json:

{
  "devDependencies": {
    "tslint": "^5.15.0"
  }
}

I thought this was added with #6724.

If the current behavior is a bug, please provide the steps to reproduce.

See above.

What is the expected behavior?

I would expect it to ignore vulnerabilities from devDependencies.

Please mention your node.js, yarn and operating system version.

  • node: 10.15.1
  • yarn: 1.15.2
  • OS: macOS Mojave Version 10.14.2
@laurilaatu
Copy link

Hi,

If I am interpreting this changelog correctly, this feature is not included in version 1.15.2.

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md

@rgpass
Copy link
Author

rgpass commented Apr 18, 2019

You are correct. Good find @laurilaatu 😄

@rgpass rgpass closed this as completed Apr 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rgpass @laurilaatu