feat(audit): select which dependency groups to audit #6724
Conversation
58f9d6b to 8e999f9
8e999f9 to 0a2199d
Looks like a pragmatic solution to me (commenting here mostly to get notified if this moves forward)
Very helpful!
Any updates on this?
Are any of the maintainers going to chime in here? Without this it is difficult to run audits in CI. My team is not going to stop the world because of a low severity DoS in our test runner, for example. We do want to stop the world and fix a higher severity issue in a package shipped to production, however.
@arcanis - please take a look at this, thanks!
Ping @rally25rs ?
Sorry for the long delay. Thanks for the contribution! 🎉
@tommilligan it looks like some of the audit unit tests now fail due to another change to audit that adds whether or not it is a dev dep. Would you mind resolving the failing tests? (or I'll see if I can push a commit to fix it...) Edit: Never mind, I figured out how to push a commit. GitHub really doesn't like to make it obvious 😆
Basic doc for yarn audit --group command introduced by https://github.com/yarnpkg/yarn/pull/6724
Basic doc for yarn audit --groups command introduced by https://github.com/yarnpkg/yarn/pull/6724
Seems like a great idea but doesn't seem to work, it's complaining about devDependencies anyway. I tried both.
Summary

Closes #6632.

Currently yarn audit shows vulnerabilities for production, development and optional dependencies. It would be useful to only audit production dependencies, or select which groups of dependencies to audit.

Test plan

master

this PR

I look forward to hearing some feedback!