Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(audit): select which dependency groups to audit #6724

Merged
merged 3 commits into from
Mar 16, 2019

Conversation

tommilligan
Copy link
Contributor

@tommilligan tommilligan commented Nov 27, 2018

Summary

Closes #6632.

Currently yarn audit shows vulnerabilities for production, development and optional dependencies. It would be useful to only audit production dependencies, or select which groups of dependencies to audit.

Test plan

master
$ yarn audit --prod
...
9 vulnerabilities found - Packages audited: 31177
Severity: 9 Low
Done in 2.24s.
this PR
$ yarn audit --groups dependencies
...
0 vulnerabilities found - Packages audited: 442
Done in 2.08s.

I look forward to hearing some feedback!

@tommilligan tommilligan changed the title audit: respect production flag in audit and install commands feat(audit): select which dependency groups to audit Nov 28, 2018
@Jalle19
Copy link

Jalle19 commented Nov 28, 2018

Looks like a pragmatic solution to me (commenting here mostly to get notified if this moves forward)

@syrnick
Copy link

syrnick commented Dec 11, 2018

Very helpful!

@Jalle19
Copy link

Jalle19 commented Jan 7, 2019

Any updates on this?

@charrondev
Copy link

charrondev commented Feb 18, 2019

Are any of the maintainers going to chime in here? Without this it is difficult to run audits in CI. My team is not going to stop the world because of a low severity DoS in our test runner for example. We do want to stop the world and fix a higher severity issue in a package shipped to production however.

@iflp
Copy link

iflp commented Mar 14, 2019

@arcanis - please take a look at this, thanks!

@arcanis
Copy link
Member

arcanis commented Mar 14, 2019

Ping @rally25rs ?

Copy link
Contributor

@rally25rs rally25rs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the long delay. Thanks for the contribution! 🎉

@rally25rs
Copy link
Contributor

rally25rs commented Mar 15, 2019

@tommilligan it looks like some of the audit unit tests now fail due to another change to audit that adds whether or not it is a dev dep. Would you mind resolving the failing tests? (or I'll see if I can push a commit to fix it...)


Edit:

Never mind, I figured out how to push a commit. Github really doesn't like to make it obvious 😆

@rally25rs rally25rs merged commit 6dbedcc into yarnpkg:master Mar 16, 2019
sarod added a commit to sarod/website-1 that referenced this pull request Mar 3, 2020
Basic doc for  yarn audit --group command introduced byhttps://github.com/yarnpkg/yarn/pull/6724
sarod added a commit to sarod/website-1 that referenced this pull request Mar 3, 2020
Basic doc for  yarn audit --groups command introduced byhttps://github.com/yarnpkg/yarn/pull/6724
Haroenv pushed a commit to yarnpkg/website that referenced this pull request Mar 3, 2020
Basic doc for  yarn audit --groups command introduced byhttps://github.com/yarnpkg/yarn/pull/6724
@OZZlE
Copy link

OZZlE commented May 24, 2021

Seems like a great idea but doesn't seem to work, it's complaining about devDepencencies anyway

I tried both yarn audit --prod and yarn audit --groups dependencies it still reports devDepencencies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add a flag to ignore devDependencies when running yarn audit
8 participants