[Bug?]: "yarn npm audit --environment production --recursive" is reporting nested dev dependencies #6222
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Self-service
Describe the bug
If we run audit command with these options
yarn npm audit --environment production --recursiveand in your production dependencies list you have a package (PackageA) which is not vulnerable but in the dev dependencies of PackageA there is a package (PackageB) which is vulnerable, yarn audit is reporting PackageB in the audit result even though we marked environment as production only.
I went through your audit script and found that you are applying the environment check only for top level dependencies while any recursive dependencies you do run the scan. Is this expected behaviour according to yarn, as I think environment production means any nested dev dependencies should also be skipped.
https://github.com/yarnpkg/berry/blob/master/packages/plugin-npm-cli/sources/npmAuditUtils.ts#L98
To reproduce
https://github.com/HemangNakarani/yarn-test-audit
Environment
System: OS: macOS 13.5.2 CPU: (12) arm64 Apple M2 Max Binaries: Node: 18.18.2 - /private/var/folders/km/ktrm8yg9523_flkm6fg725j00000gq/T/xfs-cf4b8b69/node Yarn: 4.1.1 - /private/var/folders/km/ktrm8yg9523_flkm6fg725j00000gq/T/xfs-cf4b8b69/yarn npm: 9.8.1 - ~/.nvm/versions/node/v18.18.2/bin/npm npmPackages: jest: 26.6.3 => 26.6.3Additional context
No response
The text was updated successfully, but these errors were encountered: