Self-service
Describe the bug
If we run audit command with these options
yarn npm audit --environment production --recursive
and in your production dependencies list you have a package (PackageA) which is not vulnerable but in the dev dependencies of PackageA there is a package (PackageB) which is vulnerable, yarn audit is reporting PackageB in the audit result even though we marked environment as production only.
I went through your audit script and found that you are applying the environment check only for top-level dependencies, while for any recursive dependencies you still run the scan. Is this expected behaviour according to yarn? I think environment production means any nested dev dependencies should also be skipped.
https://github.com/yarnpkg/berry/blob/master/packages/plugin-npm-cli/sources/npmAuditUtils.ts#L98
To reproduce
https://github.com/HemangNakarani/yarn-test-audit
Environment
Additional context
No response
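As an added illustration (not Yarn's code and not from the reporter), a constructed dependency graph walked two ways: with the environment filter applied only at the top level, as the issue describes, and with it applied at every level. All package names and the advisory set are made up.

```javascript
// Constructed dependency graph (not a real lockfile). Each entry lists the
// package's own runtime dependencies and devDependencies by name.
const graph = {
  root:        { dependencies: ['package-a'], devDependencies: ['dev-tool'] },
  'package-a': { dependencies: [],            devDependencies: ['package-b'] },
  'package-b': { dependencies: [],            devDependencies: [] },
  'dev-tool':  { dependencies: [],            devDependencies: [] },
};

// Constructed advisory data: only package-b has a known vulnerability.
const vulnerable = new Set(['package-b']);

// Which edge kinds the requested environment should follow.
function edgeKinds(environment) {
  if (environment === 'production') return ['dependencies'];
  if (environment === 'development') return ['devDependencies'];
  return ['dependencies', 'devDependencies']; // 'all'
}

// Collect the packages an audit would cover. With filterNested=false the
// environment filter is applied only to the root's edges and every edge kind
// is followed below that (the behaviour the issue describes); with
// filterNested=true the same filter is applied at every level.
function collectAudited(graph, environment, filterNested) {
  const topKinds = edgeKinds(environment);
  const nestedKinds = filterNested ? topKinds : ['dependencies', 'devDependencies'];
  const seen = new Set();
  const stack = [];
  for (const kind of topKinds) for (const name of graph.root[kind]) stack.push(name);
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const kind of nestedKinds) for (const dep of graph[name][kind]) stack.push(dep);
  }
  return seen;
}

// Intersect the audited set with the advisory data, sorted for stable output.
function reportedVulnerabilities(graph, environment, filterNested) {
  return [...collectAudited(graph, environment, filterNested)]
    .filter((name) => vulnerable.has(name))
    .sort();
}

console.log(reportedVulnerabilities(graph, 'production', false)); // prints [ 'package-b' ]
console.log(reportedVulnerabilities(graph, 'production', true));  // prints []
```

The first call shows why PackageB surfaces in a production-only audit when the filter stops at the top level; the second shows the result the reporter expected.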