yarn audit --groups dependencies not working #7204

Closed
rgpass opened this issue Apr 16, 2019 · 2 comments

rgpass commented Apr 16, 2019

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

$ yarn audit
Severity: 1 Moderate | 53 High

$ yarn audit --groups dependencies
Severity: 1 Moderate | 53 High

One of the 53 is:

│ high          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tslint                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tslint > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/813                         │

even though tslint is only a devDependency as seen in package.json:

{
  "devDependencies": {
    "tslint": "^5.15.0"
  }
}

I thought this was added with #6724.

If the current behavior is a bug, please provide the steps to reproduce.

See above.

What is the expected behavior?

I would expect it to ignore vulnerabilities from devDependencies.

Please mention your node.js, yarn and operating system version.

  • node: 10.15.1
  • yarn: 1.15.2
  • OS: macOS Mojave Version 10.14.2

laurilaatu commented

Hi,

If I am interpreting this changelog correctly, this feature is not included in version 1.15.2.

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md

rgpass commented Apr 18, 2019

You are correct. Good find @laurilaatu 😄

rgpass closed this as completed Apr 18, 2019
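
On a yarn version where `yarn audit --groups dependencies` returns the same findings as plain `yarn audit`, as in the report above, the filtering can be done on the machine-readable report instead. This is an added example, not code from the issue or from the yarn project; it assumes the line-delimited output of `yarn audit --json` with `auditAdvisory` events carrying `data.resolution.path`, and the `example-lib` entries are constructed sample data.

```javascript
// Added example. Assumed input shape: one JSON object per line, as emitted by
// `yarn audit --json`, where type "auditAdvisory" has data.resolution.path.

// Return the advisories whose dependency path starts at a direct dependency
// listed in one of the requested package.json groups.
function filterAuditByGroups(auditJsonLines, packageJson, groups) {
  const roots = new Set(
    groups.flatMap((group) => Object.keys(packageJson[group] || {}))
  );
  const kept = [];
  for (const line of auditJsonLines.split("\n")) {
    if (!line.trim()) continue;
    // A malformed line throws here, so a CI gate fails closed instead of passing.
    const event = JSON.parse(line);
    if (event.type !== "auditAdvisory") continue;
    const { resolution, advisory } = event.data;
    // Path looks like "tslint>js-yaml"; the first element is the direct dependency.
    const root = resolution.path.split(">")[0];
    if (roots.has(root)) {
      kept.push({
        id: resolution.id,
        module: advisory.module_name,
        severity: advisory.severity,
        path: resolution.path,
      });
    }
  }
  return kept;
}

// Constructed sample: the tslint > js-yaml finding from the issue plus a
// made-up production finding (example-lib, id 1) for contrast.
const samplePackageJson = {
  dependencies: { "example-lib": "^1.0.0" },
  devDependencies: { tslint: "^5.15.0" },
};
const sampleAudit = [
  { type: "auditAdvisory", data: { resolution: { id: 813, path: "tslint>js-yaml" },
      advisory: { module_name: "js-yaml", severity: "high" } } },
  { type: "auditAdvisory", data: { resolution: { id: 1, path: "example-lib>example-dep" },
      advisory: { module_name: "example-dep", severity: "moderate" } } },
  { type: "auditSummary", data: {} },
].map((event) => JSON.stringify(event)).join("\n");

console.log(filterAuditByGroups(sampleAudit, samplePackageJson, ["dependencies"]));
```

In practice the first argument would be the captured output of `yarn audit --json` and the second the parsed `package.json` of the project being audited.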