From 3d3defd2da90300f783b7de9ff50394470ca5742 Mon Sep 17 00:00:00 2001 From: Jeff Valore Date: Mon, 5 Nov 2018 17:57:18 -0500 Subject: [PATCH 1/3] added failing test for #6625
---
 __tests__/commands/audit.js | 60 ++++++++++++++++++- .../audit/workspace/audit-api-response.json | 18 ++++++ .../fixtures/audit/workspace/package.json | 8 +++ .../workspace/packages/prj1/package.json | 8 +++ __tests__/fixtures/audit/workspace/yarn.lock | 28 +++++++++ 5 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 __tests__/fixtures/audit/workspace/audit-api-response.json create mode 100644 __tests__/fixtures/audit/workspace/package.json create mode 100644 __tests__/fixtures/audit/workspace/packages/prj1/package.json create mode 100644 __tests__/fixtures/audit/workspace/yarn.lock
diff --git a/__tests__/commands/audit.js b/__tests__/commands/audit.js
index 9ba7c8b4c4..c796527a2e 100644
--- a/__tests__/commands/audit.js
+++ b/__tests__/commands/audit.js
@@ -105,7 +105,7 @@ test('calls reporter auditAdvisory with correct data', () => {
 });
 });
 
-// *** Test temporarily removed due to inability to correctly puggest actions to the user.
+// *** Test temporarily removed due to inability to correctly suggest actions to the user.
 // test('calls reporter auditAction with correct data', () => {
 // return runAudit([], {}, 'single-vulnerable-dep-installed', (config, reporter) => {
 // const apiResponse = getAuditResponse(config);
@@ -162,3 +162,61 @@ test('calls reporter auditSummary with correct data for private package', () =>
 expect(reporter.auditSummary).toBeCalledWith(apiResponse.metadata);
 });
 });
+
+test.concurrent('sends correct dependency map to audit api for workspaces.', () => {
+ const expectedApiPost = {
+ dependencies: {
+ 'balanced-match': {
+ dependencies: {},
+ integrity: 'sha1-ibTRmasr7kneFk6gK4nORi1xt2c=',
+ requires: {},
+ version: '1.0.0',
+ },
+ 'brace-expansion': {
+ dependencies: {},
+ integrity: 'sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==',
+ requires: {
+ 'balanced-match': '^1.0.0',
+ 'concat-map': '0.0.1',
+ },
+ version: '1.1.11',
+ },
+ 'concat-map': {
+ dependencies: {},
+ integrity: 'sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=',
+ requires: {},
+ version: '0.0.1',
+ },
+ minimatch: {
+ dependencies: {},
+ integrity: 'sha1-UjYVelHk8ATBd/s8Un/33Xjw74M=',
+ requires: {
+ 'brace-expansion': '^1.0.0',
+ },
+ version: '3.0.0',
+ },
+ prj1: {
+ dependencies: {},
+ integrity: '',
+ requires: {
+ minimatch: '3.0.0',
+ },
+ version: '0.0.0',
+ },
+ },
+ install: [],
+ metadata: {},
+ name: 'yarn-test',
+ remove: [],
+ requires: {
+ prj1: '0.0.0',
+ },
+ version: '1.0.0',
+ };
+
+ return runAudit([], {}, 'workspace', async config => {
+ const calledWithPipe = config.requestManager.request.mock.calls[0][0].body;
+ const calledWith = JSON.parse(await gunzip(calledWithPipe));
+ expect(calledWith).toEqual(expectedApiPost);
+ });
+});
diff --git a/__tests__/fixtures/audit/workspace/audit-api-response.json b/__tests__/fixtures/audit/workspace/audit-api-response.json
new file mode 100644
index 0000000000..c9171e2624
--- /dev/null
+++ b/__tests__/fixtures/audit/workspace/audit-api-response.json
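Review bot: The new test is registered with `test.concurrent` while the neighbouring tests in this file use plain `test(...)` (see the `test('calls reporter auditSummary …` context just above the hunk); unless running it concurrently is intended, `test('sends correct dependency map to audit api for workspaces', () => {` keeps the file consistent and drops the trailing period from the title. The assertion only pins the `dependencies` map: the workspace fixture declares no devDependencies or optionalDependencies, so the devDependencies/optionalDependencies merge paths added in the accompanying src/cli/commands/audit.js change are not exercised here. A second workspace fixture with a dev dependency, or an extra expectation on the same request body, would cover them.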
@@ -0,0 +1,18 @@
+{
+ "actions": [],
+ "advisories": {},
+ "muted": [],
+ "metadata": {
+ "vulnerabilities": {
+ "info": 0,
+ "low": 0,
+ "moderate": 0,
+ "high": 0,
+ "critical": 0
+ },
+ "dependencies": 0,
+ "devDependencies": 0,
+ "optionalDependencies": 0,
+ "totalDependencies": 0
+ }
+}
diff --git a/__tests__/fixtures/audit/workspace/package.json b/__tests__/fixtures/audit/workspace/package.json
new file mode 100644
index 0000000000..828404e8b1
--- /dev/null
+++ b/__tests__/fixtures/audit/workspace/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "yarn-test",
+ "version": "1.0.0",
+ "main": "index.js",
+ "license": "MIT",
+ "private": true,
+ "workspaces": ["packages/*"]
+}
diff --git a/__tests__/fixtures/audit/workspace/packages/prj1/package.json b/__tests__/fixtures/audit/workspace/packages/prj1/package.json
new file mode 100644
index 0000000000..32af682e2f
--- /dev/null
+++ b/__tests__/fixtures/audit/workspace/packages/prj1/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "prj1",
+ "private": true,
+ "version": "0.0.0",
+ "dependencies": {
+ "minimatch": "3.0.0"
+ }
+}
diff --git a/__tests__/fixtures/audit/workspace/yarn.lock b/__tests__/fixtures/audit/workspace/yarn.lock
new file mode 100644
index 0000000000..5e2aa34974
--- /dev/null
+++ b/__tests__/fixtures/audit/workspace/yarn.lock
@@ -0,0 +1,28 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + +balanced-match@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767" + integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c= + +brace-expansion@^1.0.0: + version "1.1.11" + resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd" + integrity sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA== + dependencies: + balanced-match "^1.0.0" + concat-map "0.0.1" + +concat-map@0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b" + integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s= + +minimatch@3.0.0: + version "3.0.0" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.0.tgz#5236157a51e4f004c177fb3c527ff7dd78f0ef83" + integrity sha1-UjYVelHk8ATBd/s8Un/33Xjw74M= + dependencies: + brace-expansion "^1.0.0" From fbc387ba62de7f74577489762284f2f43a49217e Mon Sep 17 00:00:00 2001 From: Jeff Valore Date: Mon, 5 Nov 2018 18:19:42 -0500 Subject: [PATCH 2/3] fix(audit): Add workspaceAggregator dependencies to root manifest to be audited. This change takes the packages that are included as part of the workspace and adds them to what is sent to the npm audit api. fixes #6625 --- src/cli/commands/audit.js | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/cli/commands/audit.js b/src/cli/commands/audit.js index 4505976f28..14c20d4a1f 100644 --- a/src/cli/commands/audit.js +++ b/src/cli/commands/audit.js 
@@ -229,12 +229,27 @@ export default class Audit {
 return responseJson;
 }
 
+ _insertWorkspacePackagesIntoManifest(manifest: Object, resolver: PackageResolver) {
+ if (resolver.workspaceLayout) {
+ const workspaceAggregatorName = resolver.workspaceLayout.virtualManifestName;
+ const workspaceManifest = resolver.workspaceLayout.workspaces[workspaceAggregatorName].manifest;
+
+ manifest.dependencies = Object.assign(manifest.dependencies || {}, workspaceManifest.dependencies);
+ manifest.devDependencies = Object.assign(manifest.devDependencies || {}, workspaceManifest.devDependencies);
+ manifest.optionalDependencies = Object.assign(
+ manifest.optionalDependencies || {},
+ workspaceManifest.optionalDependencies,
+ );
+ }
+ }
+
 async performAudit(
 manifest: Object,
 resolver: PackageResolver,
 linker: PackageLinker,
 patterns: Array,
 ): Promise {
+ this._insertWorkspacePackagesIntoManifest(manifest, resolver);
 const hoistedTrees = await hoistedTreeBuilder(resolver, linker, patterns);
 const auditTree = this._mapHoistedTreesToAuditTree(manifest, hoistedTrees);
 this.auditData = await this._fetchAudit(auditTree);
From 5b6cedf1ad5a6b50ed030e7cfe64959aac113754 Mon Sep 17 00:00:00 2001 From: Jeff Valore Date: Mon, 5 Nov 2018 18:27:20 -0500 Subject: [PATCH 3/3] update changelog for PR 6639
---
 CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5d3561550d..9276056c4f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
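Review bot: `_insertWorkspacePackagesIntoManifest` mutates the caller's `manifest` in place, and because `Object.assign(manifest.dependencies || {}, workspaceManifest.dependencies)` lets the source win, an aggregator entry silently overwrites any root dependency that shares its name; neither the in-place merge nor that precedence is documented. A header comment on the method would make the contract explicit, e.g. `// Merges the workspace aggregator's dependency maps into the root manifest in place so that workspace packages are part of the tree sent to the audit API; aggregator entries take precedence on name collisions.` The lookup `resolver.workspaceLayout.workspaces[workspaceAggregatorName].manifest` throws a TypeError if no entry exists under the virtual manifest name; if that is guaranteed by how the layout is built, a one-line comment saying so would help, otherwise a guard such as `const aggregator = resolver.workspaceLayout.workspaces[workspaceAggregatorName]; if (!aggregator) return;` is warranted. performAudit's body continues outside the hunk.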
@@ -6,6 +6,10 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal. +- Fixes an issue with `yarn audit` when using workspaces + + [#6625](https://github.com/yarnpkg/yarn/pull/6639) - [**Jeff Valore**](https://twitter.com/codingwithspike) + - Uses `NODE_OPTIONS` to instruct Node to load the PnP hook, instead of raw CLI arguments **Caveat:** This change might cause issues for PnP users having a space inside their cwd (cf [nodejs/node#24065](https://github.com/nodejs/node/pull/24065)) @@ -27,7 +31,7 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa - Fixes an issue with how symlinks are setup into the cache on Windows [#6621](https://github.com/yarnpkg/yarn/pull/6621) - [**Yoad Snapir**](https://github.com/yoadsn) - + - Upgrades `inquirer`, fixing `upgrade-interactive` for users using both Node 10 and Windows [#6635](https://github.com/yarnpkg/yarn/pull/6635) - [**Philipp Feigl**](https://github.com/pfeigl)