New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correctly label packages as dev-only in yarn audit #6910
Conversation
…be marked as dev-only
|
@arcanis Was it a deliberate design decision that If it was deliberate decision, is there any context that would help me understand the reasoning behind it? If not, would you accept a PR that computed the dev-onlyness of the tree at install time and stored that information in the lockfile? The approach I took in this PR works okay, but it feels a little intrusive. I get the impression that yarn wants to treat packages symmetrically irrespective of whether they're dev-only or prod, but sometimes that information ends up being relevant to the human operator, I think this feature (and others) might be implemented more cleanly if we just stored that info in the lockfile. |
Packages aren't marked as dev or not dev because the lockfile only contains the information needed for the tree to be resolved, regardless of the environment (which also is the reason why, when the lockfile isn't present, dev dependencies still have to be resolved even when using |
Okay, that's fair. Any thoughts on this patch? |
@arcanis Bump |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would refrain from merging this PR. While I understand the user story, the current implementation complexifies package-hoister
which already is too complex for my taste. The maintenance cost is simply too high for the value provided.
@arcanis I agree that the implementation is pretty hairy. I built it into the hoister because I felt that that was the best place for it, semantically speaking, but it was hard to shoehorn the relevant functionality into the existing interfaces. I can see an alternative implementation that doesn't implicate the hoister. It's possible to determine which packages are strictly dev-only given just the lockfile and a list of top-level prod dependencies (with a fairly simple graph algorithm). Would you consider a patch in which I implemented the relevant algorithm in a separate file? |
Summary
yarn audit
currently does not distinguish packages that are depended on only in dev versus packages that are depended on in prod (in particular it doesn't send adev
key in the payload for the registry audit API endpoint).Because of this, the registry endpoint implicitly assumes that every package is depended on in prod, and yields
dev: false
for every finding of every advisory it uncovers, even if that instance of the package is only a (transitive) dev dependency.yarn audit --json
basically echos the response verbatim, hence those findings are incorrectly labelled as affecting production in the output.In order to fix this, I introduced some plumbing to PackageHoister, PackageLinker, and
buildTree
fromhoisted-tree-builder.js
to allow hoisted dependencies to be annotated as being depended upon only by dev packages. By sending this information as part of the audit payload, we get the correct result from the registry API for free.The plumbing I introduced would probably be useful in other commands, e.g.
yarn find
doesn't seem to distinguish dev and prod dependencies (and I would argue that it would be useful if it did). Moreover, it might also be useful to include the dev-vs.-prod status of an advisory in the human-readable output ofyarn audit
(whereas my PR adds it only to--json
). I didn't go down those rabbit holes in the interest of keeping this PR focused.Test plan
Running
yarn audit --json
and trimming out the noise:1.13.0
My PR
In the first case, the second advisory's findings are incorrectly labelled as affecting production; my PR demonstrates the correct behavior.