Yarn: Add a flag to ignore devDependencies when running yarn audit

Created on 5 Nov 2018 · 7 comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

Feature

What is the current behavior?

When running yarn audit, dev dependencies are included in the check.

If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?

Add a flag to ignore dev dependencies when running the audit. This has also been reported on https://github.com/npm/npm/issues/20564.

Perhaps the --production flag could be used for this?

Please mention your node.js, yarn and operating system version.

Mac: 10.14 (18A391)
Node: v8.11.3
Yarn: 1.12.1

Labels: cat-feature

All 7 comments

As mentioned in the npm issue, using the --production flag would be a backwards incompatible change for yarn install - it would hide vulnerabilities that currently error during install.

I've submitted a PR that adds a --groups flag to yarn audit, with the currently scanned groups being the default option. If someone has a better idea for an API I'm happy to implement it.

> When running yarn audit, dev dependencies are included in the check.

I'm incredibly confused by this—when I was testing differences between yarn audit and npm audit, this was the only major difference I saw. npm checked devDependencies, whereas yarn does NOT. I checked and there are transitive dev dependencies in my example project with vulnerabilities that only npm finds, not yarn.

@wavebeem the same happened to me. Yarn by default is only detecting vulnerabilities on the dependencies and not devDependencies. Did you find a way to detect it on both?

@wavebeem It seems that using workspaces it only audits the dependencies and not devDependencies

I did not find a way to change the behavior. We switched back to npm at work anyway.

We're also seeing yarn audit pick up a security vulnerability in a 5 levels deep dependency of a devDependency, so it seems to do this at least under some circumstances.

@robertlagrant it seems that if you have a single workspace project it audits all the dependencies but if it's a multi workspaces project it doesn't audit the dev dependencies. I opened an issue for that: https://github.com/yarnpkg/yarn/issues/7047
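Because the thread shows that which dependency groups yarn audit covers is not obvious (and differs between single- and multi-workspace projects), it is worth checking the audit output itself. The following is an added example, not code from the thread or from the yarn project: it reads `yarn audit --json` output (newline-delimited JSON) and splits advisories by whether the vulnerable path was reached through a devDependency. The `resolution.dev` and `advisory.severity` field names, and the sample records, are assumptions constructed for this example.

```python
import json
from collections import Counter

# Constructed sample of `yarn audit --json` output (one JSON object per line).
# The field layout is an assumption for this example, not taken from the thread.
SAMPLE_AUDIT_JSON = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1, "path": "app>lib-a>lib-b", "dev": False},
        "advisory": {"module_name": "lib-b", "severity": "high"}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 2, "path": "app>test-tool>lib-c", "dev": True},
        "advisory": {"module_name": "lib-c", "severity": "moderate"}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 2, "path": "app>lib-d>lib-c", "dev": False},
        "advisory": {"module_name": "lib-c", "severity": "moderate"}}}),
    json.dumps({"type": "auditSummary",
                "data": {"vulnerabilities": {"moderate": 2, "high": 1}}}),
])

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def split_advisories(audit_json: str) -> dict:
    """Count advisories per severity, split into production and dev paths.

    Each affected path counts once, so one advisory reachable through both a
    production and a dev path appears in both groups (as in the sample above).
    """
    groups = {"dependencies": Counter(), "devDependencies": Counter()}
    for line in audit_json.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("type") != "auditAdvisory":
            continue  # skip the trailing auditSummary and any other record types
        data = record["data"]
        group = "devDependencies" if data["resolution"].get("dev") else "dependencies"
        groups[group][data["advisory"]["severity"]] += 1
    return groups


def production_failures(audit_json: str, threshold: str = "high") -> int:
    """Number of advisories at or above `threshold` on production paths only."""
    counts = split_advisories(audit_json)["dependencies"]
    floor = SEVERITY_ORDER.index(threshold)
    return sum(n for sev, n in counts.items() if SEVERITY_ORDER.index(sev) >= floor)


if __name__ == "__main__":
    print(split_advisories(SAMPLE_AUDIT_JSON))
```

On a real project, capture `yarn audit --json > audit.ndjson` and pass the file contents to `split_advisories`; an empty `devDependencies` counter on a project with known vulnerable dev tooling is the symptom the thread describes.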
