Yarn Transitive Dependency Overrides Not Considered #769
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
In a
yarnbased project, we have several transitive dependencies overridden in theresolutionssection of ourpackage.json. Only the version of those tranitives specified in that block are installed. Frogbot still reports vulnerabilities based on the versions in theyarn.lockfile.This might be more feature request than bug.
Current behavior
We have a project that uses
typed-scss-modules:2.0.1, which has a dependency ofpostcss:6.0.1. We also have a resolution set for transitive dependencies to usepostcss:8.4.31.When we lock dependencies with
yarn, the dependencies still show the versions according to that dependencie's own packaging. However when we install withyarn, it will install the version specified in theresolutionssection of thepackage.json.Frogbot reports the vulnerabilities in
postcss:6.0.1, despite the fact that we have a manual override and are not using that version.Reproduction steps
Given a
package.json:{ ... "devDependencies": { "typed-scss-modules": "~2.0.1", ... }, "resolutions": { "postcss": "8.4.31", .... } }Frogbot will identify a vulnerable transitive dependency of
postcss:6.0.1, despite the overridingresolutionsentry.Expected behavior
I would have expected Frogbot to take overrides into account.
JFrog Frogbot version
2.22.0
Package manager info
yarn, package.json, yarn.lock
Git provider
GitHub
JFrog Frogbot configuration yaml file
No response
Operating system type and version
Linux, ubuntu-latest on GitHub Actions
JFrog Xray version
3.105.4
The text was updated successfully, but these errors were encountered: