
yarn audit does not report vulnerabilities in a Yarn Workspace reported by npm audit and GitHub #6909

Open
karlhorky opened this issue Jan 11, 2019 · 4 comments

@karlhorky

karlhorky commented Jan 11, 2019

Do you want to request a feature or report a bug?

Bug.

What is the current behavior?

In a Yarn Workspaces package, yarn audit reports 0 vulnerabilities found in a workspace package, where npm audit reports 3 vulnerabilities (1 low, 2 high) and GitHub reports 1 low:

yarn audit:

➜  2018-08-30-react-sao-paulo-the-effect-of-react-on-web-standards git:(master) yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 44932
✨  Done in 4.83s.

npm audit:

➜  2018-08-30-react-sao-paulo-the-effect-of-react-on-web-standards git:(master) ✗ npm audit

                       === npm audit security report ===

# Run  npm install --save-dev [email protected]  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ surge [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ surge > fstream-ignore > minimatch                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ surge [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ surge > cli-table2 > lodash                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 12699 scanned packages
  1 vulnerability requires semver-major dependency updates.
  2 vulnerabilities require manual review. See the full report for details.

GitHub audit:

[screenshot taken 2019-01-11: GitHub security alert for the repository, reporting 1 low-severity vulnerability]


It seems to me to be a problem with Yarn Workspaces, because if I move the package.json out into another folder and run yarn and yarn audit, the vulnerabilities are reported.

If the current behavior is a bug, please provide the steps to reproduce.

git clone git@github.com:karlhorky/talks.git
cd talks/packages/2018-08-30-react-sao-paulo-the-effect-of-react-on-web-standards
yarn
yarn audit
npm install
npm audit

Repo: https://github.com/karlhorky/talks/

What is the expected behavior?

yarn audit reports the vulnerabilities in Yarn Workspace packages.

Please mention your node.js, yarn and operating system version.

➜ npm -v
6.5.0
➜ yarn -v
1.13.0

macOS Mojave 10.14.2 (18C54)
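One way to catch the discrepancy described above in CI is to diff the machine-readable output of both tools. The script below is an added example, not part of the issue or of Yarn; it assumes the npm 6 `npm audit --json` shape (an "advisories" map keyed by advisory id) and the yarn 1 `yarn audit --json` shape (one JSON object per line, findings on "auditAdvisory" lines), and the sample reports are constructed from the advisories shown in the issue.

```python
import json


def parse_npm_audit(text):
    """Return {(package, severity)} from npm 6 style `npm audit --json` output.
    Assumed shape: {"advisories": {"<id>": {"module_name": ..., "severity": ...}}}."""
    report = json.loads(text)
    return {(a["module_name"], a["severity"])
            for a in report.get("advisories", {}).values()}


def parse_yarn_audit(text):
    """Return {(package, severity)} from `yarn audit --json`, which emits one
    JSON object per line; only lines of type 'auditAdvisory' carry findings
    (the final 'auditSummary' line only holds counts). Shape is assumed."""
    found = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") == "auditAdvisory":
            adv = obj["data"]["advisory"]
            found.add((adv["module_name"], adv["severity"]))
    return found


def audit_gap(npm_text, yarn_text):
    """Findings present in one tool's report but absent from the other's.
    A non-empty 'missed_by_yarn' is the symptom reported in this issue."""
    npm_set, yarn_set = parse_npm_audit(npm_text), parse_yarn_audit(yarn_text)
    return {"missed_by_yarn": sorted(npm_set - yarn_set),
            "missed_by_npm": sorted(yarn_set - npm_set)}


# Constructed sample reports: npm sees the three advisories from the issue,
# yarn (in this sample) only sees the lodash one.
NPM_SAMPLE = json.dumps({"advisories": {
    "725": {"module_name": "webpack-dev-server", "severity": "high"},
    "118": {"module_name": "minimatch", "severity": "high"},
    "577": {"module_name": "lodash", "severity": "low"}}})
YARN_SAMPLE = "\n".join([
    json.dumps({"type": "auditAdvisory",
                "data": {"advisory": {"module_name": "lodash", "severity": "low"}}}),
    json.dumps({"type": "auditSummary",
                "data": {"vulnerabilities": {"low": 1, "high": 0}}}),
])

if __name__ == "__main__":
    for tool, items in audit_gap(NPM_SAMPLE, YARN_SAMPLE).items():
        print(tool, items)
```

In a real pipeline, feed the script the captured output of both commands run in the same workspace package and fail the build when "missed_by_yarn" is non-empty.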

@karlhorky (Author)

Sounds similar to #6625

cc @rally25rs

@rally25rs (Contributor)

I thought this would have been fixed by f8e42c5 but you are on a yarn version that has this change, so maybe there is a second issue 🤔

I'll try to find some time to reproduce this (unless someone else beats me to it).

@millerthegorilla

millerthegorilla commented Mar 18, 2020

Sorry to bump an old issue, but FYI, I have this problem also. Running yarn audit --verbose indicates that yarn uses a different repository for checking packages than npm does:
https://registry.yarnpkg.com/-/npm/v1/security/audits
In my case, a dependency of several node modules has a prototype vulnerability, and npm audit reports them, whilst yarn audit does not.
I am currently trying a "resolutions": { section in package.json to see if I can update that dependency independently to a new version.

@nicod-pc

nicod-pc commented Aug 4, 2023

I just have the problem with devDependencies as reported in #7047. dependencies are working in workspaces as well.
#8078 claims that devDependencies are checked with yarn install --audit but not with yarn audit.
