[Bug?]: yarn npm audit mismatches a dependency version #5408
Labels
bug
Something isn't working
Comments
joostvdwsd
pushed a commit
to joostvdwsd/yarn-berry
that referenced
this issue
Apr 25, 2023
3 tasks
3 tasks
arcanis
added a commit
that referenced
this issue
Jun 16, 2023
**What's the problem this PR addresses?** The current audit implementation uses the older `/audit/quick` endpoint, which has various problems. One particular is that its design requires to submit a nested payload, but since it doesn't make much sense in our case (because most of Yarn installs are flat), we flatten the package list. It causes problems when multiple packages with different versions can be found in the tree. Fixes #3861 Fixes #4117 Fixes #5408 Closes #5409 (Supercedes it) --- Edit by @merceyz Fixes #5450 Fixes #2507 Fixes #3778 Fixes #3945 Closes #5309 (Doesn't have a reproduction so I'm assuming it's the same as the others) --- **How did you fix it?** This change rewrites `yarn npm audit` to use the new endpoint. As part of the migration a couple of fields are reworked (`Via` is replaced by `Dependents`, the versions are now part of a tree item rather than concatenated, we don't get the "recommendation" anymore). The options remain the same for now. It's possible that some registries don't support the bulk endpoint. Given that it's fairly straightforward to implement, that it's been released for some time now, and that without it we would end up with an invalid `audit` implementation, I'd tend to let them deal with that. **Checklist** <!--- Don't worry if you miss something, chores are automatically tested. --> <!--- This checklist exists to help you remember doing the chores when you submit a PR. --> <!--- Put an `x` in all the boxes that apply. --> - [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing). <!-- See https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released for more details. --> <!-- Check with `yarn version check` and fix with `yarn version check -i` --> - [x] I have set the packages that need to be released for my changes to be effective. <!-- The "Testing chores" workflow validates that your PR follows our guidelines. --> <!-- If it doesn't pass, click on it to see details as to what your PR might be missing. --> - [x] I will check that all automated PR checks pass before the PR gets reviewed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Self-service
Describe the bug
Scenario:
Expected results
Actual real life results:
Tried to attach a sherlock but the vm was crashing. Included a repoducable package.json
To reproduce
{
"name": "yarnissue",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
"patch-package": "6.5.1",
"yaml": "2.2.2"
},
"packageManager": "yarn@3.5.0"
}
yarn
yarn why yaml
yarn npm audit
Environment
System: OS: macOS 12.6.1 CPU: (10) arm64 Apple M1 Pro Binaries: Node: 14.21.1 - /private/var/folders/v2/8k7t9jzj0ts0w2l2n72v2g6nc928z9/T/xfs-34fccac8/node Yarn: 3.5.0 - /private/var/folders/v2/8k7t9jzj0ts0w2l2n72v2g6nc928z9/T/xfs-34fccac8/yarn npm: 6.14.18 - ~/.nvm/versions/node/v14.21.1/bin/npmAdditional context
No response
The text was updated successfully, but these errors were encountered: