yarn-audit-html
Fails to generate report with Yarn 2
Yarn version: 2.4.2
Command:
yarn audit --json --environment production | yarn dlx yarn-audit-html --output audit/yarn-audit.html
Error:
package.json
{
"name": "app",
"version": "0.0.1",
"description": "app",
"scripts": {
"start": "webpack serve --progress --env development"
},
"jest-junit": {
"outputDirectory": "reports/test",
"outputName": "junit.xml"
},
"moduleRoots": [
"src"
],
"license": "UNLICENSED",
"engines": {
"node": ">=14.5.0"
},
"devDependencies": {
"@babel/core": "^7.11.6",
"@babel/eslint-parser": "^7.11.5",
"@babel/plugin-proposal-export-default-from": "^7.12.13",
"@babel/preset-env": "^7.14.2",
"@babel/preset-react": "^7.13.13",
"@commitlint/cli": "^12.1.4",
"@commitlint/config-conventional": "^12.1.4",
"@types/react": "^16.9.19",
"azure-storage": "^2.10.3",
"babel-jest": "^26.1.0",
"babel-loader": "^8.2.2",
"babel-plugin-transform-react-remove-prop-types": "^0.4.24",
"concurrently": "^6.2.0",
"copy-webpack-plugin": "^9.0.0",
"css-loader": "^5.2.6",
"cssnano": "^5.0.4",
"dotenv": "^10.0.0",
"enzyme": "^3.11.0",
"enzyme-adapter-react-16": "^1.15.6",
"enzyme-to-json": "^3.6.2",
"eslint": "^7.27.0",
"eslint-config-airbnb": "^18.2.1",
"eslint-import-resolver-webpack": "^0.13.1",
"eslint-plugin-compat": "^3.9.0",
"eslint-plugin-graphql": "^4.0.0",
"eslint-plugin-import": "^2.23.3",
"eslint-plugin-jest": "^24.3.6",
"eslint-plugin-json": "^3.0.0",
"eslint-plugin-jsx-a11y": "^6.4.1",
"eslint-plugin-react": "^7.23.2",
"eslint-plugin-react-hooks": "^4.2.0",
"eslint-plugin-unicorn": "^33.0.1",
"html-webpack-plugin": "^5.3.1",
"husky": "^6.0.0",
"identity-obj-proxy": "^3.0.0",
"jest": "^27.0.4",
"jest-junit": "^12.1.0",
"jest-localstorage-mock": "^2.4.13",
"jest-transform-graphql": "^2.1.0",
"mini-css-extract-plugin": "^1.6.0",
"npmlog": "^4.1.2",
"postcss": "^8.3.0",
"postcss-import": "^14.0.2",
"postcss-loader": "^6.1.0",
"postcss-preset-env": "^6.7.0",
"style-loader": "^2.0.0",
"stylelint": "^13.13.1",
"stylelint-config-css-modules": "^2.2.0",
"stylelint-config-standard": "^22.0.0",
"stylelint-no-unsupported-browser-features": "^5.0.1",
"terser-webpack-plugin": "^5.1.3",
"webpack": "^5.38.1",
"webpack-cli": "^4.7.0",
"webpack-deadcode-plugin": "^0.1.14",
"webpack-dev-server": "^4.0.0-beta.3",
"webpack-dotenv-plugin": "^2.1.0",
"yarn-deduplicate": "^3.1.0"
},
"dependencies": {
"@apollo/client": "^3.3.20",
"axios": "^0.21.1",
"classnames": "^2.2.6",
"core-js": "^3.13.0",
"coveralls": "^3.0.6",
"graphql": "^15.5.0",
"graphql-tag": "^2.10.3",
"history": "^4.10.1",
"minicat": "^1.0.0",
"moment": "^2.24.0",
"prop-types": "^15.7.2",
"qs": "^6.7.0",
"ramda": "^0.27.1",
"react": "^16.14.0",
"react-dom": "^16.14.0",
"react-redux": "^7.1.3",
"react-router-dom": "^5.2.0",
"redux": "^4.0.5",
"redux-form": "^8.3.0",
"redux-thunk": "^2.3.0",
"url-regex": "^5.0.0",
"uuid": "^8.3.2",
"validator": "^13.6.0"
},
"resolutions": {
"typescript": "*",
"react-with-direction": "*",
"@babel/runtime": "*"
}
}
Thanks @balovbohdan for the report. Can you please provide your package.json and yarn.lock files? Remove anything that is sensitive — I am only interested in the dependency sections.
Added package.json to the issue description. So, what about yarn.lock? It is rather long. Maybe it is possible to generate it from the package.json I attached?
@balovbohdan it is possible, but it will not be your lock file; the issue may or may not reproduce with it.
@balovbohdan I just noticed that you are using Yarn v2. It is not supported yet by this package. I am planning to work on it soon, though. I will keep your issue open and report back to you when it is done ;)
I see. Thanks.
If there is not much difference for you for now, then you can switch to v1 with `yarn set version latest`. ;)
I'm also working on a migration task from yarn v1 to yarn v2, so this is not a big blocker ATM. But there are some useful features in yarn v2, and it would be great to have access to them 😃
Understandable. OK, sure. I will get back to you soonish (technically it should not be difficult to support; it's just my own time-management issue. Will do my best to fix it ASAP) ;)
Cool. Thanks a lot.
The function below should do the trick. It seems the new `yarn npm audit` output is on one line for the example I have, and there is a new way to access the same report information.
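/**
 * Normalises a Yarn 2 (`yarn npm audit --json`) advisory document into the
 * flat vulnerability list the report renderer expects.
 *
 * The input is the parsed JSON object. Its `advisories` map is keyed by
 * advisory id; each advisory lists the affected `findings`, and each finding
 * carries the installed `version` and the dependency `paths` it was reached by.
 *
 * One output record is produced per `<module_name>@<version>.<cwe>` key.
 * Findings or advisories that collapse onto the same key are merged: their
 * `paths` are concatenated and de-duplicated (first occurrence wins for every
 * other field) instead of the later ones being silently dropped. The input
 * document is never mutated, so it can still be used by other decoders.
 *
 * @param {object} auditAdvisory - parsed `yarn npm audit --json` output; a
 *   missing or empty `advisories` map yields an empty list.
 * @returns {Array<object>} vulnerability records, each a shallow copy of its
 *   advisory plus `key`, `version` and a de-duplicated `paths` array.
 */
const parseAdvisoryYarn2 = (auditAdvisory) => {
  const advisories = (auditAdvisory && auditAdvisory.advisories) || {};
  // A Map keeps insertion order (same as the object-based original) and
  // cannot collide with inherited keys of a plain `{}`.
  const vulnerabilities = new Map();

  for (const advisory of Object.values(advisories)) {
    const findings = (advisory && advisory.findings) || [];
    for (const finding of findings) {
      const { version } = finding;
      const key = `${advisory.module_name}@${version}.${advisory.cwe}`;
      const paths = finding.paths || [];
      const existing = vulnerabilities.get(key);
      if (existing) {
        // Same module/version/CWE reached again: keep every path, not just
        // the first finding's.
        existing.paths.push(...paths);
      } else {
        // Shallow copy so neither the advisory nor its paths array in the
        // caller's document is modified.
        vulnerabilities.set(key, { ...advisory, key, version, paths: [...paths] });
      }
    }
  }

  // NOTE(review): every field here is copied verbatim from the audit JSON
  // (registry-supplied text); the HTML renderer must escape it on output.
  return [...vulnerabilities.values()].map((vulnerability) => ({
    ...vulnerability,
    paths: [...new Set(vulnerability.paths)],
  }));
};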
I added a likely faulty `else if (...)` statement in index.js:
else if (lines.length === 1 && lines[0].trim().replace(/\s/g, '') !== '') {
const tick = lines.toJSON();
const newVulnerabilities = parseAdvisoryYarn2(tick);
newVulnerabilities.forEach((newVulnerability) => {
const key = newVulnerability.key;
if (!vulnerabilities.has(key)) {
vulnerabilities.set(key, newVulnerability);
}
});
summary = tick.metadata;
}
Example report
It would be best to parse the file contents first and inspect the resulting object to determine which decoder to use, for backwards compatibility, I believe — but I have a very limited example to go from.
Thanks @briggsge. As per your suggestion, I am planning to release (soon) support for all stable yarn versions. So kudos to you 🙃
The newly released version 6.1.0 already supports yarn v1+.