[Bug?]: yarn npm audit [prod env] shows indirect devDependency when direct dependency is present
Self-service
- [ ] I'd be willing to implement a fix
Describe the bug
npm audit --environment production is showing me audit issues where there are devDependencies that include a package that I directly include in dependencies.
I don't expect devDependencies to be included when --environment production is set.
Worked example with axios:
yarn why axios
├─ @datadog/datadog-ci@npm:2.23.0
│  └─ axios@npm:0.21.4 (via npm:0.21.4)
│
└─ local@workspace:.
   └─ axios@npm:1.6.1 (via npm:^1.6.1)
Will give me
yarn npm audit --environment production
└─ axios: 0.21.4
   ├─ ID: 1094762
   ├─ Issue: Axios Cross-Site Request Forgery Vulnerability
   ├─ URL: https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
   ├─ Severity: moderate
   ├─ Vulnerable Versions: >=0.8.1 <1.6.0
   ├─ Patched Versions: >=1.6.0
   ├─ Via: axios
   └─ Recommendation: Upgrade to version 1.6.0 or later
If I remove the axios from dependencies, then the audit passes.
To reproduce
Add a dependency and then devDependency which itself depends on the first item.
"dependencies": {
  "axios": "^1.6.1"
},
"devDependencies": {
  "@datadog/datadog-ci": "^2.23.0"
}
Environment
System:
  OS: Windows 10 10.0.19045
  CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
Binaries:
  Node: 18.13.0 - ~\AppData\Local\Temp\xfs-adb536b2\node.CMD
  Yarn: 3.6.4 - ~\AppData\Local\Temp\xfs-adb536b2\yarn.CMD
  npm: 8.19.3 - C:\Program Files\nodejs\npm.CMD
Additional context
No response
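As an added example, not part of this issue and not Yarn's own code: a small Node script that models the dependency graph from the `yarn why axios` output above and applies the rule the reporter expects, namely that `--environment production` should only consider packages reachable from `dependencies`. The lockfile shape, the advisory object and the minimal range matcher are assumptions made for illustration; Yarn's real resolver and the yarn.lock format are not reproduced.

```javascript
// Descriptor -> resolved locator plus that package's own dependency descriptors.
// Constructed from the `yarn why axios` output in the issue; a real yarn.lock
// would be parsed into this same shape (assumed structure, not Yarn's own).
const lockfile = {
  "axios@npm:^1.6.1": { locator: "axios@npm:1.6.1", dependencies: {} },
  "axios@npm:0.21.4": { locator: "axios@npm:0.21.4", dependencies: {} },
  "@datadog/datadog-ci@npm:^2.23.0": {
    locator: "@datadog/datadog-ci@npm:2.23.0",
    dependencies: { axios: "npm:0.21.4" },
  },
};

// The workspace manifest from the "To reproduce" section.
const manifest = {
  dependencies: { axios: "npm:^1.6.1" },
  devDependencies: { "@datadog/datadog-ci": "npm:^2.23.0" },
};

// Advisory data copied from the audit output in the issue.
const advisories = [
  { id: 1094762, package: "axios", vulnerable: ">=0.8.1 <1.6.0",
    url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" },
];

// "name@npm:version" -> { name, version }; handles scoped names.
function parseLocator(locator) {
  const m = /^(@?[^@]+)@npm:(.+)$/.exec(locator);
  if (!m) throw new Error(`unsupported locator: ${locator}`);
  return { name: m[1], version: m[2] };
}

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range grammar: comparator sets joined by "||"; within a set, space-separated
// comparators (>=, >, <=, <, =) are ANDed. Enough for GitHub advisory ranges.
function satisfies(version, range) {
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case ">": return c > 0;
        case "<=": return c <= 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    })
  );
}

// Walk the graph from the workspace root. With production=true only
// "dependencies" seed the walk, so dev-only subtrees never enter the set.
function reachableLocators(manifest, lockfile, { production }) {
  const seeds = production
    ? manifest.dependencies
    : { ...manifest.dependencies, ...manifest.devDependencies };
  const seen = new Set();
  const stack = Object.entries(seeds).map(([name, range]) => `${name}@${range}`);
  while (stack.length) {
    const entry = lockfile[stack.pop()];
    if (!entry || seen.has(entry.locator)) continue;
    seen.add(entry.locator);
    for (const [name, range] of Object.entries(entry.dependencies))
      stack.push(`${name}@${range}`);
  }
  return seen;
}

// Report an advisory once per vulnerable locator that is actually reachable.
function auditReachable(manifest, lockfile, advisories, { production }) {
  const locators = [...reachableLocators(manifest, lockfile, { production })];
  const findings = [];
  for (const adv of advisories)
    for (const locator of locators) {
      const { name, version } = parseLocator(locator);
      if (name === adv.package && satisfies(version, adv.vulnerable))
        findings.push({ id: adv.id, locator, url: adv.url });
    }
  return findings;
}

console.log(auditReachable(manifest, lockfile, advisories, { production: true }));
console.log(auditReachable(manifest, lockfile, advisories, { production: false }));
```

With `production: true` only `axios@npm:1.6.1` is reachable and the advisory produces no finding; with `production: false` the walk enters `@datadog/datadog-ci`, reaches `axios@npm:0.21.4`, and the finding appears. The reachability set, not the mere presence of a vulnerable locator in the lockfile, is what decides whether the advisory applies to the production install.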
I don't follow - you have axios in your dependencies, why shouldn't --environment production report it?
> I don't follow - you have `axios` in your `dependencies`, why shouldn't `--environment production` report it?
Because the version in the direct dependencies is a valid patched version, and that's what will be deployed to production. The devDependencies that indirectly include the older axios version should be ignored, no?
Oh, I see, thanks for explaining! Yes indeed, it seems to be a legit bug.
Is there any update on this?