
[Bug?]: "yarn npm audit --environment production --recursive" is reporting nested dev dependencies

Open hetpatel33 opened this issue 1 year ago • 4 comments

Self-service

  • [ ] I'd be willing to implement a fix

Describe the bug

If we run the audit command with these options

yarn npm audit --environment production --recursive

and in your production dependencies list you have a package (PackageA) which is not vulnerable, but in the dev dependencies of PackageA there is a package (PackageB) which is vulnerable, yarn audit is reporting PackageB in the audit result even though we marked the environment as production only.

I went through your audit script and found that you are applying the environment check only for top-level dependencies, while for any recursive dependencies you do run the scan. Is this expected behaviour according to yarn? I think environment production means any nested dev dependencies should also be skipped.

https://github.com/yarnpkg/berry/blob/master/packages/plugin-npm-cli/sources/npmAuditUtils.ts#L98

To reproduce

https://github.com/HemangNakarani/yarn-test-audit

Environment

System:
    OS: macOS 13.5.2
    CPU: (12) arm64 Apple M2 Max
  Binaries:
    Node: 18.18.2 - /private/var/folders/km/ktrm8yg9523_flkm6fg725j00000gq/T/xfs-cf4b8b69/node
    Yarn: 4.1.1 - /private/var/folders/km/ktrm8yg9523_flkm6fg725j00000gq/T/xfs-cf4b8b69/yarn
    npm: 9.8.1 - ~/.nvm/versions/node/v18.18.2/bin/npm
  npmPackages:
    jest: 26.6.3 => 26.6.3

Additional context

No response

hetpatel33 avatar Apr 12 '24 04:04 hetpatel33

@arcanis can you please help with this?

hetpatel33 avatar Apr 15 '24 06:04 hetpatel33

I'm facing the same issue in our project, which uses yarn workspaces. If one workspace package depends through dependencies on another workspace package, then some of its transitive development dependencies get falsely reported by yarn npm audit --recursive --environment production --severity high, even though this uses the --environment production option.

The workaround we did was to move workspace packages from dependencies to devDependencies (which is technically not correct, but it works).

Another possible workaround is to move the problematic reported devDependencies from the workspace package's package.json to the project root package.json.

jpikl-prgs avatar Jan 17 '25 10:01 jpikl-prgs
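The following is an added example, not Yarn's own code and not part of this issue thread. It is a toy model of a recursive audit walk that shows the behaviour described in the issue body (the --environment filter applied only to the top-level manifest, so PackageA's devDependencies still pull in PackageB) next to the behaviour the reporter expects (the same filter applied at every level), and it also shows why the workaround in the comment above (moving the package from dependencies to devDependencies at the root) hides the report. All package names, manifests and the advisory set are constructed; whether a nested manifest's devDependencies are installed at all in a real project (workspace packages versus published packages) is outside the model.

```typescript
// Added example, not Yarn's code: a toy model of `yarn npm audit --recursive`
// that contrasts applying the --environment filter only at the top level with
// applying it at every level of the dependency tree.

type Environment = "all" | "production" | "development";

interface Manifest {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

type Registry = Record<string, Manifest>;

// Constructed manifests (hypothetical package names). "root" is the project;
// package-a is a production dependency whose own devDependencies pull in package-b.
const REGISTRY: Registry = {
  "root":      { dependencies: { "package-a": "1.0.0" }, devDependencies: { "dev-tool": "2.0.0" } },
  "package-a": { devDependencies: { "package-b": "0.1.0" } },
  "package-b": {},
  "dev-tool":  { dependencies: { "package-b": "0.1.0" } },
};

// The same project after the workaround from the comments: package-a is moved
// from dependencies to devDependencies at the root.
const WORKAROUND_REGISTRY: Registry = {
  ...REGISTRY,
  "root": { devDependencies: { "package-a": "1.0.0", "dev-tool": "2.0.0" } },
};

// Constructed advisory set: only package-b has a known vulnerability.
const VULNERABLE = new Set<string>(["package-b"]);

// Manifest fields that are in scope for a given --environment value.
function fieldsFor(env: Environment): Array<keyof Manifest> {
  if (env === "production") return ["dependencies"];
  if (env === "development") return ["devDependencies"];
  return ["dependencies", "devDependencies"];
}

function directDeps(manifest: Manifest, fields: Array<keyof Manifest>): string[] {
  const names: string[] = [];
  for (const field of fields) {
    names.push(...Object.keys(manifest[field] ?? {}));
  }
  return names;
}

// Walk the tree from "root". With filterNested=false the environment filter is
// applied to the root manifest only and every deeper manifest contributes both
// dependencies and devDependencies (the behaviour the issue reports). With
// filterNested=true the same filter is applied at every level.
function collectDependencies(registry: Registry, env: Environment, filterNested: boolean): Set<string> {
  const rootFields = fieldsFor(env);
  const nestedFields = filterNested ? rootFields : fieldsFor("all");
  const seen = new Set<string>();
  const stack = directDeps(registry["root"] ?? {}, rootFields);
  while (stack.length > 0) {
    const name = stack.pop();
    if (name === undefined || seen.has(name)) continue;
    seen.add(name);
    stack.push(...directDeps(registry[name] ?? {}, nestedFields));
  }
  return seen;
}

// The audit report: vulnerable packages among everything the walk collected,
// sorted so the output is stable.
function auditReport(registry: Registry, env: Environment, filterNested: boolean): string[] {
  return Array.from(collectDependencies(registry, env, filterNested))
    .filter((name) => VULNERABLE.has(name))
    .sort();
}

console.log("top-level filter, production:", auditReport(REGISTRY, "production", false)); // ["package-b"]
console.log("per-level filter, production:", auditReport(REGISTRY, "production", true));  // []
console.log("workaround, top-level filter:", auditReport(WORKAROUND_REGISTRY, "production", false)); // []
```

The workaround only hides the finding: with the top-level filter, the whole subtree under a root devDependency is dropped, so the vulnerable package is neither walked nor reported, while a --environment development run of the same tree still lists it.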

I suspect this might also be related to this issue: https://github.com/yarnpkg/berry/issues/5960

jpikl-prgs avatar Jan 17 '25 11:01 jpikl-prgs

Is there any update on this?

oosterholt avatar Apr 08 '25 08:04 oosterholt