
[Bug?]: yarn npm audit IDs are not stable

Open Fryguy opened this issue 1 year ago • 1 comment

Self-service

  • [ ] I'd be willing to implement a fix

Describe the bug

I'm using the npmAuditIgnoreAdvisories field to temporarily ignore certain advisories until I have a chance to upgrade the package. I want to do this advisory by advisory as opposed to by package because I want to be alerted on new advisories for the same package.

However, it seems the ID field from the output is not stable. For example, https://github.com/advisories/GHSA-ph58-4vrj-w6hr has changed its ID 3 times in the last few days (1091717, 1098347, and then 1098407). These fluctuations make the npmAuditIgnoreAdvisories difficult to use.

I think that every time GitHub updates their advisory database it generates a new entry in the history which is given a new ID. More speculation below in "Additional context"

To reproduce

{
  "dependencies": {
    "bootstrap": "=3.3.7"
  }
}

Environment

System:
    OS: macOS 13.6.7
    CPU: (10) arm64 Apple M1 Max
  Binaries:
    Node: 18.17.1 - /private/var/folders/47/l4t878ld45d2h11b45x88sr80000gn/T/xfs-2fe528d2/node
    Yarn: 4.3.1 - /private/var/folders/47/l4t878ld45d2h11b45x88sr80000gn/T/xfs-2fe528d2/yarn
    npm: 9.6.7 - ~/.nvm/versions/node/v18.17.1/bin/npm

Additional context

I'm not sure if this is a yarn problem, an npm problem, or a GitHub advisory database problem, so I figured I'd start here.

I'm not sure where the ID values are coming from, but I think they are somehow tied to the history of the record. For example with https://github.com/advisories/GHSA-ph58-4vrj-w6hr, the history is located at https://github.com/github/advisory-database/commits/main/advisories/github-reviewed/2019/01/GHSA-ph58-4vrj-w6hr/GHSA-ph58-4vrj-w6hr.json, and you can see there have been 2 changes recently, which corresponds with the 2 new IDs that I have seen.

My gut is telling me that all of the historical IDs need to be taken into context in order to ignore an issue, unless something significant has changed in that issue, such as the version ranges.

Alternatively, perhaps it would be possible to ignore an issue by GHSA or CVE number.

Fryguy avatar Aug 05 '24 19:08 Fryguy
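An added example, not yarn's own code and not from the issue author, of the GHSA-keyed ignore list suggested above, with a bridge to the numeric IDs that npmAuditIgnoreAdvisories accepts today. It assumes Yarn 4's `yarn npm audit --json` prints one JSON object per line with the package name in `value` and the advisory's numeric `ID` and GitHub `URL` under `children`; the sample report below is constructed for this example, and only GHSA-ph58-4vrj-w6hr comes from the issue (the second advisory, titles and severities are placeholders).

```javascript
// Example code, not part of yarn. Matches audit findings by the GHSA identifier
// embedded in the advisory URL, so the numeric ID can churn without changing
// the result, then derives the numeric IDs that the current
// npmAuditIgnoreAdvisories setting in .yarnrc.yml needs.

// Assumed shape of `yarn npm audit --json` (one object per line); constructed
// sample: two lines are the same GHSA reported under two numeric IDs, as in
// the issue, the third is a placeholder advisory that must NOT be ignored.
const SAMPLE_AUDIT_NDJSON = [
  '{"value":"bootstrap","children":{"ID":1091717,"Issue":"placeholder title","URL":"https://github.com/advisories/GHSA-ph58-4vrj-w6hr","Severity":"moderate"}}',
  '{"value":"bootstrap","children":{"ID":1098407,"Issue":"placeholder title","URL":"https://github.com/advisories/GHSA-ph58-4vrj-w6hr","Severity":"moderate"}}',
  '',
  '{"value":"bootstrap","children":{"ID":1000001,"Issue":"placeholder title","URL":"https://github.com/advisories/GHSA-aaaa-bbbb-cccc","Severity":"high"}}',
].join("\n");

const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i;

// Parse newline-delimited JSON into flat findings; blank or non-JSON lines
// (progress output, warnings) are skipped rather than aborting the run.
function parseAuditReport(ndjson) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    let entry;
    try { entry = JSON.parse(trimmed); } catch { continue; }
    const c = entry.children ?? {};
    const m = GHSA_RE.exec(c.URL ?? "");
    findings.push({
      package: entry.value,
      id: c.ID,
      ghsa: m ? m[0] : null,      // stable key; null if the URL is not a GHSA link
      url: c.URL,
      severity: c.Severity,
    });
  }
  return findings;
}

// Split findings into those covered by a GHSA ignore list and those that
// still need attention. Comparison is case-insensitive; a finding with no
// GHSA in its URL is never ignored, so unknown advisory sources fail loud.
function partitionByIgnoreList(findings, ignoredGhsa) {
  const ignore = new Set(ignoredGhsa.map((s) => s.toLowerCase()));
  const ignored = [];
  const reported = [];
  for (const f of findings) {
    const hit = f.ghsa !== null && ignore.has(f.ghsa.toLowerCase());
    (hit ? ignored : reported).push(f);
  }
  return { ignored, reported };
}

// Bridge to today's yarn: the numeric IDs currently attached to the ignored
// GHSAs, deduplicated and sorted, ready to paste into npmAuditIgnoreAdvisories.
// Re-running this after each audit regenerates the list when the IDs move.
function currentNumericIdsFor(findings, ignoredGhsa) {
  const { ignored } = partitionByIgnoreList(findings, ignoredGhsa);
  return [...new Set(ignored.map((f) => f.id))].sort((a, b) => a - b);
}

// True when every finding is covered by the ignore list (useful as a CI gate).
function auditPasses(findings, ignoredGhsa) {
  return partitionByIgnoreList(findings, ignoredGhsa).reported.length === 0;
}

// Demo on the constructed sample: one GHSA ignored, the placeholder one still reported.
const demoFindings = parseAuditReport(SAMPLE_AUDIT_NDJSON);
const demo = partitionByIgnoreList(demoFindings, ["GHSA-ph58-4vrj-w6hr"]);
console.log(`ignored: ${demo.ignored.length}, still reported: ${demo.reported.length}`);
console.log(`npmAuditIgnoreAdvisories: ${JSON.stringify(currentNumericIdsFor(demoFindings, ["GHSA-ph58-4vrj-w6hr"]))}`);
```

In real use, pipe `yarn npm audit --json` into parseAuditReport and keep the GHSA list under version control; the numeric list is then a derived artifact rather than something to hand-edit after every advisory-database update.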

Any updates on this, please? Rebuilding the npmAuditIgnoreAdvisories entry every time the GitHub advisory database changes seems like a really tedious thing to do :(

raidorev avatar Sep 16 '25 15:09 raidorev