-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(audit) Initial addition of yarn audit command. #6409
Conversation
Added "yarn audit" command which copies the behavior of "npm audit". Unline npm, yarn does not automatically run "audit" during "add/install/upgrade" commands. Since this would cause an additional network call, it broke all existing unit tests to add this feature and have it run automatically. In the interest of getting an initial release in the hands of our users the "add/install/upgrade" commands accept a "--audit" flag that will enable the audit. If you want audit to always execute, you can add "--*.audit true" to .yarnrc fix yarnpkg#5808
|
Hey Jeff! Thanks for your work on this! A few comments:
I'm also not convinced by the workflow - right now you must add
What do you think? |
Wait, sorry, missed that the I'd also maybe suggest to make |
@@ -628,12 +668,24 @@ export class Install { | |||
for (const step of steps) { | |||
const stepResult = await step(++currentStep, steps.length); | |||
if (stepResult && stepResult.bailout) { | |||
if (this.flags.audit) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure this works - when running install --audit
twice, the second time I get no reports
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's because the bailout is done at the end of the resolution step, before the audit gets initialized
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I'm pretty sure yarn just bails before it gets that far, like it would have during a normal install
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it should be safe to disable the integrity check altogether when --audit
is set.
that was my original intent, like npm does, but it breaks all the existing unit tests because it has to make a network call. if you can think of a way to mock out that request by default for all tests, that would be great. Also I think in Discord @BYK said he was a bit concerned about adding another network call.
I think I left a comment in the code where I could bailout if there are errors, but npm doesn't by default. Prompting the user gets tricky because what if this is in a CI environment or --non-interactive is passed.
Is this just on a In addition I noticed a couple other ... oddities. This command uses npm's api and half the code is a copy/paste from them, but yarn audit reports more errors than npm audit does. In the case I saw, npm wasn't reporting errors that were from a transitive dep of a github repo dependency. When the npm audit API sends back a "resolution recommendation" it wants tot ell the user to run example:
where
but |
OK I think this should be in a good place for an initial release. It's not feature-rich, but it does report audit problems correctly at this point. |
Looks good to me! I'll merge the changelog, update this PR, and merge it 👍 |
nsp has been retired and 'npm audit' is the recommended alternative. Since yarnpkg/yarn#6409 yarn v1.12.0 has an audit capability. Use that instead.
I believe this PR is the reason the nightly tests on Ubuntu 16.0.4 have been failing. The dependency The reason the other end-to-end tests aren't affected is that they use Node v6. I don't yet know why the other tests aren't failing on Node v4. Perhaps this library is never invoked outside of the end-to-end tests. |
Changelog tracks back up to 1.12.0 only. ## 1.12.3 **Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal. - Fixes an issue with `yarn audit` when using workspaces [6625](yarnpkg/yarn#6639) - [**Jeff Valore**](https://twitter.com/codingwithspike) - Uses `NODE_OPTIONS` to instruct Node to load the PnP hook, instead of raw CLI arguments **Caveat:** This change might cause issues for PnP users having a space inside their cwd (cf [nodejs/node24065](nodejs/node#24065)) [6479](yarnpkg/yarn#6629) - [**Maël Nison**](https://twitter.com/arcanis) - Fixes Gulp when used with Plug'n'Play [6623](yarnpkg/yarn#6623) - [**Maël Nison**](https://twitter.com/arcanis) - Fixes an issue with `yarn audit` when the root package was missing a name [6611](yarnpkg/yarn#6611) - [**Jack Zhao**](https://github.com/bugzpodder) - Fixes an issue with `yarn audit` when a package was depending on an empty range [6611](yarnpkg/yarn#6611) - [**Jack Zhao**](https://github.com/bugzpodder) - Fixes an issue with how symlinks are setup into the cache on Windows [6621](yarnpkg/yarn#6621) - [**Yoad Snapir**](https://github.com/yoadsn) - Upgrades `inquirer`, fixing `upgrade-interactive` for users using both Node 10 and Windows [6635](yarnpkg/yarn#6635) - [**Philipp Feigl**](https://github.com/pfeigl) - Exposes the path to the PnP file using `require.resolve('pnpapi')` [6643](yarnpkg/yarn#6643) - [**Maël Nison**](https://twitter.com/arcanis) ## 1.12.2 This release doesn't actually exists and was caused by a quirk in our systems. ## 1.12.1 - Ensures the engine check is ran before showing the UI for `upgrade-interactive` [6536](yarnpkg/yarn#6536) - [**Orta Therox**](https://github.com/orta) - Restores Node v4 support by downgrading `cli-table3` [6535](yarnpkg/yarn#6535) - [**Mark Stacey**](https://github.com/Gudahtt) - Prevents infinite loop when parsing corrupted lockfiles with unterminated strings [4965](yarnpkg/yarn#4965) - [**Ryan Hendrickson**](https://github.com/rhendric) - Environment variables now have to **start** with `YARN_` (instead of just contain it) to be considered [6518](yarnpkg/yarn#6518) - [**Michael Gmelin**](https://blog.grem.de) - Fixes the `extensions` option when used by `resolveRequest` [6479](yarnpkg/yarn#6479) - [**Maël Nison**](https://twitter.com/arcanis) - Fixes handling of empty string entries for `bin` in package.json [6515](yarnpkg/yarn#6515) - [**Ryan Burrows**](https://github.com/rhburrows) - Adds support for basic auth for registries with paths, such as artifactory [5322](yarnpkg/yarn#5322) - [**Karolis Narkevicius**](https://twitter.com/KidkArolis) - Adds 2FA (Two Factor Authentication) support to publish & alike [6555](yarnpkg/yarn#6555) - [**Krzysztof Zbudniewek**](https://github.com/neonowy) - Fixes how the `files` property is interpreted to bring it in line with npm [6562](yarnpkg/yarn#6562) - [**Bertrand Marron**](https://github.com/tusbar) - Fixes Yarn invocations on Darwin when the `yarn` binary was symlinked [6568](yarnpkg/yarn#6568) - [**Hidde Boomsma**](https://github.com/hboomsma) - Fixes `require.resolve` when used together with the `paths` option [6565](yarnpkg/yarn#6565) - [**Maël Nison**](https://twitter.com/arcanis) ## 1.12.0 - Adds initial support for PnP on Windows [6447](yarnpkg/yarn#6447) - [**John-David Dalton**](https://twitter.com/jdalton) - Adds `yarn audit` (and the `--audit` flag for all installs) [6409](yarnpkg/yarn#6409) - [**Jeff Valore**](https://github.com/rally25rs) - Adds a special logic to PnP for ESLint compatibility (temporary, until [eslint/eslint10125](eslint/eslint#10125) is fixed) [6449](yarnpkg/yarn#6449) - [**Maël Nison**](https://twitter.com/arcanis) - Makes the PnP hook inject a `process.versions.pnp` variable when setup (equals to `VERSIONS.std`) [6464](yarnpkg/yarn#6464) - [**Maël Nison**](https://twitter.com/arcanis) - Disables by default (configurable) the automatic migration of the `integrity` field. **It will be re-enabled in 2.0.** [6465](yarnpkg/yarn#6465) - [**Maël Nison**](https://twitter.com/arcanis) - Fixes the display name of the faulty package when the NPM registry returns corrupted data [6455](yarnpkg/yarn#6455) - [**Grey Baker**](https://github.com/greysteil) - Prevents crashes when running `yarn outdated` and the NPM registry forgets to return the `latest` tag [6454](yarnpkg/yarn#6454) - [**mad-mike**](https://github.com/mad-mike) - Fixes `yarn run` when used together with workspaces and PnP [6444](yarnpkg/yarn#6444) - [**Maël Nison**](https://twitter.com/arcanis) - Fixes an edge case when peer dependencies were resolved multiple levels deep (`webpack-dev-server`) [6443](yarnpkg/yarn#6443) - [**Maël Nison**](https://twitter.com/arcanis)
Summary
Adds the
yarn audit
command.Adds the
--audit
flag toyarn add / install / upgrade
Currently the functionality is fairly basic. It roughly copies the initial audit release of npm including the style of reporting.
The
audit
command will return 0 if no issues are found, otherwise returns non-0 exit code.Unlike npm, yarn doesn't currently auto-run audit on add/install/upgrade. Partly this is due to the additional network call and a lack of an easy way to mock it during unit tests, so every unit test tries to hit npm's API to audit the packages being "installed" during unit tests.
To run an audit during add/install/upgrade, please specify the
--audit
flag.If the
--offline
flag is specified along with--audit
then audit will be skipped (and a message noting this will be printed)If you would like audit to always be run, you can add to the
.yarnrc
file:implements #5808
Test plan
Added some basic unit tests.
When reporting audit issues, please run with
--verbose
and include the "Audit API Request" and "Audit API Response" JSON.