Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[prettierx] Yarn audit issues in transitive dependencies

See original GitHub issue

~~outdated postcss via outdated postcss-scss dependency - https://npmjs.com/advisories/1693~~ - no longer an issue with npm installation due to recent postcss@7.0.36 update; however PostCSS v8 update is needed since PostCSS v7 will no longer be supported ref: https://github.com/postcss/postcss/issues/1574
~~outdated trim via outdated remark-parse dependency - https://npmjs.com/advisories/1700~~ - now resolved by PR #593
Yarn audit warnings from other outdated sub-dependencies in yarn.lock

~~should be resolved by proposed update from Prettier 2.3.1 in PR #569~~

Updates:

It looks to me like the PostCSS dependencies are updated in the next branch of Prettier: https://github.com/prettier/prettier/pull/9471, https://github.com/prettier/prettier/pull/10490
Unfortunately remark-parse is still outdated in the next branch of Prettier, and it is not a simple update without using @brodybits fork (see comment below).
@ai generously patched PostCSS v7, which will not be supported any longer.

P.S. While I do not expect these issues to have much of any real-world impact in the near term, I would like to get these resolved asap.

/cc @adalinesimonian @aMarCruz @ai

Issue Analytics

State:
Created 2 years ago
Comments:18 (18 by maintainers)

Top GitHub Comments

2reactions

aicommented, Jun 11, 2021

Я говорю ☺️

1reaction

adalinesimoniancommented, Jun 15, 2021

Happy to report that in #569:

╭─adaline@ultima-weapon ~/github/brodybits/prettierx  ‹adalinesimonian/merge-prettier-2.3.1›
╰─➤  yarn audit
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 1496
Done in 0.68s.

Top Results From Across the Web

[Feature] `yarn npm audit --fix` · Issue #3582 · yarnpkg/berry

Currently, to resolve vulnerabilities I either need to... add a resolution for the transitive dependency, run yarn install , remove the ...

yarn audit

Perform a vulnerability audit against the installed packages. yarn audit [--verbose] [--json] [--level] [--groups]. Checks for known security issues with ...

Fix npm Vulnerabilities with Yarn - rockyourcode

The solution to this problem in yarn is called selective version resolutions which is basically defining resolutions for the transitive ...

yarn upgrade to fix yarn audit errors - Stack Overflow

The solution to this problem in yarn is called selective version ... The transitive dependencies are the dependencies of dependencies.

Yarn - How to fix security issues - JavaScriptBit

Fix issues by finding with yarn audit. ... A security audit is an assessment of package dependencies for security vulnerabilities.