Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

No results for yarn (berry) monorepo

See original GitHub issue

The audit-ci check in a Yarn (berry) monorepo may be incomplete. To reproduce:

Use a monorepo
Run audit-ci to only check for production dependencies
Notice you’ll see very few audit results

What happens (see here) for the line involved):

When auditing only production dependencies, then the --environment production arguments are used
When auditing any dependency (either production or dev), then the --all flag is used. The -all flag is used in yarn to specify that we want to audit all dependencies in this workspace, and not just the one in the current working dir (see here for the docs)
In other words, audit-ci is either
- checking all (both production/development) dependencies in the complete workspace
- checking only the production dependencies of the currently focused package

It seems to me that there is a misunderstanding of the -all argument. I’d argue we’d always want audit-ci to audit the complete workspace, i.e. we should always include the -all argument

Issue Analytics

State:
Created 2 years ago
Reactions:1
Comments:5 (5 by maintainers)

Top GitHub Comments

1reaction

quinnturnercommented, Apr 12, 2022

Hey @kyletsang, that would be great! I am still working on a mandatory side project personally this week but can do PR reviews. I started creating some test files for the Yarn workspace (hoping for Yarn Classic and Berry): https://github.com/quinnturner/audit-ci/commit/079079b1a2c6d82973b5b2b6ce7b4aa063762aad.

0reactions

quinnturnercommented, Apr 13, 2022

Released in v6.2.0