Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

yarn audit fails due to cli dependency `size-plugin`.

See original GitHub issue

Do you want to request a feature or report a bug? Bug

What is the current behaviour? Dependency from preact-cli, size-plugin, cause yarn audit to fail from an axios vulnerability.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ preact-cli                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ preact-cli > size-plugin > axios                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1594                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

If the current behaviour is a bug, please provide the steps to reproduce.

What is the expected behaviour?

yarn audit should be passed

If this is a feature request, what is motivation or use case for changing the behaviour?

Please mention other relevant information.

Please paste the results of preact info here.

Environment Info: System: OS: macOS 10.15.7 CPU: (8) x64 Intel® Core™ i7-8559U CPU @ 2.70GHz Binaries: Node: 14.8.0 - /usr/local/bin/node Yarn: 1.22.4 - /usr/local/bin/yarn npm: 6.14.7 - /usr/local/bin/npm Browsers: Chrome: 87.0.4280.141 Firefox: 80.0.1 Safari: 14.0.1

Issue Analytics

State:
Created 3 years ago
Reactions:1
Comments:10 (5 by maintainers)

Top GitHub Comments

2reactions

rschristiancommented, Jan 29, 2021

The PR to fix this upstream has been merged in, so the “vulnerability” should be gone. Closing this.

Let me know if anyone is still having issues. You might need to regen your lock files.

1reaction

harrier-lcccommented, Jan 12, 2021

What? It’s definitely in the package.json too, right here: https://github.com/preactjs/preact-cli/blob/master/packages/cli/package.json#L125

This is a mono-repo, top level package.json isn’t a package itself, just a collection of tools. Each individual packages lives in /packages/{x}. In the CLI’s case, that’s /packages/cli

Oops, I must be blind to not see this 🙈

Let me change the description of this quickly

Thanks for your quick reply 😃

Top Results From Across the Web

yarn audit

Perform a vulnerability audit against the installed packages. yarn audit [--verbose] [--json] [--level] [--groups]. Checks for known security issues with ...

Yarn audit fix: workaround - DEV Community ‍ ‍

Issue. Auditing and updating dependencies is an important part of the code lifecycle. There are different approaches to implement this task: ...

yarn-audit-fix - npm Package Health Analysis - Snyk

CLI ; --force, Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones, false ; --help/-h, Print help message ;...

yarn upgrade to fix yarn audit errors - Stack Overflow

The solution to this problem in yarn is called selective version resolutions which is basically defining resolutions for the transitive ...

Audit | npm.io

snyk library and cli utility ... Audits NPM, Yarn, and PNPM projects in CI environments ... Aids humans and automation in managing npm...