Yarn classic's `audit` does not appear to support aliases
gabidobo opened this issue
Notice the fracture in the vulnerability path below:

- `@pnpm/lockfile-file` has a dependency on `@zkochan/js-yaml`, so the latest version (0.0.6) is installed. This dependency is aliased as `js-yaml`.
- When running `yarn audit` the alias is ignored by Yarn, and we get back vulnerabilities for `js-yaml@0.0.6` instead. That specific package version is not actually installed.
- We do, however, have `js-yaml@3.14.1` installed as a dependency for `@yarnpkg/parsers`. That node gets wrongly labeled as a vulnerability, and looks disconnected from its path.
- Reproduce by running `yarn audit` in this repo's root.
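As an added example (not code from the issue, from Yarn, or from the reporter's repo), the following script shows how a defender can reconcile an audit finding that is keyed by an alias name with what a Yarn classic lockfile actually installs. The lockfile text and the findings are constructed; the `alias@npm:real@range` key form is assumed to match what Yarn 1 writes for aliased dependencies, and the `{ module_name, version }` finding shape is a simplification.

```javascript
// Added example, not code from the issue or from Yarn: reconcile audit findings
// keyed by an alias name with what a Yarn classic (v1) lockfile actually
// installs. The lockfile text and the findings below are constructed; the
// `alias@npm:real@range` key form is assumed to match what Yarn 1 writes.

const SAMPLE_LOCKFILE = `
# yarn lockfile v1

"@zkochan/js-yaml@^0.0.6", "js-yaml@npm:@zkochan/js-yaml@^0.0.6":
  version "0.0.6"
  resolved "https://registry.yarnpkg.com/@zkochan/js-yaml/-/js-yaml-0.0.6.tgz#placeholder"

js-yaml@^3.10.0, js-yaml@^3.13.1:
  version "3.14.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#placeholder"
  dependencies:
    argparse "^1.0.7"
`;

// Split a lockfile descriptor into the declared name, the package it really
// resolves to, and the range. `js-yaml@npm:@zkochan/js-yaml@^0.0.6` declares
// the name `js-yaml` but installs `@zkochan/js-yaml`.
function parseDescriptor(desc) {
  const at = desc.indexOf('@', 1); // skip the leading '@' of scoped names
  const name = desc.slice(0, at);
  let range = desc.slice(at + 1);
  let realName = name;
  if (range.startsWith('npm:')) {
    const target = range.slice('npm:'.length);
    const tAt = target.lastIndexOf('@');
    realName = tAt > 0 ? target.slice(0, tAt) : target;
    range = tAt > 0 ? target.slice(tAt + 1) : '*';
  }
  return { name, realName, range };
}

// Minimal reader for the parts of a v1 lockfile this check needs: the
// descriptor keys of each entry and its resolved version.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const descriptors = line
        .slice(0, -1)
        .split(',')
        .map((s) => parseDescriptor(s.trim().replace(/^"|"$/g, '')));
      current = { descriptors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Map real package name -> Set of installed versions.
function installedVersions(entries) {
  const installed = new Map();
  for (const e of entries) {
    for (const d of e.descriptors) {
      if (!installed.has(d.realName)) installed.set(d.realName, new Set());
      installed.get(d.realName).add(e.version);
    }
  }
  return installed;
}

// Classify one audit finding ({ module_name, version }, a simplified shape):
//   'installed'     - that exact package@version is really in the tree
//   'alias'         - the name is only an alias; report the real package(s)
//   'not-installed' - nothing in the lockfile matches
function classifyFinding(finding, entries) {
  const versions = installedVersions(entries).get(finding.module_name);
  if (versions && versions.has(finding.version)) {
    return { status: 'installed', realPackages: [finding.module_name] };
  }
  const aliasedTo = new Set(
    entries
      .flatMap((e) => e.descriptors)
      .filter((d) => d.name === finding.module_name && d.realName !== d.name)
      .map((d) => d.realName),
  );
  if (aliasedTo.size > 0) return { status: 'alias', realPackages: [...aliasedTo] };
  return { status: 'not-installed', realPackages: [] };
}

// Constructed findings shaped like the two cases the issue describes.
const FINDINGS = [
  { module_name: 'js-yaml', version: '0.0.6' },  // reported against the alias
  { module_name: 'js-yaml', version: '3.14.1' }, // genuinely installed
];

function runReport(lockfileText = SAMPLE_LOCKFILE, findings = FINDINGS) {
  const entries = parseLockfile(lockfileText);
  return findings.map((f) => ({ ...f, ...classifyFinding(f, entries) }));
}

for (const r of runReport()) {
  console.log(`${r.module_name}@${r.version}: ${r.status}`, r.realPackages);
}
```

Run with `node` against a real `yarn.lock` by passing its contents to `runReport`. A finding that comes back as `alias` is the situation described in this issue: the advisory was matched on the declared name rather than on the package that was resolved, so the version in the report does not exist in the tree under that name and the real package (`@zkochan/js-yaml` here) is the one to check.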
This issue is stale because it has been open for 30 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.