Same vulnerabilities reported several times
Opened this issue · 3 comments
mbertheau commented
(Very nice package, much more useful in CI!)
The same vulnerability is reported, it seems, as many times as there are modules that depend on the vulnerable package:
Improved Yarn Audit - v2.3.3
Minimum severity level to report: low
Excluded Advisories: [1693,1695]
Running yarn audit...
Found 2 vulnerabilities
8 ignored because of advisory exclusions
Vulnerability Found:
Severity: MODERATE
Modules: browserslist, stylelint>autoprefixer>browserslist
URL: https://npmjs.com/advisories/1747
Vulnerability Found:
Severity: MODERATE
Modules: browserslist, stylelint>autoprefixer>browserslist
URL: https://npmjs.com/advisories/1747
rickycodes commented
This is expected behavior and the default functionality for yarn audit as well:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.4.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @react-native/repo-config                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @react-native/repo-config > jest > jest-cli > @jest/core >   │
│               │ jest-runtime > jest-config > jest-environment-jsdom > jsdom  │
│               │ > ws                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1748                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.4.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @react-native/repo-config                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @react-native/repo-config > jest > jest-cli > jest-config >  │
│               │ jest-environment-jsdom > jsdom > ws                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1748                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
It's helpful to know the individual paths, IMO.
mbertheau commented
Yarn audit outputs one table per affected path. However, in improved-yarn-audit each "Vulnerability found:" shows all the paths separated by commas, so in effect I just get n times the same "Vulnerability found:" with the same information.
djfdyuruiry commented
Having a look at this currently - will see if we can remove the duplicates
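Added example (not code from improved-yarn-audit or from yarn) of the de-duplication the thread asks for: collapse the one-record-per-path advisories that `yarn audit --json` emits into a single finding per advisory id, keeping every dependency path, so a report lists advisory 1747 once with both of its paths instead of once per path. The sample input is constructed in the shape of yarn v1's newline-delimited `--json` output (`auditAdvisory` records with `data.advisory` and `data.resolution.path`, then an `auditSummary`); the 1747 paths mirror the thread, while the titles and the module names and paths used for the excluded ids 1693 and 1695 are placeholders. The option names `minSeverity` and `excluded` are this example's own.

```javascript
// Added example: one finding per advisory id, all paths kept.
// Not the improved-yarn-audit implementation; sample data is constructed.

// Severity order used by yarn audit.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Build one constructed `auditAdvisory` line in the shape of yarn v1 --json output.
function auditLine(id, moduleName, severity, path, title, url) {
  return JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id, path, dev: false, optional: false, bundled: false },
      advisory: { id, module_name: moduleName, severity, title, url },
    },
  });
}

// Constructed sample: advisory 1747 reported once per path (as in the thread),
// plus two records for the ids the thread excludes (placeholder modules/titles).
const SAMPLE_AUDIT_JSON = [
  auditLine(1747, 'browserslist', 'moderate', 'browserslist',
    'placeholder title', 'https://npmjs.com/advisories/1747'),
  auditLine(1747, 'browserslist', 'moderate', 'stylelint>autoprefixer>browserslist',
    'placeholder title', 'https://npmjs.com/advisories/1747'),
  auditLine(1693, 'example-dep', 'high', 'example-dep',
    'placeholder title', 'https://npmjs.com/advisories/1693'),
  auditLine(1695, 'example-sub', 'high', 'example-dep>example-sub',
    'placeholder title', 'https://npmjs.com/advisories/1695'),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { moderate: 2, high: 2 } } }),
].join('\n');

// Parse newline-delimited JSON and keep only the advisory records.
function parseAuditJson(text) {
  return text
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line))
    .filter((record) => record.type === 'auditAdvisory');
}

// Group advisory records by id. Excluded ids and records below the severity
// threshold are counted per record rather than reported.
function dedupeAdvisories(records, { minSeverity = 'low', excluded = [] } = {}) {
  const excludedIds = new Set(excluded.map(Number));   // CLI args may arrive as strings
  const threshold = SEVERITY_RANK[minSeverity] ?? 0;
  const byId = new Map();
  let excludedCount = 0;
  let belowThreshold = 0;
  for (const { data } of records) {
    const adv = data.advisory;
    const id = Number(adv.id);
    if (excludedIds.has(id)) { excludedCount += 1; continue; }
    if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) { belowThreshold += 1; continue; }
    let finding = byId.get(id);
    if (!finding) {
      finding = { id, severity: adv.severity, title: adv.title, url: adv.url,
                  module: adv.module_name, paths: new Set() };
      byId.set(id, finding);
    }
    finding.paths.add(data.resolution.path);  // the Set is what removes the duplicates
  }
  const findings = [...byId.values()]
    .sort((a, b) => (SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]) || (a.id - b.id))
    .map((f) => ({ ...f, paths: [...f.paths].sort() }));
  return { findings, excluded: excludedCount, belowThreshold };
}

// Render in the same layout as the report quoted in the thread.
function formatReport({ findings, excluded }) {
  const lines = [
    `Found ${findings.length} vulnerabilities`,
    `${excluded} ignored because of advisory exclusions`,
  ];
  for (const f of findings) {
    lines.push('Vulnerability Found:',
      `  Severity: ${f.severity.toUpperCase()}`,
      `  Modules: ${f.paths.join(', ')}`,
      `  URL: ${f.url}`);
  }
  return lines.join('\n');
}

// Usage: same settings as the thread (min severity low, 1693 and 1695 excluded).
console.log(formatReport(dedupeAdvisories(parseAuditJson(SAMPLE_AUDIT_JSON),
  { minSeverity: 'low', excluded: [1693, 1695] })));
```

The key decision is the grouping key: advisory id, not the path. Keying on `resolution.path` (or on the whole record) is what produces one block per path. Note that the ignored counters above are per record, so an excluded advisory reachable through four paths counts as four; switch to counting distinct ids if the summary line should say how many advisories were excluded.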