djfdyuruiry/improved-yarn-audit

Same vulnerabilities reported several times

Opened this issue · 3 comments

(Very nice package, much more useful in CI!)

The same vulnerability is reported, it seems, as many times as there are modules that depend on the vulnerable package:

Improved Yarn Audit - v2.3.3

Minimum severity level to report: low
Excluded Advisories: [1693,1695]

Running yarn audit...

Found 2 vulnerabilities

8 ignored because of advisory exclusions

Vulnerability Found:

  Severity: MODERATE
  Modules: browserslist, stylelint>autoprefixer>browserslist
  URL: https://npmjs.com/advisories/1747

Vulnerability Found:

  Severity: MODERATE
  Modules: browserslist, stylelint>autoprefixer>browserslist
  URL: https://npmjs.com/advisories/1747

This is expected behavior and the default functionality for yarn audit as well:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.4.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @react-native/repo-config                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @react-native/repo-config > jest > jest-cli > @jest/core >   │
│               │ jest-runtime > jest-config > jest-environment-jsdom > jsdom  │
│               │ > ws                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1748                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.4.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @react-native/repo-config                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @react-native/repo-config > jest > jest-cli > jest-config >  │
│               │ jest-environment-jsdom > jsdom > ws                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1748                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

It's helpful to know the individual paths, IMO.

Yarn audit outputs one table per affected path. However, in improved-yarn-audit each "Vulnerability found:" shows all the paths separated by commas, so in effect I just get n times the same "Vulnerability found:" with the same information.
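The de-duplication this comment asks for, as an added example that is not improved-yarn-audit's or Yarn's own code: group the `yarn audit --json` advisory lines by advisory id and keep every dependency path that reaches the vulnerable module, so each advisory is printed once with all its paths. It assumes the Yarn v1 `--json` output shape (one JSON object per line; `auditAdvisory` entries carry `data.resolution.path`, the chain joined with `>`, and `data.advisory` with id, module, severity and url). The sample lines, the advisory metadata inside them, and the names `dedupeAudit` and `formatReport` are constructed for this example.

```javascript
// Added example, not project code: collapse per-path `yarn audit --json`
// entries into one record per advisory, keeping all dependency paths.
// Assumes the Yarn v1 ndjson format: one object per line, type "auditAdvisory"
// for findings (one line per affected path) and "auditSummary" at the end.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample input: two paths to the same browserslist advisory and
// one path to a ws advisory, followed by the summary line Yarn appends.
const SAMPLE_NDJSON = [
  { type: "auditAdvisory", data: {
      resolution: { id: 1747, path: "browserslist", dev: true },
      advisory: { id: 1747, module_name: "browserslist", severity: "moderate",
        title: "Regular Expression Denial of Service",
        url: "https://npmjs.com/advisories/1747" } } },
  { type: "auditAdvisory", data: {
      resolution: { id: 1747, path: "stylelint>autoprefixer>browserslist", dev: true },
      advisory: { id: 1747, module_name: "browserslist", severity: "moderate",
        title: "Regular Expression Denial of Service",
        url: "https://npmjs.com/advisories/1747" } } },
  { type: "auditAdvisory", data: {
      resolution: { id: 1748, path: "jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws", dev: true },
      advisory: { id: 1748, module_name: "ws", severity: "moderate",
        title: "Regular Expression Denial of Service", patched_versions: ">=7.4.6",
        url: "https://www.npmjs.com/advisories/1748" } } },
  { type: "auditSummary", data: { vulnerabilities: { moderate: 3 } } },
].map((o) => JSON.stringify(o)).join("\n");

// Parse the ndjson stream and merge entries that share an advisory id.
// `excluded` mirrors the tool's advisory-exclusion list; excluded path
// entries are counted as ignored rather than reported.
function dedupeAudit(ndjson, { minSeverity = "low", excluded = [] } = {}) {
  const excludedIds = new Set(excluded);
  const byId = new Map();
  let ignored = 0;

  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    if (entry.type !== "auditAdvisory") continue;

    const { advisory, resolution } = entry.data;
    if (excludedIds.has(advisory.id)) { ignored += 1; continue; }
    if (SEVERITY_RANK[advisory.severity] < SEVERITY_RANK[minSeverity]) continue;

    let record = byId.get(advisory.id);
    if (!record) {
      record = {
        id: advisory.id,
        module: advisory.module_name,
        severity: advisory.severity,
        title: advisory.title,
        patchedIn: advisory.patched_versions,
        url: advisory.url,
        paths: [],
      };
      byId.set(advisory.id, record);
    }
    // Keep each distinct path once; Yarn emits one line per path.
    if (!record.paths.includes(resolution.path)) record.paths.push(resolution.path);
  }
  return { vulnerabilities: [...byId.values()], ignored };
}

// Render in the same layout the tool prints, but once per advisory.
function formatReport({ vulnerabilities, ignored }) {
  const out = [`Found ${vulnerabilities.length} vulnerabilities`, ""];
  if (ignored > 0) out.push(`${ignored} ignored because of advisory exclusions`, "");
  for (const v of vulnerabilities) {
    out.push("Vulnerability Found:", "",
      `  Severity: ${v.severity.toUpperCase()}`,
      `  Modules: ${v.paths.join(", ")}`,
      `  URL: ${v.url}`, "");
  }
  return out.join("\n");
}

console.log(formatReport(dedupeAudit(SAMPLE_NDJSON, { excluded: [1693, 1695] })));
```

Keying on the advisory id rather than on the rendered path list is what makes the report stable: two paths to the same `browserslist` produce one block with both paths in `Modules`, and the exclusion check runs before merging so excluded entries never reach the output.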

Having a look at this currently - will see if we can remove the duplicates