djfdyuruiry/improved-yarn-audit

Cannot add an exclusion list for advisories with the GitHub URL

Closed this issue · 7 comments

WARNING: One or more excluded audit advisories were missing from yarn audit output: 1693,1695

Probably as advisories now come from GitHub? https://github.com/advisories/GHSA-4943-9vgg-gr5r
But it doesn't allow me to use either the GHSA identifier or the URL.

Is there a workaround to add these to an exclusion list?

According to this article there should be a redirect on npmjs advisories pointing to GitHub - which at present doesn't seem to be working.

Redirects work again. This is no longer an issue.

I think it might still be valuable to support the GitHub advisories as well?

@pavlakis how did you get the corresponding npmjs url? When I run this package now it only spits out GitHub advisory urls, although I can see yarn audit using npmjs urls that redirect to GitHub like you said

@firefox0102 it stopped complaining at some point and I left it alone.

But unfortunately today the errors started coming through. So back to square one until the GH advisories are added to the exclusion list.

I opened a PR to poke around at supporting both the npmjs urls and the new GHSA urls
#27

Same issue, I'm waiting for the merge of the PR 👍