Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

yarn upgrade to fix yarn audit errors

Tags:

javascript

npm

gulp

yarnpkg

npm-audit

So, as of now, it appears that there is no yarn audit --fix, so I am trying to figure out how to go about fixing my yarn audit errors.

I have tried a yarn upgrade which has fixed some of the errors (which is great), but there are still several remaining.

I then tried a yarn add <package>@latest for the remaining high vulnerabilities, but it upgrades the version in my package.json, when I think the issue is coming from a dependency of a package that I am using.

Here is an example of some of my remaining errors:

┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-stream > glob > minimatch             │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-stream > minimatch                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > glob >     │ │               │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch  │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ moderate      │ Prototype Pollution                                          │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ lodash                                                       │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=4.17.11                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > lodash     │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/782                       │ └───────────────┴──────────────────────────────────────────────────────────────┘
like image 629
Ken Bigler Avatar asked Mar 12 '19 23:03

Ken Bigler

People also ask

How do you resolve yarn audit issues?

yarn-audit-fix As previously mentioned, there is no yarn audit fix command. This package attempts to replicate the npm audit fix command functionality in yarn. It can be quite a useful tool for actually fixing vulnerabilities found by other tools on this list.

What is yarn audit?

yarn audit [--verbose] [--json] [--level] [--groups]Checks for known security issues with the installed packages. The output is a list of known issues. You must be online to perform the audit. The audit will be skipped if the --offline general flag is specified.

How do you upgrade yarn?

In order to update your version of Yarn, you can run one of the following commands: npm install --global yarn - if you've installed Yarn via npm (recommended) curl --compressed -o- -L https://yarnpkg.com/install.sh | bash if you're on Unix. otherwise, check the docs of the installer you've used to install Yarn.

2 Answers

The solution to this problem in yarn is called selective version resolutions which is basically defining resolutions for the transitive dependencies in the package.json.

The transitive dependencies are the dependencies of dependencies.

{    "resolutions": { "**/**/lodash": "^4.17.12" } }

So here even if the lodash isn't a direct dependency of your package, the dependent package in your package uses the version defined in the resolutions. Specific resolutions can also be provided. More info here.

like image 172
acesmndr Avatar answered Sep 20 '22 12:09

acesmndr

While resolutions work, it is not the optimal solution, because:

  • you clutter your package.json with resolutions of transitive dependencies
  • you override the actually required version with what you think will work version. Assume A depends on B@^4.0.0 and you update B and resolve it to ^4.3.2. Some time later A gets an update and requires B@^5.0.0, but you still resolve B to ^4.3.2, which is not compatible anymore.

Here is another way to update transitive dependencies:

  1. delete the version of the dependency you want to update from yarn.lock
  2. run yarn install

This way you force yarn to resolve the dependency again and in most cases yarn will install a newer version of what you deleted from yarn.lock.

Example: let's assume that you want to update vulnerable [email protected], then you need to delete an entry like this from your yarn.lock:

[email protected]:   version "0.0.8"   resolved "http://10.0.0.1/repository/npm-registry/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"   integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=

and then run yarn install.

If this doesn't help:

Try updating dependencies that are higher in the dependency chain:

  1. Run yarn why <dependency> to find out which packages pull it
  2. Go up the chain and try deleting the upper dependency in the chain from yarn.lock and then running yarn install

Example:

Here is an example, where we update a transitive dependency minimist:

$ yarn why minimist ..... => Found "mkdirp#[email protected]" info This module exists because "eslint#mkdirp" depends on it. => Found "optimist#[email protected]" info This module exists because "jest#jest-cli#@jest#core#@jest#reporters#istanbul-reports#handlebars#optimist" depends on it. .....
  1. Delete minimist entries from yarn.lock and run yarn install -> this doesn't help, presumably because mkdirp and optimist require exactly [email protected] and [email protected]
  2. Delete "direct parents" of minimist from yarn.lock: mkdirp and optimist.
  3. Run yarn install.

  4. Run yarn why minimist again:

    $ yarn why minimist ..... => Found "mkdirp#[email protected]" info This module exists because "eslint#mkdirp" depends on it. => Found "optimist#[email protected]" info This module exists because "jest#jest-cli#@jest#core#@jest#reporters#istanbul-reports#handlebars#optimist" depends on it. .....

    Here we see that [email protected] was updated to [email protected], but [email protected] still exists.

  5. Delete the next dependency in the dependency chain from yarn.lock: handlebars

  6. Run yarn install
  7. Run yarn why minimist - nothing changed, [email protected] is still there.
  8. Delete the next dependency in the chain from yarn.lock: istanbul-reports
  9. Run yarn install
  10. Run yarn why minimist: [email protected] is not there anymore, because istanbul-reports was updated.
like image 24
Andrey Vetlugin Avatar answered Sep 19 '22 12:09

Andrey Vetlugin
Sign in to Comment

Related questions

Best strategy to use HAML template with Backbone.js
javascript - Uncaught ReferenceError: keys is not defined
jQuery: Find next element that is not a sibling
Delete a specific user from Firebase
compare text inside 2 div elements using javascript or jquery
Save Async/Await response on a variable
Better way to call javascript function in a tag
Why fetch return a response with status = 0?
How can I use JavaScript or jQuery to read a pixel of an image when user clicks it?
FB.logout() called without an access token
jQuery: how to filter out non-character keys on keypress event?
Javascript && operator versus nested if statements: what is faster?
Use JavaScript to prevent a later `<script>` tag from being evaluated?
Is "clear" a reserved word in Javascript?
How to handle change text of span
What is "npm run build" in create-react-app?
Jest passing an object to expect().toBeCalledWith()
jQuery: Does adding an event listener overwrite the previous listener of the same event?
Lightweight Alternative to jQuery UI's sortable()? [closed]
JavaScript isPrototypeOf vs instanceof usage

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!