Do you want to request a feature or report a bug?
bug
What is the current behavior?
yarn audit doesn't report vulnerable dependencies in a yarn workspace package, even though the vulnerable package is listed in yarn.lock
If the current behavior is a bug, please provide the steps to reproduce.
Make a repo using yarn workspaces, add [email protected] as a dependency in one of the workspaces, then run yarn install and yarn audit.
Here's an example repo that reproduces the issue:
https://github.com/gdamjan/yarn-audit-workspaces-example
What is the expected behavior?
yarn audit should report the vulnerability of a dependency listed in yarn.lock
Please mention your node.js, yarn and operating system version.
damjan docker $ node --version
v8.12.0
damjan docker $ yarn --version
1.12.1
damjan docker $ cat /etc/os-release
NAME="Arch Linux"
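As an added example, not part of the original report or of yarn's own code: a cross-check that lists the dependencies declared only in workspace manifests, with the versions yarn.lock resolves them to, so they can be reviewed separately while audit output is incomplete. The function names, package names and lockfile contents are constructed for illustration; the lockfile parser handles only the v1 entry header and version lines.

```javascript
// Added example: helper names and all sample data below are constructed.
// Parse yarn.lock v1 text into a Map of "name@range" -> resolved version.
function parseYarnLockV1(text) {
  const resolved = new Map();
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header: comma-separated, optionally quoted "name@range" specifiers.
      keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
    } else {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) for (const k of keys) resolved.set(k, m[1]);
    }
  }
  return resolved;
}
// Dependencies declared in a workspace manifest but not in the root manifest.
function workspaceOnlyDeps(rootManifest, workspaceManifests, lockText) {
  const lock = parseYarnLockV1(lockText);
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const declared = m => fields.flatMap(f => Object.entries(m[f] || {}));
  const rootSpecs = new Set(declared(rootManifest).map(([n, r]) => `${n}@${r}`));
  const localNames = new Set(workspaceManifests.map(m => m.name));
  const out = [];
  for (const ws of workspaceManifests) {
    for (const [name, range] of declared(ws)) {
      if (localNames.has(name)) continue; // sibling workspace, not a registry package
      const spec = `${name}@${range}`;
      if (rootSpecs.has(spec)) continue; // already declared at the root
      out.push({ workspace: ws.name, name, range, version: lock.get(spec) || null });
    }
  }
  return out;
}
// Constructed sample: a root manifest, two workspace manifests, a v1 lockfile.
const ROOT = { name: 'root', private: true, workspaces: ['packages/*'],
  devDependencies: { 'example-lint': '^1.0.0' } };
const WORKSPACES = [
  { name: 'pkg-a', dependencies: { 'example-vulnerable-pkg': '^2.0.0', 'pkg-b': '1.0.0' } },
  { name: 'pkg-b', dependencies: { '@example/util': '~0.3.0' },
    devDependencies: { 'example-lint': '^1.0.0' } },
];
const LOCK = [
  '# yarn lockfile v1', '',
  '"@example/util@~0.3.0":', '  version "0.3.4"', '',
  'example-lint@^1.0.0:', '  version "1.2.0"', '',
  'example-vulnerable-pkg@^2.0.0:', '  version "2.0.1"',
].join('\n');
console.log(workspaceOnlyDeps(ROOT, WORKSPACES, LOCK));
```

A `version` of `null` in the output means the declared range has no matching entry in the lockfile, which usually indicates the lockfile is stale.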