From 83ebfc1da3dc32972597a84c6378124ad5fbbe4f Mon Sep 17 00:00:00 2001
From: Nathan Fritz
Date: Tue, 6 Dec 2022 18:17:38 -0800
Subject: [PATCH] fix: audit package mismatch in special case

---
 workspaces/arborist/lib/arborist/build-ideal-tree.js | 8 +++++---
 workspaces/arborist/lib/vuln.js                      | 3 +++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/workspaces/arborist/lib/arborist/build-ideal-tree.js b/workspaces/arborist/lib/arborist/build-ideal-tree.js
index 61d9c171c764f..89584e5814784 100644
--- a/workspaces/arborist/lib/arborist/build-ideal-tree.js
+++ b/workspaces/arborist/lib/arborist/build-ideal-tree.js
@@ -619,14 +619,16 @@ module.exports = cls => class IdealTreeBuilder extends cls {
         continue
       }
 
-      const { isSemVerMajor, version } = fixAvailable
+      // name may be different if parent fixes the dep
+      // see Vuln fixAvailable setter
+      const { isSemVerMajor, version, name: fixName } = fixAvailable
       const breakingMessage = isSemVerMajor
         ? 'a SemVer major change'
         : 'outside your stated dependency range'
-      log.warn('audit', `Updating ${name} to ${version}, ` +
+      log.warn('audit', `Updating ${fixName} to ${version}, ` +
         `which is ${breakingMessage}.`)
-      await this[_add](node, { add: [`${name}@${version}`] })
+      await this[_add](node, { add: [`${fixName}@${version}`] })
       nodesTouched.add(node)
     }
   }
diff --git a/workspaces/arborist/lib/vuln.js b/workspaces/arborist/lib/vuln.js
index 5b1483e183d5e..81b921db01ad5 100644
--- a/workspaces/arborist/lib/vuln.js
+++ b/workspaces/arborist/lib/vuln.js
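Review bot: When fixName differs from name, the log.warn line no longer tells the operator which vulnerable package the update is addressing, only which parent is being bumped; an audit-fix warning should carry both, e.g. append a `(fixes ${name})` clause to the message when `fixName !== name`. The destructuring on the new const line also yields undefined for fixName if the Vuln setter ever produces a fixAvailable object without a name, which would turn the add spec into `undefined@<version>`; `name: fixName = name` would keep the previous behaviour as the fallback. I cannot see the setter from this hunk, so confirm against vuln.js that name is always set. The enclosing loop and method begin outside the hunk.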
@@ -65,6 +65,9 @@ class Vuln {
     // - {name, version, isSemVerMajor} fix requires -f, is semver major
     // - {name, version} fix requires -f, not semver major
     // - true: fix does not require -f
+    // TODO: duped entries may require different fixes but the current
+    // structure does not support this, so the case were a top level fix
+    // corrects a duped entry may mean you have to run fix more than once
     for (const v of this.via) {
       // don't blow up on loops
       if (v.fixAvailable === f) {
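Review bot: The second added comment line has a typo, "the case were a top level fix" should read "the case where a top level fix", and "duped" is worth spelling out since this comment documents a known gap in audit fix coverage: `// TODO: duplicated entries may require different fixes but the current` / `// structure does not support this, so the case where a top level fix` / `// corrects a duplicated entry may mean you have to run fix more than once`. Since build-ideal-tree.js now relies on this setter's name possibly differing from the vuln's own name, a sentence here saying so would keep the two sides in sync; the setter body continues outside the hunk.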