Add a flag to ignore devDependencies when running yarn audit #6632
Comments
As mentioned in the npm issue, using the I've submitted a PR that adds a
I'm incredibly confused by this—when I was testing differences between
@wavebeem the same happened to me. Yarn by default is only detecting vulnerabilities on the dependencies and not devDependencies. Did you find a way to detect it on both?
@wavebeem It seems that using workspaces it only audits the dependencies and not devDependencies
I did not find a way to change the behavior. We switched back to npm at work anyway.
We're also seeing yarn audit pick up a security vulnerability in a 5 levels deep dependency of a devDependency, so it seems to do this at least under some circumstances.
@robertlagrant it seems that if you have a single workspace project it audits all the dependencies but if it's a multi workspaces project it doesn't audit the dev dependencies. I opened an issue for that: #7047
**Summary** Closes #6632. Currently `yarn audit` shows vulnerabilities for production, development and optional dependencies. It would be useful to only audit production dependencies, or select which groups of dependencies to audit.
Do you want to request a feature or report a bug?
Feature
What is the current behavior?
When running `yarn audit`, dev dependencies are included in the check.
If the current behavior is a bug, please provide the steps to reproduce.
What is the expected behavior?
Add a flag to ignore dev dependencies when running the audit. This has also been reported on npm/npm#20564.
Perhaps the `--production` flag could be used for this?
Please mention your node.js, yarn and operating system version.
Mac: 10.14 (18A391)
Node: v8.11.3
Yarn: 1.12.1
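Until a flag exists, one way to separate production from dev-only findings is to post-process `yarn audit --json` against `package.json`. The following is an added example, not code from the yarn project or from this issue; it assumes the audit output is one JSON object per line with `auditAdvisory` events carrying `data.resolution.path` (a `>`-separated dependency chain) and `data.advisory.module_name` / `severity`, and the sample input is constructed.

```python
import json

# Constructed sample package.json (not taken from the issue).
PACKAGE_JSON = {
    "dependencies": {"express": "^4.16.0"},
    "devDependencies": {"webpack": "^4.20.0"},
}

# Constructed sample of `yarn audit --json` output (one JSON object per line).
# The field layout (type / data.resolution.path / data.advisory.*) is an
# assumption about the auditAdvisory events yarn emits; all values are made up.
AUDIT_JSON_LINES = """\
{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"express>fresh"},"advisory":{"module_name":"fresh","severity":"high"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"webpack>a>b>c>d>lodash"},"advisory":{"module_name":"lodash","severity":"low"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"high":1,"low":1}}}
"""


def split_advisories(package_json, audit_lines):
    """Return (production, development) advisory lists.

    An advisory counts as development-only when the first package in its
    dependency path is declared under devDependencies and not under
    dependencies. Unknown roots are kept on the production side so that a
    finding is never silently dropped.
    """
    dev_roots = set(package_json.get("devDependencies", {}))
    prod_roots = set(package_json.get("dependencies", {}))
    production, development = [], []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") != "auditAdvisory":
            continue  # summary/info events carry no advisory
        data = event["data"]
        root = data["resolution"]["path"].split(">")[0]
        entry = {
            "id": data["resolution"]["id"],
            "module": data["advisory"]["module_name"],
            "severity": data["advisory"]["severity"],
            "root": root,
        }
        (development if root in dev_roots and root not in prod_roots
         else production).append(entry)
    return production, development


if __name__ == "__main__":
    prod, dev = split_advisories(PACKAGE_JSON, AUDIT_JSON_LINES)
    print(f"production advisories: {len(prod)}, dev-only advisories: {len(dev)}")
    for a in prod:
        print(f"  [{a['severity']}] {a['module']} via {a['root']}")
```

In a real pipeline, pipe `yarn audit --json` into this script and fail the build only on the production list, while still reporting the dev-only findings.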