From 28b253f7b698f313c2f0f3c18907b884744ca7fe Mon Sep 17 00:00:00 2001 From: Marc Dumais Date: Wed, 5 Oct 2022 15:09:04 -0400 Subject: [PATCH] add dev-dependency: improved-yarn-audit "improved-yarn-audit" (license: MIT), complements plain "yarn audit", making audits easier to integrate in CI pipelines. The output is short and to-the-point, making it useful immediately. Simple usage examples: $> yarn run improved-yarn-audit $> yarn run improved-yarn-audit --ignore-dev-deps Here's the currint output for the Theia repo (with this PR in): $> yarn run improved-yarn-audit Improved Yarn Audit - v3.0.0 Minimum severity level to report: low Running yarn audit... Found 2 vulnerabilities Vulnerability Found: Severity: MODERATE Modules: jsdom URL: https://github.com/advisories/GHSA-f4c9-cqv8-9v98 Vulnerability Found: Severity: HIGH Modules: lerna>nx>axios URL: https://github.com/advisories/GHSA-cph5-m8f7-6c5x Signed-off-by: Marc Dumais --- package.json | 1 + yarn.lock | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/package.json b/package.json index 47b4c63d67954..bdc9460bc57e2 100644 --- a/package.json +++ b/package.json @@ -38,6 +38,7 @@ "glob": "^7.1.7", "if-env": "^1.0.4", "ignore-styles": "^5.0.1", + "improved-yarn-audit": "^3.0.0", "jsdom": "^11.5.1", "lerna": "^5.5.4", "node-gyp": "^9.0.0", diff --git a/yarn.lock b/yarn.lock index b1059f5e32280..6f6645d7c56e5 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6883,6 +6883,11 @@ import-local@^3.0.2: pkg-dir "^4.2.0" resolve-cwd "^3.0.0" +improved-yarn-audit@^3.0.0: + version "3.0.0" + resolved "https://registry.yarnpkg.com/improved-yarn-audit/-/improved-yarn-audit-3.0.0.tgz#dfb09cea1a3a92c790ea2b4056431f6fb1b99bfa" + integrity sha512-b7CrBYYwMidtPciCBkW62C7vqGjAV10bxcAWHeJvGrltrcMSEnG5I9CQgi14nmAlUKUQiSvpz47Lo3d7Z3Vjcg== + imurmurhash@^0.1.4: version "0.1.4" resolved "https://registry.yarnpkg.com/imurmurhash/-/imurmurhash-0.1.4.tgz#9218b9b2b928a238b13dc4fb6b6d576f231453ea"
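Review bot: The new devDependency in package.json is never wired up: the diffstat shows only package.json and yarn.lock change, so no `scripts` entry and no CI step invoke the tool, and the audit the description motivates ("easier to integrate in CI pipelines") still has to be run by hand with `yarn run improved-yarn-audit` (the `scripts` block lies outside this hunk). A script such as `"audit:ci": "improved-yarn-audit"` would give CI a stable entry point and let the flags (e.g. `--ignore-dev-deps`) be decided once rather than per invocation. The two advisories the description reports (GHSA-f4c9-cqv8-9v98 in jsdom, GHSA-cph5-m8f7-6c5x via lerna>nx>axios) are left unaddressed by this change, so a pipeline gating on the tool's exit status would fail immediately; either fix or explicitly exclude them before turning the check into a gate. The yarn.lock hunk pins improved-yarn-audit@3.0.0 with a resolved URL and integrity hash, which is appropriate for a tool that itself runs inside the audit step.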