Commit fe64476

authored

Updates the audit implementation to the bulk endpoint (#5501)

**What's the problem this PR addresses?** The current audit implementation uses the older `/audit/quick` endpoint, which has various problems. One particular is that its design requires to submit a nested payload, but since it doesn't make much sense in our case (because most of Yarn installs are flat), we flatten the package list. It causes problems when multiple packages with different versions can be found in the tree. Fixes #3861 Fixes #4117 Fixes #5408 Closes #5409 (Supercedes it) --- Edit by @merceyz Fixes #5450 Fixes #2507 Fixes #3778 Fixes #3945 Closes #5309 (Doesn't have a reproduction so I'm assuming it's the same as the others) --- **How did you fix it?** This change rewrites `yarn npm audit` to use the new endpoint. As part of the migration a couple of fields are reworked (`Via` is replaced by `Dependents`, the versions are now part of a tree item rather than concatenated, we don't get the "recommendation" anymore). The options remain the same for now. It's possible that some registries don't support the bulk endpoint. Given that it's fairly straightforward to implement, that it's been released for some time now, and that without it we would end up with an invalid `audit` implementation, I'd tend to let them deal with that. **Checklist**    - [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing).   - [x] I have set the packages that need to be released for my changes to be effective.   - [x] I will check that all automated PR checks pass before the PR gets reviewed.

1 parent 116d897 commit fe64476Copy full SHA for fe64476

File tree

62 files changed

+1667

-1569

lines changed

.pnp.cjs
.yarn
- cache
- versions
  - 9161855d.yml
CHANGELOG.md
package.json
packages
- acceptance-tests
  - pkg-tests-core
    - package.json
    - sources/utils
      - tests.ts
  - pkg-tests-fixtures/packages
    - vulnerable-1.0.0
      - index.js
      - package.json
      - vulnerable-1.1.0 copy
        index.js
        package.json
      - vulnerable-1.1.0
        index.js
        package.json
    - vulnerable-1.1.0
      - index.js
      - package.json
    - vulnerable-dep-1.0.0
      - index.js
      - package.json
    - vulnerable-dep-1.1.0
      - index.js
      - package.json
    - vulnerable-many-1.0.0
      - index.js
      - package.json
      - vulnerable-1.1.0
        index.js
        package.json
    - vulnerable-peer-deps-1.0.0
      - index.js
      - package.json
      - vulnerable-1.1.0
        index.js
        package.json
    - vulnerable-peer-deps-1.1.0
      - index.js
      - package.json
  - pkg-tests-specs/sources/commands/npm
    - audit.test.ts
- plugin-constraints
  - package.json
- plugin-dlx
  - package.json
- plugin-essentials
  - package.json
- plugin-git
  - package.json
- plugin-init
  - package.json
- plugin-interactive-tools
  - package.json
- plugin-nm
  - package.json
- plugin-npm-cli
  - package.json
  - sources
    - commands/npm
      - audit.ts
    - index.ts
    - npmAuditTypes.ts
    - npmAuditUtils.ts
  - tests
    - npmAuditUtils.test.js
- plugin-pack
  - package.json
- plugin-patch
  - package.json
- plugin-pnpm
  - package.json
- plugin-pnp
  - package.json
- plugin-stage
  - package.json
- plugin-version
  - package.json
- plugin-workspace-tools
  - package.json
- yarnpkg-builder
  - package.json
- yarnpkg-cli
  - package.json
- yarnpkg-core
  - package.json
  - sources
    - treeUtils.ts
- yarnpkg-doctor
  - package.json
- yarnpkg-pnpify
  - package.json
- yarnpkg-sdks
  - package.json
- yarnpkg-shell
  - package.json
yarn.lock

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

62 files changed

+1667

-1569

lines changed

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,35 @@`
	`1`	`+releases:`
	`2`	`+ "@yarnpkg/builder": major`
	`3`	`+ "@yarnpkg/cli": major`
	`4`	`+ "@yarnpkg/core": major`
	`5`	`+ "@yarnpkg/doctor": major`
	`6`	`+ "@yarnpkg/plugin-constraints": major`
	`7`	`+ "@yarnpkg/plugin-dlx": major`
	`8`	`+ "@yarnpkg/plugin-essentials": major`
	`9`	`+ "@yarnpkg/plugin-git": major`
	`10`	`+ "@yarnpkg/plugin-init": major`
	`11`	`+ "@yarnpkg/plugin-interactive-tools": major`
	`12`	`+ "@yarnpkg/plugin-nm": major`
	`13`	`+ "@yarnpkg/plugin-npm-cli": major`
	`14`	`+ "@yarnpkg/plugin-pack": major`
	`15`	`+ "@yarnpkg/plugin-patch": major`
	`16`	`+ "@yarnpkg/plugin-pnp": major`
	`17`	`+ "@yarnpkg/plugin-pnpm": major`
	`18`	`+ "@yarnpkg/plugin-stage": major`
	`19`	`+ "@yarnpkg/plugin-version": major`
	`20`	`+ "@yarnpkg/plugin-workspace-tools": major`
	`21`	`+ "@yarnpkg/pnpify": major`
	`22`	`+ "@yarnpkg/sdks": major`
	`23`	`+ "@yarnpkg/shell": major`
	`24`	`+`
	`25`	`+declined:`
	`26`	`+ - "@yarnpkg/plugin-compat"`
	`27`	`+ - "@yarnpkg/plugin-exec"`
	`28`	`+ - "@yarnpkg/plugin-file"`
	`29`	`+ - "@yarnpkg/plugin-github"`
	`30`	`+ - "@yarnpkg/plugin-http"`
	`31`	`+ - "@yarnpkg/plugin-link"`
	`32`	`+ - "@yarnpkg/plugin-npm"`
	`33`	`+ - "@yarnpkg/plugin-typescript"`
	`34`	`+ - "@yarnpkg/extensions"`
	`35`	`+ - "@yarnpkg/nm"`

`‎CHANGELOG.md‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ Yarn now accepts sponsorships! Please give a look at our [OpenCollective](https:`
`19`	`19`	- The network settings configuration option has been renamed from `caFilePath` to `httpsCaFilePath`.
`20`	`20`	- `yarn workspaces foreach` now automatically enables the `-v,--verbose` flag in interactive terminal environments.
`21`	`21`	- `yarn npm audit` no longer takes into account publish registries. Use [`npmAuditRegistry`](https://yarnpkg.com/configuration/yarnrc#npmAuditRegistry) instead.
	`22`	+- `yarn npm audit` has been fully rewritten to use the newer `/-/npm/v1/security/advisories/bulk` endpoint. Make sure your registry supports it, and let them know you need it otherwise (in the meantime you can use `npmAuditRegistry` to send your audit queries to the npm registry).
`22`	`23`	- The `--assume-fresh-project` flag of `yarn init` has been removed. Should only affect people initializing Yarn 4+ projects using a Yarn 2 binary.
`23`	`24`	- `yarn init` no longer enables zero-installs by default.
`24`	`25`	- Yarn will no longer remove the old Yarn 2.x `.pnp.js` file when migrating.

`‎package.json‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`"@yarnpkg/fslib": "workspace:^",`
`20`	`20`	`"@yarnpkg/libzip": "workspace:^",`
`21`	`21`	`"@yarnpkg/sdks": "workspace:^",`
`22`		`- "clipanion": "^3.2.0-rc.10",`
	`22`	`+ "clipanion": "^3.2.1",`
`23`	`23`	`"esbuild-wasm": "0.17.5",`
`24`	`24`	`"eslint": "^8.2.0",`
`25`	`25`	`"jest": "^29.2.1",`

`‎packages/acceptance-tests/pkg-tests-core/package.json‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`"@yarnpkg/core": "workspace:^",`
`19`	`19`	`"@yarnpkg/fslib": "workspace:^",`
`20`	`20`	`"@yarnpkg/parsers": "workspace:^",`
	`21`	`+ "@yarnpkg/plugin-npm-cli": "workspace:^",`
`21`	`22`	`"finalhandler": "^1.1.2",`
`22`	`23`	`"invariant": "^2.2.4",`
`23`	`24`	`"pem": "dexus/pem",`
`@@ -37,6 +38,7 @@`
`37`	`38`	`"node": ">=14.15.0"`
`38`	`39`	`},`
`39`	`40`	`"dependencies": {`
	`41`	`+ "typanion": "^3.12.1",`
`40`	`42`	`"uuid": "^8.3.2"`
`41`	`43`	`}`
`42`	`44`	`}`

`‎packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts‎`

Lines changed: 82 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,6 @@`
	`1`	`+import {semverUtils} from '@yarnpkg/core';`
`1`	`2`	`import {PortablePath, npath, toFilename, xfs, ppath, Filename} from '@yarnpkg/fslib';`
	`3`	`+import {npmAuditTypes} from '@yarnpkg/plugin-npm-cli';`
`2`	`4`	`import assert from 'assert';`
`3`	`5`	`import crypto from 'crypto';`
`4`	`6`	`import finalhandler from 'finalhandler';`
`@@ -12,6 +14,7 @@ import pem from 'pem';`
`12`	`14`	`import semver from 'semver';`
`13`	`15`	`import serveStatic from 'serve-static';`
`14`	`16`	`import stream from 'stream';`
	`17`	`+import * as t from 'typanion';`
`15`	`18`	`import {promisify} from 'util';`
`16`	`19`	`import {v5 as uuidv5} from 'uuid';`
`17`	`20`	`import {Gzip} from 'zlib';`
`@@ -53,6 +56,7 @@ export enum RequestType {`
`53`	`56`	Whoami = `whoami`,
`54`	`57`	Repository = `repository`,
`55`	`58`	Publish = `publish`,
	`59`	+ BulkAdvisories = `bulkAdvisories`,
`56`	`60`	`}`
`57`	`61`
`58`	`62`	`export type Request = {`
`@@ -76,6 +80,8 @@ export type Request = {`
`76`	`80`	`type: RequestType.Publish;`
`77`	`81`	`scope?: string;`
`78`	`82`	`localName: string;`
	`83`	`+} \| {`
	`84`	`+ type: RequestType.BulkAdvisories;`
`79`	`85`	`};`
`80`	`86`
`81`	`87`	`export class Login {`
`@@ -108,6 +114,42 @@ export class Login {`
`108`	`114`	`}`
`109`	`115`	`}`
`110`	`116`
	`117`	`+export const ADVISORIES = new Map<string, Array<npmAuditTypes.AuditMetadata>>([`
	`118`	+ [`vulnerable`, [{
	`119`	`+ id: 1,`
	`120`	+ url: `https://example.com/advisories/1`,
	`121`	+ title: `Something is wrong`,
	`122`	`+ severity: npmAuditTypes.Severity.High,`
	`123`	+ vulnerable_versions: `<1.1.0`,
	`124`	`+ }]],`
	`125`	+ [`vulnerable-peer-deps`, [{
	`126`	`+ id: 2,`
	`127`	+ url: `https://example.com/advisories/2`,
	`128`	+ title: `Something else is wrong`,
	`129`	`+ severity: npmAuditTypes.Severity.High,`
	`130`	+ vulnerable_versions: `<1.1.0`,
	`131`	`+ }]],`
	`132`	+ [`vulnerable-many`, [{
	`133`	`+ id: 3,`
	`134`	+ url: `https://example.com/advisories/3`,
	`135`	+ title: `Something is wrong`,
	`136`	`+ severity: npmAuditTypes.Severity.High,`
	`137`	+ vulnerable_versions: `<1.1.0`,
	`138`	`+ }, {`
	`139`	`+ id: 4,`
	`140`	+ url: `https://example.com/advisories/4`,
	`141`	+ title: `Something is still wrong`,
	`142`	`+ severity: npmAuditTypes.Severity.High,`
	`143`	+ vulnerable_versions: `<1.1.0`,
	`144`	`+ }, {`
	`145`	`+ id: 5,`
	`146`	+ url: `https://example.com/advisories/5`,
	`147`	+ title: `Something is always wrong`,
	`148`	`+ severity: npmAuditTypes.Severity.High,`
	`149`	+ vulnerable_versions: `<1.1.0`,
	`150`	`+ }]],`
	`151`	`+]);`
	`152`	`+`
`111`	`153`	`export const validLogins = {`
`112`	`154`	fooUser: new Login(`foo-user`),
`113`	`155`	barUser: new Login(`bar-user`),
`@@ -440,6 +482,7 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl`
`440`	`482`	`async [RequestType.Repository](parsedRequest, request, response) {`
`441`	`483`	`staticServer(request as any, response as any, finalhandler(request, response));`
`442`	`484`	`},`
	`485`	`+`
`443`	`486`	`async [RequestType.Publish](parsedRequest, request, response) {`
`444`	`487`	`if (parsedRequest.type !== RequestType.Publish)`
`445`	`488`	throw new Error(`Assertion failed: Invalid request type`);
`@@ -472,6 +515,41 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl`
`472`	`515`	`return response.end(rawData);`
`473`	`516`	`});`
`474`	`517`	`},`
	`518`	`+`
	`519`	`+ async [RequestType.BulkAdvisories](parsedRequest, request, response) {`
	`520`	`+ if (parsedRequest.type !== RequestType.BulkAdvisories)`
	`521`	+ throw new Error(`Assertion failed: Invalid request type`);
	`522`	`+`
	`523`	+ let rawData = ``;
	`524`	`+`
	`525`	+ request.on(`data`, chunk => rawData += chunk);
	`526`	+ request.on(`end`, () => {
	`527`	`+ let body;`
	`528`	`+ try {`
	`529`	`+ body = JSON.parse(rawData);`
	`530`	`+ } catch (e) {`
	`531`	+ return processError(response, 401, `Invalid`);
	`532`	`+ }`
	`533`	`+`
	`534`	`+ t.assertWithErrors(body, t.isRecord(t.isArray(t.isString())));`
	`535`	`+`
	`536`	`+ const result = Object.create(null);`
	`537`	`+ for (const [packageName, versions] of Object.entries(body)) {`
	`538`	`+ const advisories = [];`
	`539`	`+`
	`540`	`+ for (const advisory of ADVISORIES.get(packageName) ?? [])`
	`541`	`+ if (versions.some(version => semverUtils.satisfiesWithPrereleases(version, advisory.vulnerable_versions)))`
	`542`	`+ advisories.push(advisory);`
	`543`	`+`
	`544`	`+ if (advisories.length > 0) {`
	`545`	`+ result[packageName] = advisories;`
	`546`	`+ }`
	`547`	`+ }`
	`548`	`+`
	`549`	+ response.writeHead(200, {[`Content-Type`]: `application/json`});
	`550`	`+ return response.end(JSON.stringify(result));`
	`551`	`+ });`
	`552`	`+ },`
`475`	`553`	`};`
`476`	`554`
`477`	`555`	`const sendError = (res: ServerResponse, statusCode: number, errorMessage: string): void => {`
`@@ -508,6 +586,10 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl`
`508`	`586`	`// Set later when login is parsed`
`509`	`587`	`login: null as any,`
`510`	`588`	`};`
	`589`	+ } else if (url === `/-/npm/v1/security/advisories/bulk`) {
	`590`	`+ return {`
	`591`	`+ type: RequestType.BulkAdvisories,`
	`592`	`+ };`
`511`	`593`	} else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)$/)) && method == `PUT`) {
`512`	`594`	`const [, scope, localName] = match;`
`513`	`595`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit fe64476

File tree

62 files changed

Some content is hidden

62 files changed

`‎.pnp.cjs‎`

`‎.yarn/cache/clipanion-npm-3.2.0-rc.10-b702c05bd9-d3b6454c9e.zip‎`

`‎.yarn/cache/clipanion-npm-3.2.1-fc9187f56c-6f757bde93.zip‎`

`‎.yarn/cache/typanion-npm-3.12.1-788497c54f-492540c6ac.zip‎`

`‎.yarn/cache/typanion-npm-3.3.2-81374d30a8-e67391884a.zip‎`

`‎.yarn/versions/9161855d.yml‎`

`‎CHANGELOG.md‎`

`‎package.json‎`

`‎packages/acceptance-tests/pkg-tests-core/package.json‎`

`‎packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts‎`

0 commit comments