npm audit finds a vulnerability in a package, yarn why doesn't find it

npm audit (and GitHub) find this vulnerability:

    # Run  npm update macaddress --depth 5  to resolve 1 vulnerability

    Critical       Command Injection
    Package        macaddress
    Dependency of  css-loader [dev]
    Path           css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
    More info      https://nodesecurity.io/advisories/654

Not only does yarn audit not find this vulnerability, yarn why isn't aware of such a dependency:

    > yarn why macaddress
    yarn why v1.12.3
    [1/4] Why do we have the module "macaddress"...?
    [2/4] Initialising dependency graph...
    [3/4] Finding dependency...
    error We couldn't find a match!
    Done in 0.66s

It also doesn't find uniqid; however, it does find postcss-filter-plugins.

Can anybody explain why yarn and npm seem to have a different idea of what's in the dependency tree?

Tags: yarnpkg

asked Nov 25 '18 at 14:35 by Reto Gmür

  • did you try yarn audit? – Santosh, Jan 22 at 8:54
  • @Santosh, as I wrote yarn audit doesn't find the vulnerability. – Reto Gmür, Jan 22 at 12:33

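The two tools answer from different inputs: npm audit builds its tree from package.json and package-lock.json, while yarn why and yarn audit walk yarn.lock. When a project carries both lockfiles (for example a yarn-managed repository in which someone once ran npm install), the two files can pin different versions of an intermediate package, and a transitive dependency that exists in one tree simply does not exist in the other. The script below is an added example, not code from the question or from npm or yarn. It traces the path that npm audit reported through a constructed package-lock.json and a constructed yarn.lock and reports the first hop where the two resolve different versions. The sample lockfiles assume, purely for illustration, that yarn.lock resolved a newer cssnano whose postcss-filter-plugins dependency no longer lists uniqid; none of the versions or ranges in them are taken from the original post.

```javascript
// Added example, not code from the question or from npm/yarn: trace one dependency
// path through package-lock.json (what `npm audit` reads) and yarn.lock (what
// `yarn why` reads) and report the first hop where the two lockfiles disagree.
// Both lockfiles are constructed samples; every version and range is an assumption.
const PACKAGE_LOCK = { // constructed package-lock.json (lockfileVersion 1), parsed
  dependencies: {
    'css-loader': { version: '1.0.1', dev: true, requires: { cssnano: '^4.1.4' } },
    cssnano: { version: '4.1.4', dev: true, requires: { 'postcss-filter-plugins': '^2.0.2' } },
    'postcss-filter-plugins': { version: '2.0.2', dev: true, requires: { uniqid: '^4.0.0' } },
    uniqid: { version: '4.1.1', dev: true, requires: { macaddress: '^0.2.8' } },
    macaddress: { version: '0.2.8', dev: true },
  },
};
const YARN_LOCK = `# yarn lockfile v1 (constructed sample for the same project)

css-loader@^1.0.0:
  version "1.0.1"
  dependencies:
    cssnano "^4.1.4"

cssnano@^4.1.4:
  version "4.1.7"
  dependencies:
    postcss-filter-plugins "^3.0.0"

postcss-filter-plugins@^3.0.0:
  version "3.0.0"
  dependencies:
    postcss "^7.0.0"
`;
// Minimal yarn.lock v1 parser: Map of "name@range" -> { version, dependencies }.
function parseYarnLock(text) {
  const entries = new Map();
  let cur = null, inDeps = false, m;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line[0] === '#') continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(':')) { // header "a@^1, b@^2:" (scoped keys are quoted)
      cur = { version: null, dependencies: {} };
      inDeps = false;
      for (const k of line.slice(0, -1).split(', ')) entries.set(k.replace(/^"|"$/g, ''), cur);
    } else if (indent === 2 && cur) {
      inDeps = line === 'dependencies:';
      if ((m = /^version "([^"]+)"$/.exec(line))) cur.version = m[1];
    } else if (indent === 4 && cur && inDeps && (m = /^"?([^"\s]+)"? "([^"]+)"$/.exec(line))) {
      cur.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Walk `path` as yarn does: each hop's range comes from the previous entry's
// dependencies and selects exactly one "name@range" entry. The root's own range
// is not in the lockfile, so the first hop takes any entry with that name.
function traceYarn(entries, path) {
  const hops = [];
  let entry = ([...entries].find(([k]) => k.slice(0, k.lastIndexOf('@')) === path[0]) || [])[1];
  for (let i = 0; i < path.length; i++) {
    if (i > 0) {
      const range = entry.dependencies[path[i]];
      entry = range ? entries.get(`${path[i]}@${range}`) : null;
    }
    if (!entry) return { found: false, failedAt: path[i], hops };
    hops.push({ name: path[i], version: entry.version });
  }
  return { found: true, failedAt: null, hops };
}

// Walk `path` as npm/node do with a v1 package-lock: a "requires" entry is met by
// the package's own nested "dependencies", else the nearest ancestor's, else the top level.
function traceNpmLock(lock, path) {
  const hops = [];
  const scopes = [lock.dependencies || {}]; // innermost scope last
  let node = null;
  for (let i = 0; i < path.length; i++) {
    const name = path[i];
    let s = scopes.length - 1;
    while (s >= 0 && !scopes[s][name]) s--;
    if (s < 0 || (i > 0 && !(node.requires || {})[name])) return { found: false, failedAt: name, hops };
    node = scopes[s][name];
    scopes.length = s + 1; // resolution continues from the scope where it was found
    scopes.push(node.dependencies || {});
    hops.push({ name, version: node.version });
  }
  return { found: true, failedAt: null, hops };
}

// Run both traces and name the first hop whose resolved version differs.
function compareTrees(lock, yarnText, path) {
  const npm = traceNpmLock(lock, path);
  const yarn = traceYarn(parseYarnLock(yarnText), path);
  const divergence = path.find((_, i) =>
    !npm.hops[i] || !yarn.hops[i] || npm.hops[i].version !== yarn.hops[i].version) || null;
  return { npm, yarn, divergence };
}
const AUDIT_PATH = ['css-loader', 'cssnano', 'postcss-filter-plugins', 'uniqid', 'macaddress']; // from the question
console.log(JSON.stringify(compareTrees(PACKAGE_LOCK, YARN_LOCK, AUDIT_PATH), null, 2));
```

To run it against a real project, replace the two constants with the contents of package-lock.json (JSON.parse of the file) and yarn.lock, then read the `divergence` field: a hop that resolves to different versions in the two files is where the trees part ways, and `yarn why` on that package name shows which version yarn actually installed. The parser handles only the yarn.lock v1 text format that Yarn 1.x writes (the question's output is from yarn 1.12.3); Yarn 2 and later write a YAML lockfile that needs a different reader.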