Support Yarn v4

[mistaecko]

Running audit-ci with yarn 4.1.1 is broken, and does not report vulnerabilities at all.

It seems that v4 introduced major changes to the json output format of yarn npm audit that break audit-ci.

Example output in a project with vulnerabilities:

$ npx audit-ci
audit-ci version: 6.6.1
Yarn Berry audit report results:
undefined
undefined
[truncated]
undefined
undefined
Passed yarn security audit.

I updated one of the existing tests in test/yarn-berry-moderate to use yarn 4, and it (obviously) fails.

[quinnturner]

I am definitely interested in supporting this. I have some draft PRs that touch on adding test cases. I hope to release support in audit-ci v7.

[quinnturner]

After further investigation, Yarn v4 seems to support many of audit-ci's features directly: documentation on yarn npm audit.

With the recently released audit-ci v7, I decided not to support Yarn v4 out of the gate because I wanted to see feedback from the community before investing the time into supporting it.

The main functional gap in Yarn v4's implementation is that it doesn't support audit-ci's NSPRecord` feature, which allows you to set advisories' expiry.

In the meantime, I've documented that Yarn v4 is not supported in the README. Accordingly, I am removing the bug label.

If you're still interested in supporting it, let me know!

[hwo411]

+1 for this

[quinnturner]

@hwo411 I am open to supporting it, it's not a ton of work. Have you tried using Yarn v4's native audit management with allowlists? If you have and you have found a gap that audit-ci fills well, I am interested!

[mistaecko]

@quinnturner I haven't explored yarn 4's npm audit in detail yet. What immediately stood out to me though was the lack of a file-based configuration and ignore list. Of course, creating a wrapper script around the native yarn audit which provides that functionality is not a huge lift, but still something that needs to be documented, maintained, and published (or copy/pasted ugh).

audit-ci provides a nice abstraction across different package managers (and their versions). It enables a consistent mechanism to configure and manage audits in an org with a large number of repos that are - for various reasons - using different package managers and versions.

[hwo411]

@quinnturner thanks!

It's very well explain by @mistaecko what are the downsides of the npm audit/yarn audit. I think it's quite inconvenient if you need to switch the tool if you decide to start with or migrate to yarn v4 + you need to implement missing features yourself.

[Maartenbuit]

Im up for conversion :)

If anyone has some issues, we are using yarn 4+ but use yarn 1.22 for audit-ci specifically. You could still use this command from your package.json:

"auditPackages": "npx yarn@1.22.19 audit-ci --config ./audit-ci.jsonc"

[christian-schwaderer]

If anyone has some issues, we are using yarn 4+ but use yarn 1.22 for audit-ci specifically. You could still use this command from your package.json:

"auditPackages": "npx yarn@1.22.19 audit-ci --config ./audit-ci.jsonc"

Thanks for that hint! It works for me. Nice work around after migrating from Yarn 1 to Yarn 4. However, it's significantly slower than before when I had Yarn 1 in my repo.

So, I'm also for Yarn 4 support in audit-ci! Especially because of the config file option.