Yarn 4 changed `yarn npm audit --json` to an NDJSON tree-report stream
(one advisory per line, shape `{value, children: {ID, URL, Severity, ...}}`),
which is incompatible with the Yarn 2/3 aggregated report format.
This change:
- Adds a `yarnUsesBerryTreeReport` version gate (>=4.0.0) and parses the
per-line advisory format into the existing `ProcessedAdvisory` shape so
Model.process(), allowlist matching, fail-level filtering, and exit-code
semantics all behave the same as on Yarn classic / 2 / 3.
- Synthesises a per-severity summary from the stream (Yarn 4 no longer
emits a summary line) and prints it under `--report-type=important|summary`.
- Skips deprecation-only entries (lines without a GitHub advisory URL).
- Derives allowlist paths from `Dependents[]`, collapsing the root workspace
to a bare module name and prefixing non-root workspaces with their name.
- Updates README Requirements and Limitations to drop the Yarn <4 cap and
document the new behaviour.
Verified end-to-end against real Yarn 4 and npm projects: 20/20 advisories
detected on Yarn 4 (matching `yarn npm audit` baseline), 6 deprecation
lines correctly filtered out, allowlist subtraction works, npm/pnpm paths
unchanged from main.
Signed-off-by: Baf <26187677+Bafff@users.noreply.github.com>
Closes #332.
Summary

Yarn 4 changed `yarn npm audit --json` to an NDJSON tree-report stream (one advisory per line, shape `{value, children: {ID, URL, Severity, ...}}`), which is incompatible with the Yarn 2/3 aggregated report format. With v7.1.0 the parser silently emits zero findings on any Yarn 4 project.

This PR adds a dedicated Yarn 4 branch that:

- Adds a version gate `yarnUsesBerryTreeReport` (>=4.0.0) and parses each NDJSON line into the existing `ProcessedAdvisory` shape, so allowlist matching, fail levels, exit codes, and `audit-ci.jsonc` config behave exactly as on Yarn classic / 2 / 3.
- Synthesises a per-severity summary from the stream (Yarn 4 no longer emits a summary line) and prints it under `--report-type=important|summary`.
- Skips deprecation-only entries (lines without a `https://github.com/advisories/...` URL) to match `npm audit` / Yarn 2/3 parity.
- Derives allowlist paths from `Dependents[]`, collapsing the root workspace (`workspace:.`) to a bare module name and prefixing non-root workspaces with their workspace name (so allowlist entries like `GHSA-…|my-workspace>qs` keep working).
- Updates README Requirements (drops the `<4.0.0` cap) and Limitations (replaces the "not supported" note with a description of the new behaviour).

The npm and pnpm code paths are not touched — the change is gated entirely behind `isYarnBerryV4`.

Test plan

- `test/yarn-4-auditor.spec.ts` (10 tests) covers: severity gating, allowlist by id, allowlist by dependents path, synthesised summary for `summary` and `important` report types, deprecation-line filtering for both summary and important output. All pass against bundled Yarn 4.2.2.
- `test/yarn-4-deprecation-summary/` exercises a real lockfile where Yarn 4 emits both deprecation lines (`inflight`) and a critical advisory (`open`) — only the advisory ends up in findings/summary.
- Verified end-to-end on a real Yarn 4 project: 20/20 advisories detected, matching the `yarn npm audit --json` baseline, 6 deprecation lines correctly filtered, allowlist subtraction works (3 allowlisted → 17 failed; all 20 allowlisted → exit 0 "Passed yarn security audit").
- Ran a real npm project on this branch and on `main` (76 advisories on both), confirming the npm path is unaffected.
- `tsc --noEmit` clean.
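The parsing, deprecation filtering, allowlist-path derivation and summary synthesis described in the commit message and PR summary above, as an added TypeScript example that is not audit-ci's own code. It assumes the NDJSON field names this PR names (`value`, `children.ID`/`URL`/`Severity`/`Dependents`), that `Dependents[]` entries look like `<workspace>@workspace:<path>`, and feeds a constructed sample stream with placeholder GHSA ids.

```typescript
// Added example, not audit-ci's own code: parse the Yarn 4 `yarn npm audit --json`
// NDJSON tree report, drop deprecation-only lines, derive allowlist paths from
// Dependents[], apply an allowlist and synthesise the per-severity summary.
// Assumption: Dependents[] entries look like "<workspace>@workspace:<path>".
export interface Advisory { ghsa: string; pkg: string; severity: string; paths: string[] }
const ADVISORY_URL = "https://github.com/advisories/";
// "app@workspace:." (root) collapses to the bare module name "qs"; any other
// workspace is prefixed with its name, giving "api>qs".
export function toAllowlistPath(dependent: string, pkg: string): string {
  const m = /^(.+?)@workspace:(.*)$/.exec(dependent);
  return !m || m[2] === "." ? pkg : `${m[1]}>${pkg}`;
}
export function parseYarn4Audit(ndjson: string): Advisory[] {
  const out: Advisory[] = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const { value, children } = JSON.parse(line);
    const url = children?.URL;
    // Deprecation-only entries carry no GitHub advisory URL: skip them.
    if (typeof url !== "string" || url.indexOf(ADVISORY_URL) !== 0) continue;
    const deps: string[] = Array.isArray(children.Dependents) ? children.Dependents : [];
    const paths = deps.length ? deps.map((d) => toAllowlistPath(d, value)) : [value];
    out.push({ ghsa: url.slice(ADVISORY_URL.length), pkg: value,
      severity: String(children.Severity).toLowerCase(),
      paths: paths.filter((p, i) => paths.indexOf(p) === i) }); // de-duplicate paths
  }
  return out;
}
// Allowlist entries are "GHSA-…" (whole advisory) or "GHSA-…|path" (one path); an
// advisory is dropped only when its id, or every one of its paths, is allowlisted.
export function applyAllowlist(advs: Advisory[], allowlist: string[]): Advisory[] {
  return advs.filter((a) => {
    if (allowlist.indexOf(a.ghsa) !== -1) return false;
    const allowed = allowlist.filter((e) => e.indexOf(a.ghsa + "|") === 0).map((e) => e.split("|")[1]);
    return !a.paths.every((p) => allowed.indexOf(p) !== -1);
  });
}
// Yarn 4 emits no summary line, so build one from the parsed advisories.
export function summarise(advs: Advisory[]): Record<string, number> {
  const counts: Record<string, number> = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const a of advs) counts[a.severity] = (counts[a.severity] ?? 0) + 1;
  return counts;
}
// Constructed sample stream (placeholder GHSA ids): two advisories plus one deprecation line.
export const SAMPLE = [
  '{"value":"qs","children":{"ID":1,"URL":"https://github.com/advisories/GHSA-aaaa-0000-0001","Severity":"high","Dependents":["app@workspace:."]}}',
  '{"value":"lodash","children":{"ID":2,"URL":"https://github.com/advisories/GHSA-bbbb-0000-0002","Severity":"critical","Dependents":["app@workspace:.","api@workspace:packages/api"]}}',
  '{"value":"inflight","children":{"ID":3,"Issue":"deprecated","Severity":"moderate"}}',
].join("\n");
```

Running `parseYarn4Audit(SAMPLE)` yields two advisories (the `inflight` deprecation line is dropped), and `summarise` reports one high and one critical, which is the per-severity line that `--report-type=summary` would print.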