Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Github Security Alerts not being created when yarn.lock contain multiple resolved packages #3198

Closed
mehagar opened this issue Feb 25, 2021 · 4 comments
Labels

Comments

@mehagar
Copy link

mehagar commented Feb 25, 2021

My repo has a yarn.lock that resolves to multiple versions of the same package, so it looks like this:

elliptic@^6.0.0:
  version "6.4.0"
  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df"
  dependencies:
    bn.js "^4.4.0"
    brorand "^1.0.1"
    hash.js "^1.0.0"
    hmac-drbg "^1.0.0"
    inherits "^2.0.1"
    minimalistic-assert "^1.0.0"
    minimalistic-crypto-utils "^1.0.0"

elliptic@^6.5.2:
  version "6.5.3"
  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.3.tgz#cb59eb2efdaf73a0bd78ccd7015a62ad6e0f93d6"
  integrity sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==
  dependencies:
    bn.js "^4.4.0"
    brorand "^1.0.1"
    hash.js "^1.0.0"
    hmac-drbg "^1.0.0"
    inherits "^2.0.1"
    minimalistic-assert "^1.0.0"
    minimalistic-crypto-utils "^1.0.0"

That first package should trigger an alert because of this security advisory: GHSA-vh7m-p724-62c2
But it doesn’t. I suspect that the security alerts don’t work properly when there are multiple resolved packages.

Package manager/ecosystem
yarn.lock

Manifest contents prior to update

Updated dependency

What you expected to see, versus what you actually saw

I expected there to be a PR created for updating the elliptic package.

@mehagar mehagar added the T: bug 🐞 Something isn't working label Feb 25, 2021
@asciimike
Copy link
Contributor

I'm curious, why do you have two different versions of the same package? I assume that the Dependency Graph sees that you've got a version that's patched, so it doesn't raise the alert.

@mehagar
Copy link
Author

mehagar commented Mar 2, 2021

@asciimike I'm not exactly sure how we got into this situation, but I suspect it is because of how Yarn's dependency resolution algorithm works. There is even a separate deduplication tool here that is used exactly for this purpose.

@mehagar
Copy link
Author

mehagar commented Mar 15, 2021

This just started working for me, and Dependabot created an update to fix the issue by deduplicating the packages, which is what I want. I'm not sure whether there was a change to fix this or not.

Edit: NVM, I made a change to yarn.lock, then Dependabot detected this elliptic issue, but there are still others that it has not created a security updated for. This other one looks like:

serialize-javascript@5.0.1:
  version "5.0.1"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-5.0.1.tgz#7886ec848049a462467a97d3d918ebb2aaf934f4"
  integrity sha512-SaaNal9imEO737H2c05Og0/8LUXG7EnsZyMa8MzkmuHoELfT6txuj0cMqRj6zfPKnmQ1yasR4PCJc8x+M4JSPA==
  dependencies:
    randombytes "^2.1.0"

serialize-javascript@^1.4.0:
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-1.4.0.tgz#7c958514db6ac2443a8abc062dc9f7886a7f6005"

serialize-javascript@^2.1.0:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-2.1.1.tgz#952907a04a3e3a75af7f73d92d15e233862048b2"
  integrity sha512-MPLPRpD4FNqWq9tTIjYG5LesFouDhdyH0EPY3gVK4DRD5+g4aDqdNSzLIwceulo3Yj+PL1bPh6laE5+H6LTcrQ==

serialize-javascript@^3.1.0:
  version "3.1.0"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-3.1.0.tgz#8bf3a9170712664ef2561b44b691eafe399214ea"
  integrity sha512-JIJT1DGiWmIKhzRsG91aS6Ze4sFUrYbltlkg2onR5OrnNM02Kl/hnY/T4FN2omvyeBbQmMJv+K4cPOpGzOTFBg==
  dependencies:
    randombytes "^2.1.0"

Which should have triggered a security update because of this CVE.

feelepxyz added a commit that referenced this issue Jul 15, 2021
* [`013f0262d`](npm/cli@013f026)
  [#3469](npm/cli#3469)
  fix(exitHandler): write code to logfile
  ([@wraithgar](https://github.com/wraithgar))
* [`0dd0341ac`](npm/cli@0dd0341)
  [#3474](npm/cli#3474)
  fix(ping): make "npm ping" echo a right time
  ([@aluneed](https://github.com/aluneed))
* [`d2e298f3c`](npm/cli@d2e298f)
  [#3484](npm/cli#3484)
  fix(deprecate): add undeprecate support
  ([@wraithgar](https://github.com/wraithgar))

  ### DOCUMENTATION

* [`9dd32d08e`](npm/cli@9dd32d0)
  [#3485](npm/cli#3485)
  fix(docs): remove npm package config override
  ([@wraithgar](https://github.com/wraithgar))
* [`a4e095618`](npm/cli@a4e0956)
  [#3486](npm/cli#3486)
  fix(docs): remove .hooks scripts
  ([@wraithgar](https://github.com/wraithgar))

* [`5f8ccccef`](npm/cli@5f8cccc)
  [#3483](npm/cli#3483)
  chore(tests): clean snapshot for lib/view.js tests
  ([@wraithgar](https://github.com/wraithgar))

* [`23ce3af19`](npm/cli@23ce3af)
  [#3460](npm/cli#3460)
  feat(ls): report *why* something is invalid
  ([@isaacs](https://github.com/isaacs))

* [`53f81af31`](npm/cli@53f81af)
  [#3450](npm/cli#3450)
  fix(docs): Improve phrasing of workspace example
  ([@lumaxis](https://github.com/lumaxis))
* [`78da60ffe`](npm/cli@78da60f)
  [#3454](npm/cli#3454)
  chore(linting): add bin and clean up lib/ls.js
* [`54eae3063`](npm/cli@54eae30)
  [#3416](npm/cli#3416)
  chore(errorHandler): rename to exit handler
  ([@wraithgar](https://github.com/wraithgar))
* [`d0f50b156`](npm/cli@d0f50b1)
  [#3451](npm/cli#3451)
  chore(refactor): async npm.load
  ([@wraithgar](https://github.com/wraithgar))
* [`87f67d9ef`](npm/cli@87f67d9)
  [#3458](npm/cli#3458)
  chore(tests): expose real mock npm object
  ([@wraithgar](https://github.com/wraithgar))
* [`f3dce0917`](npm/cli@f3dce09)
  [#3459](npm/cli#3459)
  chore(config): snapshot config descriptions
  ([@wraithgar](https://github.com/wraithgar))
* [`6254b6f72`](npm/cli@6254b6f)
  [#3234](npm/cli#3234)
  [#3455](npm/cli#3455)
  @npmcli/package-json refactor
  ([@ruyadorno](https://github.com/ruyadorno))

* [`fe4138381`](npm/cli@fe41383)
  `@npmcli/arborist@2.6.4`:
  * bin: allow turning off timer display with --timers=false
  * fix: do not try to inflate a fresh lockfile
  * fix(diff): walk target children if root is a link
  * chore: @npmcli/package-json refactor

* [`fce30e423`](npm/cli@fce30e4)
  [#3435](npm/cli#3435)
  fix(docs): rebuild config docs
  ([@wraithgar](https://github.com/wraithgar))

* [`ae285b391`](npm/cli@ae285b3)
  [#3408](npm/cli#3408)
  feat(ls): support `--package-lock-only` flag
  ([@G-Rath](https://github.com/G-Rath))
* [`c984fb59c`](npm/cli@c984fb5)
  [#3420](npm/cli#3420)
  feat(pack): add pack-destination config
  ([@wraithgar](https://github.com/wraithgar))

* [`40829ec40`](npm/cli@40829ec)
  [#2554](npm/cli#2554)
  [#3399](npm/cli#3399)
  fix(link): do not prune packages
  ([@ruyadorno](https://github.com/ruyadorno))
* [`102d4e6fb`](npm/cli@102d4e6)
  [#3417](npm/cli#3417)
  fix(workspaces): explicitly error in global mode
  ([@wraithgar](https://github.com/wraithgar))
* [`993df3041`](npm/cli@993df30)
  [#3423](npm/cli#3423)
  fix(docs): ls command usage instructions
  ([@gurdiga](https://github.com/gurdiga))
* [`dcc13662c`](npm/cli@dcc1366)
  [#3418](npm/cli#3418)
  fix(config): update link definition
  ([@wraithgar](https://github.com/wraithgar))
* [`b19e56c2e`](npm/cli@b19e56c)
  [#3382](npm/cli#3382)
  [#3429](npm/cli#3429)
  fix(ls): respect prod config for workspaces
  ([@ruyadorno](https://github.com/ruyadorno))
* [`c99b8b53c`](npm/cli@c99b8b5)
  [#3430](npm/cli#3430)
  fix(config): add flatOptions.npxCache
  ([@wraithgar](https://github.com/wraithgar))
* [`e5abf2a21`](npm/cli@e5abf2a)
  [#3386](npm/cli#3386)
  chore(libnpmdiff): added as workspace
  ([@ruyadorno](https://github.com/ruyadorno))
* [`c6a8734d7`](npm/cli@c6a8734)
  [#3388](npm/cli#3388)
  chore(refactor): finish passing npm context
  ([@wraithgar](https://github.com/wraithgar))
* [`d16ee452a`](npm/cli@d16ee45)
  [#3426](npm/cli#3426)
  chore(tests): use path.resolve
  ([@wraithgar](https://github.com/wraithgar))

* [`6b951c042`](npm/cli@6b951c0)
  `libnpmversion@1.2.1`:
    * fix(retrieve-tag): pass match in a way git accepts
* [`de820a021`](npm/cli@de820a0)
  `npm-package-arg@8.1.5`:
  * fix: Make file: URLs (mostly) RFC 8909 compliant
* [`16a95c647`](npm/cli@16a95c6)
  `@npmcli/arborist@2.6.3`:
    * fix(inventory) handle old and british forms of 'license'
    * fix: removes [_complete] check to apply correct metadata
    * ensure node.fsParent is not set to node itself
    * fix extraneous deps on load-actual
* [`d341bd86c`](npm/cli@d341bd8)
  `make-fetch-happen@9.0.3`:
    * fix: implement cache modes correctly
* [`c90612cf5`](npm/cli@c90612c)
  `libnpmexec@2.0.0`:
    * use new npxCache option

* [`ef668ab57`](npm/cli@ef668ab)
  [#3368](npm/cli#3368)
  feat(diff): add workspace support
  ([@wraithgar](https://github.com/wraithgar))

* [`26d00c477`](npm/cli@26d00c4)
  [#3364](npm/cli#3364)
  fix(tests): mock writeFile in pack tests so we dont create 0 byte files in the repo
  ([@nlf](https://github.com/nlf))
* [`f130a81d6`](npm/cli@f130a81)
  [#3367](npm/cli#3367)
  fix(linting): add scripts, docs, smoke-tests
  ([@wraithgar](https://github.com/wraithgar))
* [`992799cd8`](npm/cli@992799c)
  [#3383](npm/cli#3383)
  fix(login): properly save scope if defined
  ([@wraithgar](https://github.com/wraithgar))

* [`844229519`](npm/cli@8442295)
  [#3392](npm/cli#3392)
  docs(workspaces): update using npm section
  Added examples of using `npm init` to bootstrap a new workspace and a
  section on how to add/manage dependencies to workspaces.
  ([@ruyadorno](https://github.com/ruyadorno))

* [`3654890fb`](npm/cli@3654890)
  remove ignored dep
  ([@nlf](https://github.com/nlf))
* [`a4a0e68a9`](npm/cli@a4a0e68)
  [#3362](npm/cli#3362)
  check less stuff into node_modules
  ([@isaacs](https://github.com/isaacs))
* [`7d5b049b6`](npm/cli@7d5b049)
  [#3365](npm/cli#3365)
  chore(package) Use a "files" list
  ([@isaacs](https://github.com/isaacs))

* [`e92b5f2ba`](npm/cli@e92b5f2)
  `npm-registry-fetch@11.0.0`
    * feat: improved logging of cache status

* [`e864bd3ce`](npm/cli@e864bd3)
  [#3345](npm/cli#3345)
  fix(update-notifier): do not update notify when installing npm@spec
  ([@isaacs](https://github.com/isaacs))
* [`aafe23572`](npm/cli@aafe235)
  [#3348](npm/cli#3348)
  fix(update-notifier): parallelize check for updates
  ([@isaacs](https://github.com/isaacs))

* [`bc9c57dda`](npm/cli@bc9c57d)
  [#3353](npm/cli#3353)
  fix(docs): remove documentation for '--scripts-prepend-node-path' as it was removed in npm@7
  ([@gimli01](https://github.com/gimli01))
* [`ca2822110`](npm/cli@ca28221)
  [#3360](npm/cli#3360)
  fix(docs): link foreground-scripts w/ loglevel
  ([@wraithgar](https://github.com/wraithgar))
* [`fb630b5a9`](npm/cli@fb630b5)
  [#3342](npm/cli#3342)
  chore(docs): manage docs as a workspace
  ([@ruyadorno](https://github.com/ruyadorno))

* [`54de5c6a4`](npm/cli@54de5c6)
  `npm-package-arg@8.1.4`:
    * fix: trim whitespace from fetchSpec
    * fix: handle file: when root directory begins with a special character
* [`e92b5f2ba`](npm/cli@e92b5f2)
  `make-fetch-happen@9.0.1`
    * breaking: complete refactor of caching. drops warning headers,
      prevents cache indexes from growing for every request, correctly
      handles varied requests to the same url, and now caches redirects.
    * fix: support url-encoded proxy authorization
    * fix: do not lazy-load proxy agents or agentkeepalive. fixes the
      intermittent failures to update npm on slower connections.
  `npm-registry-fetch@11.0.0`
    * breaking: drop handling of deprecated warning headers
    * docs: fix header type for npm-command
    * docs: update registry param
    * feat: improved logging of cache status
* [`23c50a45f`](npm/cli@23c50a4)
  `make-fetch-happen@9.0.2`:
    * fix: work around negotiator's lazy loading

* [`c4ef78b08`](npm/cli@c4ef78b)
  [#3344](npm/cli#3344)
  fix(automation): update incorrect variable name in create-cli-deps-pr workflow
  ([@gimli01](https://github.com/gimli01))

* [`598a17a26`](npm/cli@598a17a)
  [#3329](npm/cli#3329)
  fix(libnpmexec): don't detach output from npm
  ([@wraithgar](https://github.com/wraithgar))

* [`c4fc03e9e`](npm/cli@c4fc03e)
  `@npmcli/arborist@2.6.1`
    * fixes reifying deps with mismatching version ranges between
      actual and virtual trees
* [`9159fa62a`](npm/cli@9159fa6)
  `libnpmexec@1.2.0`

* [`399ff8cbc`](npm/cli@399ff8c)
  [#3312](npm/cli#3312)
  feat(link): add workspace support
  ([@isaacs](https://github.com/isaacs))

* [`46a9bcbcb`](npm/cli@46a9bcb)
  [#3282](npm/cli#3282)
  fix(docs): proper postinstall script file name
  ([@KevinFCormier](https://github.com/KevinFCormier))
* [`83590d40f`](npm/cli@83590d4)
  [#3272](npm/cli#3272)
  fix(ls): show relative paths from root
  ([@isaacs](https://github.com/isaacs))
* [`a574b518a`](npm/cli@a574b51)
  [#3304](npm/cli#3304)
  fix(completion): restore IFS even if `npm completion` returns error
  ([@NariyasuHeseri](https://github.com/NariyasuHeseri))
* [`554e8a5cd`](npm/cli@554e8a5)
  [#3311](npm/cli#3311)
  set audit exit code properly
  ([@isaacs](https://github.com/isaacs))
* [`4a4fbe33c`](npm/cli@4a4fbe3)
  [#3268](npm/cli#3268)
  [#3285](npm/cli#3285)
  fix(publish): skip private workspaces
  ([@ruyadorno](https://github.com/ruyadorno))

* [`3c53d631f`](npm/cli@3c53d63)
  [#3307](npm/cli#3307)
  fix(docs): typo in package-lock.json docs
  ([@rethab](https://github.com/rethab))
* [`96367f93f`](npm/cli@96367f9)
  rebuild npm-pack doc
  ([@isaacs](https://github.com/isaacs))
* [`64b13dd10`](npm/cli@64b13dd)
  [#3313](npm/cli#3313)
  Drop stale Python 3<->node-gyp remark
  ([@spencerwilson](https://github.com/spencerwilson))

* [`7b56bfdf3`](npm/cli@7b56bfd)
  `cacache@15.2.0`:
  * feat: allow fully deleting indices
  * feat: add a validateEntry option to compact
  * chore: lint
  * chore: use standard npm style release scripts
* [`dbbc151a3`](npm/cli@dbbc151)
  `npm-audit-report@2.1.5`:
  * fix(exit-code): account for null auditLevel default (#46)
* [`5b2604507`](npm/cli@5b26045)
  chore(package-lock): update devDependencies
  ([@gar](https://github.com/Gar))

* [`3d5df0082`](npm/cli@3d5df00)
  [#3294](npm/cli#3294)
  chore(ci): move node release PR workflow to cli repo
  ([@gimli01](https://github.com/gimli01))

* [`0d1a9d787`](npm/cli@0d1a9d7)
  [#3227](npm/cli#3227)
  feat(install): add workspaces support to npm install commands
  ([@isaacs](https://github.com/isaacs))
* [`c18626f04`](npm/cli@c18626f)
  [#3250](npm/cli#3250)
  feat(ls): add workspaces support
  ([@ruyadorno](https://github.com/ruyadorno))
* [`41099d395`](npm/cli@41099d3)
  [#3265](npm/cli#3265)
  feat(explain): add workspaces support
  ([@ruyadorno](https://github.com/ruyadorno))
* [`fde354669`](npm/cli@fde3546)
  [#3251](npm/cli#3251)
  feat(unpublish): add workspace/dry-run support
  ([@wraithgar](https://github.com/wraithgar))
* [`83df3666c`](npm/cli@83df366)
  [#3260](npm/cli#3260)
  feat(outdated): add workspaces support
  ([@ruyadorno](https://github.com/ruyadorno))
* [`63a7635f7`](npm/cli@63a7635)
  [#3217](npm/cli#3217)
  feat(pack): add support to json config/output
  ([@mrmlnc](https://github.com/mrmlnc))

* [`faa12ccc2`](npm/cli@faa12cc)
  [#3253](npm/cli#3253)
  fix search description typos
  ([@juanpicado](https://github.com/juanpicado))
* [`2f5c28a68`](npm/cli@2f5c28a)
  [#3243](npm/cli#3243)
  fix(docs): autogenerate config docs for commands
  ([@isaacs](https://github.com/isaacs))

* [`ec256a14a`](npm/cli@ec256a1)
  `@npmcli/arborist@2.6.0`
* [`5f15aba86`](npm/cli@5f15aba)
  `cacache@15.1.0`
* [`b3add87e6`](npm/cli@b3add87)
  [#3262](npm/cli#3262)
  `npm-registry-client@10.1.2`:
    * fixed sso login token

* [`076420c14`](npm/cli@076420c)
  [#3231](npm/cli#3231)
  feat(publish): add workspace support
  ([@wraithgar](https://github.com/wraithgar))
* [`370b36a36`](npm/cli@370b36a)
  [#3241](npm/cli#3241)
  feat(fund): add workspaces support
  ([@ruyadorno](https://github.com/ruyadorno))

* [`0c18e4f77`](npm/cli@0c18e4f)
  `@npmcli/arborist@2.5.0`
* [`b551c6811`](npm/cli@b551c68)
  `libnpmfund@1.1.0`

* [`de49f58f5`](npm/cli@de49f58)
  [#3216](npm/cli#3216)
  fix(contributing): link to proper cli repo
  ([@mrmlnc](https://github.com/mrmlnc))
* [`1d092144e`](npm/cli@1d09214)
  [#3203](npm/cli#3203)
  fix(packages): locale-agnostic string sorting
  ([@isaacs](https://github.com/isaacs))
* [`0696fca13`](npm/cli@0696fca)
  [#3209](npm/cli#3209)
  fix(view): fix non-registry specs
  ([@wraithgar](https://github.com/wraithgar))
* [`71ac93597`](npm/cli@71ac935)
  [#3206](npm/cli#3206)
  chore(github): Convert md issue template to yaml
  ([@lukehefson](https://github.com/lukehefson))
* [`6fb386d3b`](npm/cli@6fb386d)
  [#3201](npm/cli#3201)
  fix(tests): increase test fuzziness
  ([@wraithgar](https://github.com/wraithgar))
* [`f3a662fcd`](npm/cli@f3a662f)
  [#3211](npm/cli#3211)
  fix(tests): use config defaults
  ([@wraithgar](https://github.com/wraithgar))

* [`285976fd1`](npm/cli@285976f)
  `@npmcli/arborist@2.4.4`
  * fix(reify): properly save spec if prerelease
* [`f9f24d17c`](npm/cli@f9f24d1)
  `libnpmexec@1.1.1`
  * fix(add): Specify 'en' locale to String.localeCompare
* [`cb9f17499`](npm/cli@cb9f174)
  `glob@7.1.7`
  * force 'en' locale in string sorting
* [`24b4e4a41`](npm/cli@24b4e4a)
  `ignore-walk@3.0.4`
  * Avoid locale-specific sorting issues
* [`1eb7e5c7d`](npm/cli@1eb7e5c)
  `@npmcli/arborist@2.4.3`
  * guard against locale-specific sorting
* [`a6a826067`](npm/cli@a6a8260)
  `npm-packlist@2.2.2`:
  * fix(sort): avoid locale-dependent sorting issues

* [`701627c51`](npm/cli@701627c)
  [#3098](npm/cli#3098)
  feat(cache): Allow `add` to accept multiple specs
  ([@mjsir911](https://github.com/mjsir911))
* [`59171f030`](npm/cli@59171f0)
  [#3187](npm/cli#3187)
  feat(config): add workspaces boolean to user-agent
  ([@nlf](https://github.com/nlf))

* [`2c9b8713c`](npm/cli@2c9b871)
  [#3182](npm/cli#3182)
  fix(docs): fix broken links
  ([@wangsai](https://github.com/wangsai))
* [`88cbc8c44`](npm/cli@88cbc8c)
  [#3198](npm/cli#3198)
  fix(tests): reflect new libnpmexec logic

* [`d01ce5e13`](npm/cli@d01ce5e)
  `libnpmexec@1.1.0`:
    * feat: add walk up dir lookup to satisfy local bins
* [`81c1dfaaa`](npm/cli@81c1dfa)
  `@npmcli/arborist@2.4.2`:
    * fix(add): save packages in the right place
    * fix(reify): do not clean up nodes with no parent
    * fix(audit): support alias specs & root package names
* [`87c2303ea`](npm/cli@87c2303)
  `@npmcli/git@2.0.9`:
    * fix(clone): Do not allow git replacement objects by default
* [`99ff40dff`](npm/cli@99ff40d)
  `npm-packlist@2.2.0`:
    * feat(npmignore): Do not force include history, changelogs, notice
    * fix(package.json): add missing bin/index.js to files

* [`c371f183e`](npm/cli@c371f18)
  [#3137](npm/cli#3137)
  [#3140](npm/cli#3140)
  fix(ls): do not warn on missing optional deps
  ([@isaacs](https://github.com/isaacs))
* [`861f606c7`](npm/cli@861f606)
  [#3156](npm/cli#3156)
  fix(build): make prune rule work on case-sensitive file systems
  ([@lpinca](https://github.com/lpinca))

* [`fb79d89a0`](npm/cli@fb79d89)
  `tap@15.0.6`
* [`ce3820043`](npm/cli@ce38200)
  `@npmcli/arborist@2.4.1`
    * fix: prevent and eliminate unnecessary duplicates
    * fix: support resolvable partial intersecting peerSets

* [`e479f1dac`](npm/cli@e479f1d)
  [#3146](npm/cli#3146)
  mention `directories.bin` in `bin`
  ([@felipecrs](https://github.com/felipecrs))

* [`7925cca24`](npm/cli@7925cca)
  `pacote@11.3.3`:
  * fix(registry): normalize manfest
* [`b61eac693`](npm/cli@b61eac6)
  [#3130](npm/cli#3130)
  `@npmcli/config@2.2.0`
* [`c74e67fc6`](npm/cli@c74e67f)
  [#3130](npm/cli#3130)
  `npm-registry-fetch@10.1.1`

* [`efdd7dd44`](npm/cli@efdd7dd)
  Remove unused and incorrectly documented `--always-auth` config definition
  ([@isaacs](https://github.com/isaacs))

* [`4c1f16d2c`](npm/cli@4c1f16d)
  [#3095](npm/cli#3095)
  feat(init): add workspaces support
  ([@ruyadorno](https://github.com/ruyadorno))

* [`42ca59eee`](npm/cli@42ca59e)
  [#3086](npm/cli#3086)
  fix(ls): do not exit with error when all problems are extraneous deps
  ([@nlf](https://github.com/nlf))
* [`2aecec591`](npm/cli@2aecec5)
  [#2724](npm/cli#2724)
  [#3119](npm/cli#3119)
  fix(ls): make --long work when missing deps
  ([@ruyadorno](https://github.com/ruyadorno))
* [`42e0587a9`](npm/cli@42e0587)
  [#3115](npm/cli#3115)
  fix(pack): refuse to pack invalid packument
  ([@wraithgar](https://github.com/wraithgar))
* [`1c4eff7b5`](npm/cli@1c4eff7)
  [#3126](npm/cli#3126)
  fix(logout): use isBasicAuth attribute
  ([@wraithgar](https://github.com/wraithgar))

* [`c93f1c39e`](npm/cli@c93f1c3)
  [#3101](npm/cli#3101)
  chore(docs): update view docs
  ([@wraithgar](https://github.com/wraithgar))
* [`c4ff4bc11`](npm/cli@c4ff4bc)
  [npm/statusboard#313](npm/statusboard#313)
  [#3109](npm/cli#3109)
  fix(usage): fix refs to ws shorthand
  ([@ruyadorno](https://github.com/ruyadorno))

* [`83166ebcc`](npm/cli@83166eb)
  `npm-registry-fetch@10.1.0`
    * feat(auth): set isBasicAuth
* [`e02bda6da`](npm/cli@e02bda6)
  `npm-registry-fetch@10.0.0`
    * feat(auth) load/send based on URI, not registry
* [`a0382deba`](npm/cli@a0382de)
  `@npmcli/run-script@1.8.5`
    * fix: windows ComSpec env variable name
* [`7f82ef5a8`](npm/cli@7f82ef5)
  `pacote@11.3.2`
* [`35e49b94f`](npm/cli@35e49b9)
  `@npmcli/arborist@2.4.0`
* [`95faf8ce6`](npm/cli@95faf8c)
  `libnpmaccess@4.0.2`
* [`17fffc0e4`](npm/cli@17fffc0)
  `libnpmhook@6.0.2`
* [`1b5a213aa`](npm/cli@1b5a213)
  `libnpmorg@2.0.2`
* [`9f83e6484`](npm/cli@9f83e64)
  `libnpmpublish@4.0.1`
* [`251f788c5`](npm/cli@251f788)
  `libnpmsearch@3.1.1`
* [`35873a989`](npm/cli@35873a9)
  `libnpmteam@2.0.3`
* [`23e12b4d8`](npm/cli@23e12b4)
  `npm-profile@5.0.3`
@dependabot dependabot deleted a comment from genbushi Jan 30, 2023
@jeffwidman
Copy link
Member

A couple of fixes shipped recently that should resolve this... one just shipped a few days ago.

Also, please keep in mind this repo / issue tracker is now primarily about the code that creates PR's to bump versions--whether from cron or from security alerts--but not about the security alerts themselves, as they're now two separate teams and that team doesn't monitor this issue tracker (nor should they). Versus this issue is about the alerts themselves, not the resulting PRs.

So if you're still seeing problems, I suggest starting a discussion over in https://github.com/community/community/discussions/categories/code-security as that's probably the best way to reach the team that handles creating alerts. Feel free to drop a breadcrumb link on this issue to the discussion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants