Support yarn berry in Analyzer #4894
Comments
Same issue here, running
There is a task similar to this, #4215, but there is no solution implemented yet. It looks like, to resolve this, we need to wait for a solution for the gradle plugin org.owasp.dependencycheck, and until we have a solution we need to add the following setting to our build.gradle configuration: dependencyCheck {
WARNING: This will disable the yarn dependency check, and if you are using yarn not for tests such as functional tests etc., your code may have vulnerabilities. There are some other dependency check plugins, but they are not as good as this one.
Hello, any news on this?
Is your feature request related to a problem? Please describe.
Using yarn berry with workspaces doesn't work right now. Would be great to also support this updated version of yarn.
Tried with the latest CLI version:
./dependency-check.sh --out . --scan ...
Repository to reproduce: https://github.com/Purii/yarn-monorepo-example
Result:
Describe the solution you'd like
There's already a comment in another thread: #4215 (comment)
These commands are not valid for latest versions of yarn anymore:
DependencyCheck/core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java
Line 214 in aa73c25
Since yarn berry is very different to yarn classic, I suggest to treat it as a separate dependency manager instead of extending the existing yarn implementation.
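An added example, not part of the issue or of DependencyCheck's code: a pre-scan check that tells yarn classic from yarn berry projects, so a pipeline can route or flag them instead of silently skipping the yarn audit. The function names, the sample lockfile text and the rule that `packageManager` overrides the lockfile are assumptions of this sketch; the two command lists are the stock audit commands of each yarn line, not what the analyzer runs.

```python
import json
import re
from pathlib import Path

# Constructed sample lockfile headers (not taken from the linked repository).
CLASSIC_LOCK = ('# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n'
                '# yarn lockfile v1\n\n\nleft-pad@^1.3.0:\n  version "1.3.0"\n')
BERRY_LOCK = ('# This file is generated by running "yarn install" inside your project.\n\n'
              '__metadata:\n  version: 6\n  cacheKey: 8\n\n'
              '"left-pad@npm:^1.3.0":\n  version: 1.3.0\n')

def classify_lock(text):
    """Return 'classic', 'berry' or 'unknown' for the contents of a yarn.lock."""
    if re.search(r"^# yarn lockfile v1\s*$", text, re.M):
        return "classic"          # v1 format written by yarn 1.x
    if re.search(r"^__metadata:\s*$", text, re.M):
        return "berry"            # YAML format written by yarn 2+
    return "unknown"

def classify_project(root):
    """Classify a project directory (assumption: packageManager wins over the lockfile)."""
    root = Path(root)
    pkg = root / "package.json"
    if pkg.is_file():
        try:
            pm = json.loads(pkg.read_text(encoding="utf-8")).get("packageManager", "")
        except (ValueError, AttributeError):
            pm = ""               # unparsable or non-object package.json
        m = re.match(r"yarn@(\d+)\.", pm) if isinstance(pm, str) else None
        if m:
            return "classic" if int(m.group(1)) < 2 else "berry"
    lock = root / "yarn.lock"
    if lock.is_file():
        return classify_lock(lock.read_text(encoding="utf-8", errors="replace"))
    return "unknown"

def audit_plan(root):
    """Return (kind, command) so the caller can run or flag the project."""
    kind = classify_project(root)
    if kind == "classic":
        return kind, ["yarn", "audit", "--json"]
    if kind == "berry":
        return kind, ["yarn", "npm", "audit", "--all", "--recursive", "--json"]
    return kind, None             # nothing recognised: report it, do not guess

if __name__ == "__main__":
    print(classify_lock(CLASSIC_LOCK), classify_lock(BERRY_LOCK))
```

A result of `unknown` is worth surfacing in the scan report, since it marks a project whose JavaScript dependencies were not audited at all.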