yarn global install & exec in yarn temp env (dlx) fail; local install OK #88

Closed
pgnd opened this issue Mar 30, 2023 · 8 comments
Labels: bug (Something isn't working), stale

pgnd commented Mar 30, 2023

local install into project appears to work

lsb_release -rd
	Description:    Fedora release 37 (Thirty Seven)
	Release:        37

yarn -v
	3.5.0
node -v
	v18.15.0
npm -v
	9.5.0
npx -v
	9.5.0

yarn global add @sandworm/audit
	Usage Error: The 'yarn global' commands have been removed in 2.x - consider using 'yarn dlx' or a third-party plugin instead
	$ yarn run [--inspect] [--inspect-brk] [-T,--top-level] [-B,--binaries-only] <scriptName> ...

yarn dlx @sandworm/audit@latest
	➤ YN0000: ┌ Resolution step
	➤ YN0061: │ w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now() and performance.timeOrigin.
	➤ YN0000: └ Completed in 3s 595ms
	➤ YN0000: ┌ Fetch step
	➤ YN0000: └ Completed
	➤ YN0000: ┌ Link step
	➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
	➤ YN0000: └ Completed
	➤ YN0000: Done with warnings in 3s 806ms

	Internal Error: Binary not found (audit) for root-workspace-0b6124@workspace:.
	    at h7 (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:423:1806)
	    at Object.mRe (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:423:2322)
	    at /var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:601:297
	    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
	    at async $t.mktempPromise (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:314:69429)
	    at async Lu.execute (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:597:62990)
	    at async Lu.validateAndExecute (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:345:664)
	    at async Un.run (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:359:2057)
	    at async Un.runExit (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:359:2241)
	    at async i (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:446:12054)

yarn add @sandworm/audit@latest
	➤ YN0000: ┌ Resolution step
	➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
	➤ YN0000: └ Completed in 3s 567ms
	➤ YN0000: ┌ Fetch step
	➤ YN0013: │ write-file-atomic@npm:4.0.2 can't be found in the cache and will be fetched from the remote regis
	➤ YN0013: │ xml-name-validator@npm:3.0.0 can't be found in the cache and will be fetched from the remote regi
	➤ YN0013: │ xmlchars@npm:2.2.0 can't be found in the cache and will be fetched from the remote registry
	➤ YN0013: │ yargs-parser@npm:21.1.1 can't be found in the cache and will be fetched from the remote registry
	➤ YN0013: │ yargs@npm:17.6.0 can't be found in the cache and will be fetched from the remote registry
	➤ YN0000: └ Completed in 0s 430ms
	➤ YN0000: ┌ Link step
	➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
	➤ YN0008: │ sharp@npm:0.32.0 must be rebuilt because its dependency tree changed
	➤ YN0000: └ Completed in 0s 744ms
	➤ YN0000: Done with warnings in 4s 886ms

yarn info --name-only @sandworm/audit
	└─ @sandworm/audit@npm:1.35.0

yarn sandworm -d --sv
	Sandworm 🪱Security and License Compliance Audit
	√ Built dependency graph
	//
	// 💡 Save issue resolution info to your repo
	//    resolved-issues.json
	//    https://docs.sandworm.dev/audit/resolving-issues
	//
	√ Got vulnerabilities
	√ Scanned licenses
	√ Scanned issues
	√ Tree chart done
	√ Treemap chart done
	√ CSV done
	√ Report written to disk

	⚠ Identified 2 high severity, 1 low severity issues
	🟠 caniuse-lite@1.0.30001431 Atypical license SWRM-104-caniuse-lite-1.0.30001431
	🟠 esbuild@0.15.14 Uses postinstall script SWRM-201-esbuild-0.15.14-postinstall
	⚪ caniuse-lite@1.0.30001431 License not OSI approved SWRM-102-caniuse-lite-1.0.30001431

	✨ Done
pgnd added the bug label Mar 30, 2023

gabidobo (Member) commented

Thank you for submitting this, @pgnd! Looking into it now.

gabidobo (Member) commented

It turns out the proper command to use is:

yarn dlx -p @sandworm/audit sandworm

See yarnpkg/berry#2013.

@pgnd if you can, please let me know if the command above works for you. Thanks!
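As an added illustration of why the plain `yarn dlx @sandworm/audit` form fails with "Binary not found (audit)" (this is example code, not Sandworm's or Yarn's own): `yarn dlx <pkg>` runs the binary named after the package's unscoped name, here `audit`, while the package's binary is called `sandworm`, so the binary has to be named explicitly with `-p <pkg> <bin>`. The package.json fragments below are constructed for the example, and their `bin` target paths are placeholders.

```javascript
// Added example (not Sandworm's or Yarn's own code). Given a package spec and
// its package.json, work out how to run it under `yarn dlx`.
// Assumption, consistent with the Yarn docs and the "Binary not found (audit)"
// error in this thread: plain `yarn dlx <pkg>` runs the binary whose name
// equals the package's unscoped name, and any other binary has to be named
// explicitly with `yarn dlx -p <pkg> <bin>`.

// "@sandworm/audit@latest" -> "@sandworm/audit"; "typescript@^5" -> "typescript"
function stripRange(spec) {
  const at = spec.indexOf('@', 1); // start at 1 to skip a leading scope "@"
  return at === -1 ? spec : spec.slice(0, at);
}

// "@sandworm/audit" -> "audit"; "typescript" -> "typescript"
function unscopedName(name) {
  const slash = name.lastIndexOf('/');
  return slash === -1 ? name : name.slice(slash + 1);
}

// Names of the binaries a package.json declares. A string "bin" means a single
// binary named after the (unscoped) package name; an object maps bin -> file.
function binNames(pkgJson) {
  const { bin, name } = pkgJson;
  if (bin === undefined || bin === null) return [];
  if (typeof bin === 'string') return [unscopedName(name)];
  return Object.keys(bin);
}

// Returns the yarn dlx invocation, or throws when there is no unambiguous bin.
function dlxCommand(spec, pkgJson) {
  const bins = binNames(pkgJson);
  if (bins.length === 0) {
    throw new Error(`${spec} declares no binaries; yarn dlx cannot run it`);
  }
  const defaultBin = unscopedName(stripRange(spec));
  if (bins.includes(defaultBin)) return `yarn dlx ${spec}`;
  if (bins.length === 1) return `yarn dlx -p ${spec} ${bins[0]}`;
  throw new Error(
    `${spec} exposes several binaries (${bins.join(', ')}); pick one with ` +
      `yarn dlx -p ${spec} <bin>`,
  );
}

// Constructed package.json fragments for illustration; the "bin" target paths
// are placeholders, not the real files shipped by these packages.
const SANDWORM_PKG = { name: '@sandworm/audit', bin: { sandworm: './bin/sandworm.js' } };
const TYPESCRIPT_PKG = { name: 'typescript', bin: { tsc: './bin/tsc', tsserver: './bin/tsserver' } };
const SINGLE_BIN_PKG = { name: '@example/tool', bin: './cli.js' };

console.log(dlxCommand('@sandworm/audit@latest', SANDWORM_PKG));
// yarn dlx -p @sandworm/audit@latest sandworm
```

The same check is worth running before putting a `yarn dlx` line into CI: a package whose bin name differs from its package name, or that ships several bins, will fail at run time rather than at install time.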

pgnd commented May 9, 2023

@gabidobo

Sorry, I missed the GH notification of your ping :-/

please let me know if the command above works for you

It no longer fails immediately and does progress, but fails with "Done, but with errors:"

And it's seemingly slow ... 6+ minutes; I've no sense yet what's typical.

e.g.,

time yarn dlx -p @sandworm/audit sandworm
➤ YN0000: ┌ Resolution step
➤ YN0061: │ w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now() and performance.timeOrigin.
➤ YN0000: └ Completed in 56s 262ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
➤ YN0000: └ Completed in 0s 409ms
➤ YN0000: Done with warnings in 56s 872ms

Sandworm 🪱Security and License Compliance Audit
√ Built dependency graph
√ Got vulnerabilities
√ Scanned licenses
√ Scanned issues
√ Tree chart done
√ Treemap chart done
√ CSV done
√ Report written to disk

⚠ Identified 10 high severity, 1 low severity issues
🟠 @fortawesome/free-brands-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-brands-svg-icons-6.4.0
🟠 @fortawesome/free-regular-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-regular-svg-icons-6.4.0
🟠 @fortawesome/free-solid-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-solid-svg-icons-6.4.0
🟠 caniuse-lite@1.0.30001481 Atypical license SWRM-104-caniuse-lite-1.0.30001481
🟠 @fortawesome/fontawesome-common-types@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-common-types-6.4.0-postinstall
🟠 @fortawesome/fontawesome-svg-core@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-svg-core-6.4.0-postinstall
🟠 @fortawesome/free-brands-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-brands-svg-icons-6.4.0-postinstall
🟠 @fortawesome/free-regular-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-regular-svg-icons-6.4.0-postinstall
🟠 @fortawesome/free-solid-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-solid-svg-icons-6.4.0-postinstall
🟠 w3c-hr-time@1.0.2 Deprecated package SWRM-200-w3c-hr-time-1.0.2
⚪ caniuse-lite@1.0.30001481 License not OSI approved SWRM-102-caniuse-lite-1.0.30001481

✨ Done, but with errors:
❌ SyntaxError: Unexpected token ➤ in JSON at position 0
❌ Failing because of errors

real    6m11.929s
user    0m12.243s
sys     0m1.298s

gabidobo (Member) commented

Ok, this seems to be an error with retrieving vulnerabilities from the package manager.

I just released v1.40.0 with better console messaging around these errors, could you please give it a try? It should clarify what the underlying issue is.

pgnd commented May 21, 2023

@gabidobo

time yarn dlx -p @sandworm/audit sandworm
	➤ YN0000: ┌ Resolution step
	➤ YN0061: │ w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now() and performance.timeOrigin.
	➤ YN0000: └ Completed in 58s 827ms
	➤ YN0000: ┌ Fetch step
	➤ YN0013: │ ini@npm:4.1.1 can't be found in the cache and will be fetched from the remote registry
	➤ YN0013: │ semver@npm:7.5.1 can't be found in the cache and will be fetched from the remote registry
	➤ YN0013: │ signal-exit@npm:4.0.2 can't be found in the cache and will be fetched from the remote registry
	➤ YN0013: │ tslib@npm:2.5.2 can't be found in the cache and will be fetched from the remote registry
	➤ YN0000: └ Completed in 0s 521ms
	➤ YN0000: ┌ Link step
	➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
	➤ YN0000: └ Completed in 0s 401ms
	➤ YN0000: Done with warnings in 59s 807ms

	Sandworm 🪱Security and License Compliance Audit
	√ Built dependency graph
	√ Got vulnerabilities
	√ Scanned licenses
	√ Scanned issues
	√ Tree chart done
	√ Treemap chart done
	√ CSV done
	√ Report written to disk

	⚠ Identified 10 high severity, 1 low severity issues
	🟠 @fortawesome/free-brands-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-brands-svg-icons-6.4.0
	🟠 @fortawesome/free-regular-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-regular-svg-icons-6.4.0
	🟠 @fortawesome/free-solid-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-solid-svg-icons-6.4.0
	🟠 caniuse-lite@1.0.30001481 Atypical license SWRM-104-caniuse-lite-1.0.30001481
	🟠 @fortawesome/fontawesome-common-types@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-common-types-6.4.0-postinstall
	🟠 @fortawesome/fontawesome-svg-core@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-svg-core-6.4.0-postinstall
	🟠 @fortawesome/free-brands-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-brands-svg-icons-6.4.0-postinstall
	🟠 @fortawesome/free-regular-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-regular-svg-icons-6.4.0-postinstall
	🟠 @fortawesome/free-solid-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-solid-svg-icons-6.4.0-postinstall
	🟠 w3c-hr-time@1.0.2 Deprecated package SWRM-200-w3c-hr-time-1.0.2
	⚪ caniuse-lite@1.0.30001481 License not OSI approved SWRM-102-caniuse-lite-1.0.30001481

	✨ Done, but with errors:
	❌ Error: Error getting vulnerability report from yarn: Unexpected token ➤ in JSON at position 0 => ➤ YN0035: Bad Request
	➤ YN0035:   Response Code: 400 (Bad Request)
	➤ YN0035:   Request Method: POST
	➤ YN0035:   Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick

	➤ Errors happened when preparing the environment required to run this command.
	➤ This might be caused by packages being missing from the lockfile, in which case running "yarn install" might help.

	    at getDependencyVulnerabilities (/var/lib/wwwrun/.yarn/berry/cache/@sandworm-audit-npm-1.42.0-fab3def249-8.zip/node_modules/@sandworm/audit/src/issues/vulnerabilities.js:149:11)
	    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
	    at async getReport (/var/lib/wwwrun/.yarn/berry/cache/@sandworm-audit-npm-1.42.0-fab3def249-8.zip/node_modules/@sandworm/audit/src/index.js:68:33)
	    at async exports.handler (/var/lib/wwwrun/.yarn/berry/cache/@sandworm-audit-npm-1.42.0-fab3def249-8.zip/node_modules/@sandworm/audit/src/cli/cmds/audit.js:248:9)
	❌ Failing because of errors

	real    5m59.922s
	user    0m12.831s
	sys     0m1.433s

gabidobo (Member) commented

@pgnd this seems to be an underlying issue with Yarn audit: yarnpkg/berry#4117

Can you please try to run yarn audit and see if the error replicates? If it does, maybe leave a comment on the issue above, so the Yarn team prioritizes a fix.
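The "Unexpected token ➤ in JSON at position 0" error above comes from feeding Yarn's `➤ YN0035` log lines straight into JSON.parse. As an added example (not Sandworm's or Yarn's own code), the parser below separates Yarn's log lines from the JSON records of `yarn npm audit --json` and turns a YN0035 registry error into a readable failure that names the request, which is the kind of message Sandworm's v1.40.0 release added. It assumes one JSON record per line; the log-line layout is taken from the output quoted in this thread, and both sample outputs are constructed (the successful record's shape is a placeholder, not the registry's real advisory schema).

```javascript
// Added example (not Sandworm's or Yarn's own code). Defensive parsing of
// `yarn npm audit --json` output, which a tool like Sandworm reads to build
// its vulnerability report. Yarn writes "➤ YNxxxx" log lines to the same
// stream when something goes wrong, and feeding those to JSON.parse gives
// the "Unexpected token ➤ in JSON at position 0" seen in this thread.
// Assumptions: one JSON record per line; the log-line layout is taken from
// the YN0035 output quoted above.

const YARN_LOG_LINE = /^➤\s*(?:(YN\d{4}):)?\s*(.*)$/;

// Split raw output into { records, logs }, throwing only on a line that is
// neither a Yarn log line nor valid JSON.
function parseYarnAuditOutput(text) {
  const records = [];
  const logs = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const m = YARN_LOG_LINE.exec(line);
    if (m) {
      logs.push({ code: m[1] ?? null, text: m[2] });
      continue;
    }
    try {
      records.push(JSON.parse(line));
    } catch (e) {
      throw new Error(`unexpected non-JSON line from yarn: ${line.slice(0, 80)}`);
    }
  }
  return { records, logs };
}

// Pull the request details out of a YN0035 (network/registry) error, which
// Yarn prints as one headline plus indented "Key: value" continuation lines.
function registryError(logs) {
  const lines = logs.filter((l) => l.code === 'YN0035');
  if (lines.length === 0) return null;
  const error = { message: lines[0].text };
  for (const { text } of lines.slice(1)) {
    const kv = /^(Response Code|Request Method|Request URL):\s*(.+)$/.exec(text);
    if (kv) error[kv[1]] = kv[2];
  }
  return error;
}

// What an audit tool would call: either the advisory records, or an error
// that names the failing request instead of a JSON parse error.
function auditRecords(text) {
  const { records, logs } = parseYarnAuditOutput(text);
  const err = registryError(logs);
  if (err) {
    throw new Error(
      `yarn npm audit failed: ${err.message}` +
        ` (${err['Request Method'] ?? '?'} ${err['Request URL'] ?? '?'}` +
        ` -> ${err['Response Code'] ?? '?'})`,
    );
  }
  return records;
}

// Constructed sample output modelled on the failure quoted in this thread.
const FAILED_AUDIT_OUTPUT = [
  '➤ YN0035: Bad Request',
  '➤ YN0035:   Response Code: 400 (Bad Request)',
  '➤ YN0035:   Request Method: POST',
  '➤ YN0035:   Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick',
  '',
  '➤ Errors happened when preparing the environment required to run this command.',
].join('\n');

// Constructed sample of a successful run; the record shape is a placeholder,
// not the registry's real advisory schema.
const OK_AUDIT_OUTPUT =
  '{"advisory":{"module_name":"example-pkg","severity":"high"}}\n';

try {
  auditRecords(FAILED_AUDIT_OUTPUT);
} catch (e) {
  console.log(e.message);
  // yarn npm audit failed: Bad Request (POST https://registry.yarnpkg.com/-/npm/v1/security/audits/quick -> 400 (Bad Request))
}
```

A 400 from the registry's quick-audit endpoint means no vulnerability data came back at all, so an audit tool should fail closed (as Sandworm does with "Failing because of errors") rather than report zero vulnerabilities.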

github-actions bot commented
This issue is stale because it has been open for 30 days with no activity.

github-actions bot added the stale label Jun 26, 2023

github-actions bot commented
This issue was closed because it has been inactive for 14 days since being marked as stale.
