What happened:
We install the dependency cross-spawn as one of the dependencies of jest in version 7.0.6; however, it seems the javascript cataloger can't parse our yarn.lock file, as it lists cross-spawn 7.0.3, which has a security issue and results in grype errors.

What you expected to happen:
yarn.lock is properly parsed. See our lockfile entry: https://github.com/robertkowalski/syft-minimal-example/blob/58974e0e983ec6a628770d1229a2c328d11c9394/yarn.lock#L859-L866

Steps to reproduce the issue:

Anything else we need to know?:

Environment:
syft version:
OS (cat /etc/os-release or similar): OSX Sonoma 14.7

Thanks @robertkowalski for the excellent repro steps! That makes investigating these things so much easier.
I just tested on latest Syft, and I agree with what you're seeing (actually, we seem to find cross-spawn 7.0.3 and 7.0.6, which also doesn't seem right).
I've marked this as ready. Anyone is welcome to pick it up and work on it.

I'd love to take this one on if no one has started yet!

My initial impression is that it seems the parsing of the yarn.lock file is taking the requested caret range (i.e. cross-spawn@^7.0.3) as the used version, whereas the used version should come from the sub-field labelled version (i.e. 7.0.6).
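The distinction the last comment draws, between the requested range in a yarn.lock entry header and the installed version in the entry's `version` field, is the whole bug, so here is an added example of a minimal yarn.lock v1 parser that keeps the two apart. This is illustrative code written for this page in Go (Syft's own language), not Syft's javascript cataloger, and the `sampleLock` excerpt is constructed for the example, not copied from the linked repository; the `resolve` and `installedVersions` helpers are likewise assumptions made here. A header such as `cross-spawn@^7.0.3, cross-spawn@^7.0.6:` records two requested ranges, and both map to the single installed version `7.0.6`, which is the only version a cataloger should hand to a vulnerability scanner.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Package is one resolved entry of a yarn.lock v1 file: the package name, every
// requested range that yarn resolved to this entry, and the version actually
// installed, which is the entry's `version` field, never the range in the header.
type Package struct {
	Name       string
	Specifiers []string // requested ranges, e.g. "^7.0.3", "^7.0.6"
	Version    string   // resolved version, e.g. "7.0.6"
}

// parseYarnLock parses the v1 lockfile format. Entry headers sit at column 0
// and end with ":"; their fields are indented by two spaces; nested blocks such
// as "dependencies:" are indented further and are skipped here.
func parseYarnLock(content string) ([]Package, error) {
	var pkgs []Package
	cur := -1 // index into pkgs of the entry currently being filled
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#"):
			continue
		case !strings.HasPrefix(line, " ") && strings.HasSuffix(line, ":"):
			// Header: comma-separated "name@range" specifiers, optionally quoted,
			// e.g. `cross-spawn@^7.0.3, cross-spawn@^7.0.6:` or `"@scope/pkg@^1.0.0":`
			p := Package{}
			for _, spec := range strings.Split(strings.TrimSuffix(line, ":"), ",") {
				spec = strings.Trim(strings.TrimSpace(spec), `"`)
				at := strings.LastIndex(spec, "@") // LastIndex keeps scoped names intact
				if at <= 0 {
					return nil, fmt.Errorf("malformed yarn.lock header: %q", line)
				}
				name, rng := spec[:at], spec[at+1:]
				if p.Name != "" && p.Name != name {
					return nil, fmt.Errorf("header mixes packages %q and %q", p.Name, name)
				}
				p.Name = name
				p.Specifiers = append(p.Specifiers, rng)
			}
			pkgs = append(pkgs, p)
			cur = len(pkgs) - 1
		case cur >= 0 && strings.HasPrefix(line, "  version "):
			// Exactly two-space indent: a dependency literally named "version"
			// inside a nested "dependencies:" block would be indented four spaces.
			raw := strings.TrimPrefix(line, "  version ")
			pkgs[cur].Version = strings.Trim(strings.TrimSpace(raw), `"`)
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	for _, p := range pkgs {
		if p.Version == "" {
			return nil, fmt.Errorf("entry for %s has no version field", p.Name)
		}
	}
	return pkgs, nil
}

// resolve returns the installed version that a requested range maps to.
func resolve(pkgs []Package, name, requested string) (string, bool) {
	for _, p := range pkgs {
		if p.Name != name {
			continue
		}
		for _, s := range p.Specifiers {
			if s == requested {
				return p.Version, true
			}
		}
	}
	return "", false
}

// installedVersions lists the distinct versions of a package present in the
// lockfile; this is what a cataloger should report to a vulnerability scanner.
func installedVersions(pkgs []Package, name string) []string {
	seen := map[string]bool{}
	var out []string
	for _, p := range pkgs {
		if p.Name == name && !seen[p.Version] {
			seen[p.Version] = true
			out = append(out, p.Version)
		}
	}
	return out
}

// sampleLock is a constructed excerpt in yarn v1 syntax (not the lockfile from
// the linked repository): two ranges for cross-spawn resolve to a single 7.0.6.
const sampleLock = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


cross-spawn@^7.0.3, cross-spawn@^7.0.6:
  version "7.0.6"
  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.6.tgz"
  dependencies:
    path-key "^3.1.0"
    shebang-command "^2.0.0"
    which "^2.0.1"

path-key@^3.1.0:
  version "3.1.1"
  resolved "https://registry.yarnpkg.com/path-key/-/path-key-3.1.1.tgz"
`

func main() {
	pkgs, err := parseYarnLock(sampleLock)
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%s %v -> %s\n", p.Name, p.Specifiers, p.Version)
	}
	v, _ := resolve(pkgs, "cross-spawn", "^7.0.3")
	fmt.Println("cross-spawn@^7.0.3 installs", v) // 7.0.6, not 7.0.3
}
```

Reading the version out of the header instead of the `version` field is exactly what produces both 7.0.3 and 7.0.6 from this one entry; only the resolved version is what the scanner should see, so a cataloger that reports a range endpoint as an installed package turns a correctly patched dependency into a false positive.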