yarnpkg
diff --git a/‎.pnp.cjs‎
Lines changed: 994 additions & 960 deletions b/‎.pnp.cjs‎
Lines changed: 994 additions & 960 deletions
diff --git a/‎.yarn/cache/clipanion-npm-3.2.0-rc.10-b702c05bd9-d3b6454c9e.zip‎
-69.4 KB b/‎.yarn/cache/clipanion-npm-3.2.0-rc.10-b702c05bd9-d3b6454c9e.zip‎
-69.4 KB
diff --git a/‎.yarn/cache/clipanion-npm-3.2.1-fc9187f56c-6f757bde93.zip‎
70.5 KB b/‎.yarn/cache/clipanion-npm-3.2.1-fc9187f56c-6f757bde93.zip‎
70.5 KB
diff --git a/‎.yarn/cache/typanion-npm-3.12.1-788497c54f-492540c6ac.zip‎
26.9 KB b/‎.yarn/cache/typanion-npm-3.12.1-788497c54f-492540c6ac.zip‎
26.9 KB
diff --git a/‎.yarn/cache/typanion-npm-3.3.2-81374d30a8-e67391884a.zip‎
-13.7 KB b/‎.yarn/cache/typanion-npm-3.3.2-81374d30a8-e67391884a.zip‎
-13.7 KB
diff --git a/‎.yarn/versions/9161855d.yml‎
Lines changed: 35 additions & 0 deletions b/‎.yarn/versions/9161855d.yml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/acceptance-tests/pkg-tests-core/package.json‎
Lines changed: 2 additions & 0 deletions b/‎packages/acceptance-tests/pkg-tests-core/package.json‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts‎
Lines changed: 82 additions & 0 deletions b/‎packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts‎
Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,35 @@
+releases:
+  "@yarnpkg/builder": major
+  "@yarnpkg/cli": major
+  "@yarnpkg/core": major
+  "@yarnpkg/doctor": major
+  "@yarnpkg/plugin-constraints": major
+  "@yarnpkg/plugin-dlx": major
+  "@yarnpkg/plugin-essentials": major
+  "@yarnpkg/plugin-git": major
+  "@yarnpkg/plugin-init": major
+  "@yarnpkg/plugin-interactive-tools": major
+  "@yarnpkg/plugin-nm": major
+  "@yarnpkg/plugin-npm-cli": major
+  "@yarnpkg/plugin-pack": major
+  "@yarnpkg/plugin-patch": major
+  "@yarnpkg/plugin-pnp": major
+  "@yarnpkg/plugin-pnpm": major
+  "@yarnpkg/plugin-stage": major
+  "@yarnpkg/plugin-version": major
+  "@yarnpkg/plugin-workspace-tools": major
+  "@yarnpkg/pnpify": major
+  "@yarnpkg/sdks": major
+  "@yarnpkg/shell": major
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-exec"
+  - "@yarnpkg/plugin-file"
+  - "@yarnpkg/plugin-github"
+  - "@yarnpkg/plugin-http"
+  - "@yarnpkg/plugin-link"
+  - "@yarnpkg/plugin-npm"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/extensions"
+  - "@yarnpkg/nm"
@@ -19,6 +19,7 @@ Yarn now accepts sponsorships! Please give a look at our [OpenCollective](https:
 - The network settings configuration option has been renamed from `caFilePath` to `httpsCaFilePath`.
 - `yarn workspaces foreach` now automatically enables the `-v,--verbose` flag in interactive terminal environments.
 - `yarn npm audit` no longer takes into account publish registries. Use [`npmAuditRegistry`](https://yarnpkg.com/configuration/yarnrc#npmAuditRegistry) instead.
+- `yarn npm audit` has been fully rewritten to use the newer `/-/npm/v1/security/advisories/bulk` endpoint. Make sure your registry supports it, and let them know you need it otherwise (in the meantime you can use `npmAuditRegistry` to send your audit queries to the npm registry).
 - The `--assume-fresh-project` flag of `yarn init` has been removed. Should only affect people initializing Yarn 4+ projects using a Yarn 2 binary.
 - `yarn init` no longer enables zero-installs by default.
 - Yarn will no longer remove the old Yarn 2.x `.pnp.js` file when migrating.
 
@@ -19,7 +19,7 @@
     "@yarnpkg/fslib": "workspace:^",
     "@yarnpkg/libzip": "workspace:^",
     "@yarnpkg/sdks": "workspace:^",
-    "clipanion": "^3.2.0-rc.10",
+    "clipanion": "^3.2.1",
     "esbuild-wasm": "0.17.5",
     "eslint": "^8.2.0",
     "jest": "^29.2.1",
 
@@ -18,6 +18,7 @@
     "@yarnpkg/core": "workspace:^",
     "@yarnpkg/fslib": "workspace:^",
     "@yarnpkg/parsers": "workspace:^",
+    "@yarnpkg/plugin-npm-cli": "workspace:^",
     "finalhandler": "^1.1.2",
     "invariant": "^2.2.4",
     "pem": "dexus/pem",
@@ -37,6 +38,7 @@
     "node": ">=14.15.0"
   },
   "dependencies": {
+    "typanion": "^3.12.1",
     "uuid": "^8.3.2"
   }
 }
@@ -1,4 +1,6 @@
+import {semverUtils}                                           from '@yarnpkg/core';
 import {PortablePath, npath, toFilename, xfs, ppath, Filename} from '@yarnpkg/fslib';
+import {npmAuditTypes}                                         from '@yarnpkg/plugin-npm-cli';
 import assert                                                  from 'assert';
 import crypto                                                  from 'crypto';
 import finalhandler                                            from 'finalhandler';
@@ -12,6 +14,7 @@ import pem                                                     from 'pem';
 import semver                                                  from 'semver';
 import serveStatic                                             from 'serve-static';
 import stream                                                  from 'stream';
+import * as t                                                  from 'typanion';
 import {promisify}                                             from 'util';
 import {v5 as uuidv5}                                          from 'uuid';
 import {Gzip}                                                  from 'zlib';
@@ -53,6 +56,7 @@ export enum RequestType {
   Whoami = `whoami`,
   Repository = `repository`,
   Publish = `publish`,
+  BulkAdvisories = `bulkAdvisories`,
 }
 
 export type Request = {
@@ -76,6 +80,8 @@ export type Request = {
   type: RequestType.Publish;
   scope?: string;
   localName: string;
+} | {
+  type: RequestType.BulkAdvisories;
 };
 
 export class Login {
@@ -108,6 +114,42 @@ export class Login {
   }
 }
 
+export const ADVISORIES = new Map<string, Array<npmAuditTypes.AuditMetadata>>([
+  [`vulnerable`, [{
+    id: 1,
+    url: `https://example.com/advisories/1`,
+    title: `Something is wrong`,
+    severity: npmAuditTypes.Severity.High,
+    vulnerable_versions: `<1.1.0`,
+  }]],
+  [`vulnerable-peer-deps`, [{
+    id: 2,
+    url: `https://example.com/advisories/2`,
+    title: `Something else is wrong`,
+    severity: npmAuditTypes.Severity.High,
+    vulnerable_versions: `<1.1.0`,
+  }]],
+  [`vulnerable-many`, [{
+    id: 3,
+    url: `https://example.com/advisories/3`,
+    title: `Something is wrong`,
+    severity: npmAuditTypes.Severity.High,
+    vulnerable_versions: `<1.1.0`,
+  }, {
+    id: 4,
+    url: `https://example.com/advisories/4`,
+    title: `Something is still wrong`,
+    severity: npmAuditTypes.Severity.High,
+    vulnerable_versions: `<1.1.0`,
+  }, {
+    id: 5,
+    url: `https://example.com/advisories/5`,
+    title: `Something is always wrong`,
+    severity: npmAuditTypes.Severity.High,
+    vulnerable_versions: `<1.1.0`,
+  }]],
+]);
+
 export const validLogins = {
   fooUser: new Login(`foo-user`),
   barUser: new Login(`bar-user`),
@@ -440,6 +482,7 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl
     async [RequestType.Repository](parsedRequest, request, response) {
       staticServer(request as any, response as any, finalhandler(request, response));
     },
+
     async [RequestType.Publish](parsedRequest, request, response) {
       if (parsedRequest.type !== RequestType.Publish)
         throw new Error(`Assertion failed: Invalid request type`);
@@ -472,6 +515,41 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl
         return response.end(rawData);
       });
     },
+
+    async [RequestType.BulkAdvisories](parsedRequest, request, response) {
+      if (parsedRequest.type !== RequestType.BulkAdvisories)
+        throw new Error(`Assertion failed: Invalid request type`);
+
+      let rawData = ``;
+
+      request.on(`data`, chunk => rawData += chunk);
+      request.on(`end`, () => {
+        let body;
+        try {
+          body = JSON.parse(rawData);
+        } catch (e) {
+          return processError(response, 401, `Invalid`);
+        }
+
+        t.assertWithErrors(body, t.isRecord(t.isArray(t.isString())));
+
+        const result = Object.create(null);
+        for (const [packageName, versions] of Object.entries(body)) {
+          const advisories = [];
+
+          for (const advisory of ADVISORIES.get(packageName) ?? [])
+            if (versions.some(version => semverUtils.satisfiesWithPrereleases(version, advisory.vulnerable_versions)))
+              advisories.push(advisory);
+
+          if (advisories.length > 0) {
+            result[packageName] = advisories;
+          }
+        }
+
+        response.writeHead(200, {[`Content-Type`]: `application/json`});
+        return response.end(JSON.stringify(result));
+      });
+    },
   };
 
   const sendError = (res: ServerResponse, statusCode: number, errorMessage: string): void => {
@@ -508,6 +586,10 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl
         // Set later when login is parsed
         login: null as any,
       };
+    } else if (url === `/-/npm/v1/security/advisories/bulk`) {
+      return {
+        type: RequestType.BulkAdvisories,
+      };
     } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)$/)) && method == `PUT`) {
       const [, scope, localName] = match;