Jenkins Buildmaster Dependency-Track does not react to Yarn Resolutions

We are using Jenkins Dependency-Track and it's reporting that we have vulnerable dependencies. Many of these are coming from deep sub-dependencies of our packages, so we do not have the option of upgrading the packages directly. It seems like the correct solution here is to use Yarn resolutions to globally pin updated versions of the vulnerable dependencies. Doing so correctly sets the version numbers in our yarn.lock, but the vulnerability report remains unchanged.

Does anyone know where the problem is? We are using Yarn v2.

This happened because our main project has a sub-project with its own package.json for QA purposes. Its dependencies were not shown when running yarn why <dep>, which gave the false impression that everything had been updated.
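A sub-project that is installed on its own rather than as a workspace of the root has its own yarn.lock, so a resolutions entry in the root package.json never reaches it, and yarn why run at the root does not report it. The script below is an added example, not code from the question, the answer, Yarn or Dependency-Track: it walks a repository, finds every yarn.lock, and reports each resolved version of a named package that is below an assumed minimum. The two lockfiles, the package name minimist and the threshold 1.2.6 are constructed for the example; the parser understands the Yarn Berry (v2+) lockfile syntax only.

```python
#!/usr/bin/env python3
"""Audit every yarn.lock in a repository for the resolved versions of one
dependency.  Added example, not part of the original post.  Assumes Yarn
Berry (v2+) lockfile syntax; the sample lockfiles below are constructed."""
import os
import re
import tempfile

# Matches a Berry lockfile entry header such as
#   "minimist@npm:^1.2.0, minimist@npm:^1.2.5":
ENTRY_RE = re.compile(r'^"?([^"\n]+?)"?:\s*$')
VERSION_RE = re.compile(r'^\s+version:\s*"?([^"\s]+)"?\s*$')


def package_name(descriptor):
    """'@scope/name@npm:^1.0.0' -> '@scope/name'; 'lodash@npm:^4' -> 'lodash'.
    Exotic descriptors (patch:, workspace:) simply never match a package name."""
    return descriptor.rsplit("@", 1)[0]


def resolved_versions(lock_text, dep):
    """Return {descriptor: resolved version} for every entry of `dep` in a lockfile."""
    found = {}
    descriptors = []          # descriptors of the entry currently being read
    for line in lock_text.splitlines():
        if line and not line[0].isspace():      # top-level key: start of an entry
            descriptors = []
            m = ENTRY_RE.match(line)
            if m:
                descriptors = [d.strip() for d in m.group(1).split(",")
                               if package_name(d.strip()) == dep]
        elif descriptors:                        # indented field of a matching entry
            m = VERSION_RE.match(line)
            if m:
                for d in descriptors:
                    found[d] = m.group(1)
    return found


def version_tuple(v):
    """Numeric tuple for a semver core like 1.2.21; pre-release/build tags dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_lockfiles(root):
    """Every yarn.lock under `root`, nested sub-projects included; caches skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".yarn", ".git")]
        if "yarn.lock" in filenames:
            hits.append(os.path.join(dirpath, "yarn.lock"))
    return sorted(hits)


def audit(root, dep, min_version):
    """List (lockfile, descriptor, version) for every resolution of `dep`
    that is still below `min_version`, across all lockfiles under `root`."""
    bad = []
    for lock in find_lockfiles(root):
        with open(lock, encoding="utf-8") as fh:
            versions = resolved_versions(fh.read(), dep)
        for descriptor, version in sorted(versions.items()):
            if version_tuple(version) < version_tuple(min_version):
                rel = os.path.relpath(lock, root).replace(os.sep, "/")
                bad.append((rel, descriptor, version))
    return bad


# Constructed sample: the root lockfile honours a resolutions entry for
# minimist, but a QA sub-project with its own package.json/yarn.lock does not.
ROOT_LOCK = """\
__metadata:
  version: 6
  cacheKey: 8

"minimist@npm:1.2.8, minimist@npm:^1.2.0":
  version: 1.2.8
  resolution: "minimist@npm:1.2.8"
  checksum: 0000
  languageName: node
  linkType: hard
"""

QA_LOCK = """\
__metadata:
  version: 6
  cacheKey: 8

"minimist@npm:^1.2.0":
  version: 1.2.5
  resolution: "minimist@npm:1.2.5"
  checksum: 0000
  languageName: node
  linkType: hard
"""


def build_sample_repo():
    """Write the constructed lockfiles into a temporary tree; return its root."""
    root = tempfile.mkdtemp(prefix="yarn-audit-")
    os.makedirs(os.path.join(root, "qa"))
    with open(os.path.join(root, "yarn.lock"), "w", encoding="utf-8") as fh:
        fh.write(ROOT_LOCK)
    with open(os.path.join(root, "qa", "yarn.lock"), "w", encoding="utf-8") as fh:
        fh.write(QA_LOCK)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    # Threshold 1.2.6 is an assumption for the example, not a vulnerability claim.
    for lock, descriptor, version in audit(repo, "minimist", "1.2.6"):
        print(f"{lock}: {descriptor} still resolves to {version}")
```

Run it from a real checkout as audit(".", "<package>", "<fixed version>") instead of build_sample_repo(); any lockfile it lists is one that the root resolutions block did not touch, so that sub-project needs its own resolutions entry (or needs to become a workspace of the root so a single lockfile governs it) before the scanner's report will change.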