Merge branch 'master' into 1.12-stable

Author: Maël Nison

CHANGELOG.md

@@ -4,6 +4,44 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa
 
 ## 1.12.1
 
+**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.
+
+- Fixes an issue with `yarn audit` when using workspaces
+
+  [#6625](https://github.com/yarnpkg/yarn/pull/6639) - [**Jeff Valore**](https://twitter.com/codingwithspike)
+
+- Uses `NODE_OPTIONS` to instruct Node to load the PnP hook, instead of raw CLI arguments
+
+  **Caveat:** This change might cause issues for PnP users having a space inside their cwd (cf [nodejs/node#24065](https://github.com/nodejs/node/pull/24065))
+
+  [#6479](https://github.com/yarnpkg/yarn/pull/6629) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Fixes Gulp when used with Plug'n'Play
+
+  [#6623](https://github.com/yarnpkg/yarn/pull/6623) - [**Maël Nison**](https://twitter.com/arcanis)
+
+- Fixes an issue with `yarn audit` when the root package was missing a name
+
+  [#6611](https://github.com/yarnpkg/yarn/pull/6611) - [**Jack Zhao**](https://github.com/bugzpodder)
+
+- Fixes an issue with `yarn audit` when a package was depending on an empty range
+
+  [#6611](https://github.com/yarnpkg/yarn/pull/6611) - [**Jack Zhao**](https://github.com/bugzpodder)
+
+- Fixes an issue with how symlinks are setup into the cache on Windows
+
+  [#6621](https://github.com/yarnpkg/yarn/pull/6621) - [**Yoad Snapir**](https://github.com/yoadsn)
+
+- Upgrades `inquirer`, fixing `upgrade-interactive` for users using both Node 10 and Windows
+
+  [#6635](https://github.com/yarnpkg/yarn/pull/6635) - [**Philipp Feigl**](https://github.com/pfeigl)
+
+- Exposes the path to the PnP file using `require.resolve('pnpapi')`
+
+  [#6643](https://github.com/yarnpkg/yarn/pull/6643) - [**Maël Nison**](https://twitter.com/arcanis)
+
+## 1.12.1
+
 - Ensures the engine check is ran before showing the UI for `upgrade-interactive`
 
   [#6536](https://github.com/yarnpkg/yarn/pull/6536) - [**Orta Therox**](https://github.com/orta)

__tests__/commands/audit.js

@@ -105,7 +105,7 @@ test('calls reporter auditAdvisory with correct data', () => {
   });
 });
 
-// *** Test temporarily removed due to inability to correctly puggest actions to the user.
+// *** Test temporarily removed due to inability to correctly suggest actions to the user.
 // test('calls reporter auditAction with correct data', () => {
 //   return runAudit([], {}, 'single-vulnerable-dep-installed', (config, reporter) => {
 //     const apiResponse = getAuditResponse(config);
@@ -123,3 +123,100 @@ test('calls reporter auditSummary with correct data', () => {
     expect(reporter.auditSummary).toBeCalledWith(apiResponse.metadata);
   });
 });
+
+test.concurrent('sends correct dependency map to audit api for private package.', () => {
+  const expectedApiPost = {
+    install: [],
+    remove: [],
+    metadata: {},
+    requires: {
+      'left-pad': '^1.3.0',
+    },
+    dependencies: {
+      'left-pad': {
+        version: '1.3.0',
+        integrity: 'sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==',
+        requires: {},
+        dependencies: {},
+      },
+    },
+  };
+
+  return runAudit([], {}, 'private-package', async config => {
+    const calledWithPipe = config.requestManager.request.mock.calls[0][0].body;
+    const calledWith = JSON.parse(await gunzip(calledWithPipe));
+    expect(calledWith).toEqual(expectedApiPost);
+  });
+});
+
+test('calls reporter auditAdvisory with correct data for private package', () => {
+  return runAudit([], {}, 'single-vulnerable-dep-installed', (config, reporter) => {
+    const apiResponse = getAuditResponse(config);
+    expect(reporter.auditAdvisory).toBeCalledWith(apiResponse.actions[0].resolves[0], apiResponse.advisories['118']);
+  });
+});
+
+test('calls reporter auditSummary with correct data for private package', () => {
+  return runAudit([], {}, 'single-vulnerable-dep-installed', (config, reporter) => {
+    const apiResponse = getAuditResponse(config);
+    expect(reporter.auditSummary).toBeCalledWith(apiResponse.metadata);
+  });
+});
+
+test.concurrent('sends correct dependency map to audit api for workspaces.', () => {
+  const expectedApiPost = {
+    dependencies: {
+      'balanced-match': {
+        dependencies: {},
+        integrity: 'sha1-ibTRmasr7kneFk6gK4nORi1xt2c=',
+        requires: {},
+        version: '1.0.0',
+      },
+      'brace-expansion': {
+        dependencies: {},
+        integrity: 'sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==',
+        requires: {
+          'balanced-match': '^1.0.0',
+          'concat-map': '0.0.1',
+        },
+        version: '1.1.11',
+      },
+      'concat-map': {
+        dependencies: {},
+        integrity: 'sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=',
+        requires: {},
+        version: '0.0.1',
+      },
+      minimatch: {
+        dependencies: {},
+        integrity: 'sha1-UjYVelHk8ATBd/s8Un/33Xjw74M=',
+        requires: {
+          'brace-expansion': '^1.0.0',
+        },
+        version: '3.0.0',
+      },
+      prj1: {
+        dependencies: {},
+        integrity: '',
+        requires: {
+          minimatch: '3.0.0',
+        },
+        version: '0.0.0',
+      },
+    },
+    install: [],
+    metadata: {},
+    name: 'yarn-test',
+    remove: [],
+    requires: {
+      prj1: '0.0.0',
+    },
+    version: '1.0.0',
+  };
+
+  return runAudit([], {}, 'workspace', async config => {
+    const calledWithPipe = config.requestManager.request.mock.calls[0][0].body;
+    const calledWith = JSON.parse(await gunzip(calledWithPipe));
+    expect(calledWith).toEqual(expectedApiPost);
+  });
+});

__tests__/commands/install/integration.js

@@ -48,6 +48,11 @@ async function mockConstants(base: Config, mocks: Object, cb: (config: Config) =
 beforeEach(request.__resetAuthedRequests);
 afterEach(request.__resetAuthedRequests);
 
+test('install should not copy the .bin folders from the cache', () =>
+  runInstall({}, 'install-no-bin', async config => {
+    expect(await fs.exists(`${config.cwd}/node_modules/is-pnp/.bin`)).toEqual(false);
+  }));
+
 test('install should not hoist packages above their peer dependencies', () =>
   runInstall({}, 'install-should-not-hoist-through-peer-deps', async config => {
     expect(await fs.exists(`${config.cwd}/node_modules/a/node_modules/c`)).toEqual(true);

__tests__/fixtures/audit/private-package/audit-api-response.json

@@ -0,0 +1,77 @@
+{
+  "actions": [
+    {
+      "action": "install",
+      "module": "minimatch",
+      "target": "3.0.4",
+      "isMajor": false,
+      "resolves": [
+        {
+          "id": 118,
+          "path": "minimatch",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ]
+    }
+  ],
+  "advisories": {
+    "118": {
+      "findings": [
+        {
+          "version": "3.0.0",
+          "paths": [
+            "minimatch"
+          ],
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ],
+      "id": 118,
+      "created": "2016-05-25T16:37:20.000Z",
+      "updated": "2018-03-01T21:58:01.072Z",
+      "deleted": null,
+      "title": "Regular Expression Denial of Service",
+      "found_by": {
+        "name": "Nick Starke"
+      },
+      "reported_by": {
+        "name": "Nick Starke"
+      },
+      "module_name": "minimatch",
+      "cves": [
+        "CVE-2016-10540"
+      ],
+      "vulnerable_versions": "<=3.0.1",
+      "patched_versions": ">=3.0.2",
+      "overview": "Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.\n\n\n## Proof of Concept\n```\nvar minimatch = require(“minimatch”);\n\n// utility function for generating long strings\nvar genstr = function (len, chr) {\n  var result = “”;\n  for (i=0; i<=len; i++) {\n    result = result + chr;\n  }\n  return result;\n}\n\nvar exploit = “[!” + genstr(1000000, “\\\\”) + “A”;\n\n// minimatch exploit.\nconsole.log(“starting minimatch”);\nminimatch(“foo”, exploit);\nconsole.log(“finishing minimatch”);\n```",
+      "recommendation": "Update to version 3.0.2 or later.",
+      "references": "",
+      "access": "public",
+      "severity": "high",
+      "cwe": "CWE-400",
+      "metadata": {
+        "module_type": "Multi.Library",
+        "exploitability": 4,
+        "affected_components": "Internal::Code::Function::minimatch({type:'args', key:0, vector:{type:'string'}})"
+      },
+      "url": "https://nodesecurity.io/advisories/118"
+    }
+  },
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 1,
+      "critical": 0
+    },
+    "dependencies": 5,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 5
+  }
+}

__tests__/fixtures/audit/private-package/package.json

@@ -0,0 +1,6 @@
+{
+  "private": true,
+  "dependencies": {
+    "left-pad": "^1.3.0"
+  }
+}

__tests__/fixtures/audit/private-package/yarn.lock

@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+left-pad@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
+  integrity sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==

__tests__/fixtures/audit/workspace/audit-api-response.json

@@ -0,0 +1,18 @@
+{
+  "actions": [],
+  "advisories": {},
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 0,
+      "critical": 0
+    },
+    "dependencies": 0,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 0
+  }
+}

__tests__/fixtures/audit/workspace/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "yarn-test",
+  "version": "1.0.0",
+  "main": "index.js",
+  "license": "MIT",
+  "private": true,
+  "workspaces": ["packages/*"]
+}

__tests__/fixtures/audit/workspace/packages/prj1/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "prj1",
+  "private": true,
+  "version": "0.0.0",
+  "dependencies": {
+    "minimatch": "3.0.0"
+  }
+}

__tests__/fixtures/audit/workspace/yarn.lock

@@ -0,0 +1,28 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+balanced-match@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767"
+  integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c=
+
+brace-expansion@^1.0.0:
+  version "1.1.11"
+  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
+  integrity sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==
+  dependencies:
+    balanced-match "^1.0.0"
+    concat-map "0.0.1"
+
+[email protected]:
+  version "0.0.1"
+  resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
+  integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=
+
+[email protected]:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.0.tgz#5236157a51e4f004c177fb3c527ff7dd78f0ef83"
+  integrity sha1-UjYVelHk8ATBd/s8Un/33Xjw74M=
+  dependencies:
+    brace-expansion "^1.0.0"

__tests__/fixtures/cache/corrupted/.yarn-cache/v3/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json renamed to __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json

@@ -0,0 +1,5 @@
+{
+    "dependencies": {
+        "is-pnp": "^1.0.2"
+    }
+}

__tests__/fixtures/cache/corrupted/.yarn-cache/v3/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep renamed to __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep

@@ -23,7 +23,7 @@
     "hash-for-dep": "^1.2.3",
     "imports-loader": "^0.8.0",
     "ini": "^1.3.4",
-    "inquirer": "^3.0.1",
+    "inquirer": "^6.2.0",
     "invariant": "^2.2.0",
     "is-builtin-module": "^2.0.0",
     "is-ci": "^1.0.10",