The pnpm parser was updated (#335) to preserve multiple dependency paths when the same package@version appears via different parent chains. The Yarn parser has the same underlying problem — it currently collapses or approximates parent paths, meaning remediation output can only describe one path when a transitive package is reachable via multiple parents.
Impact: When a transitive vulnerability has multiple paths to it, the CLI may generate a fix command that only targets one parent. The output correctly marks these as path-specific, but users need all relevant paths to understand the full remediation scope.
Work to do:
- Audit the Yarn lockfile parser (`src/parsers/yarn*.ts`) for cases where multiple paths to the same `package@version` are collapsed into one
- Run `npm test && npm run build`
- Keep this separate from remediation wording changes — this is purely about path discovery accuracy.
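The following is an added illustration of the collapsing problem, not code from this project or its Yarn parser. It assumes a constructed, already-resolved dependency graph (node ids in `package@version` form, `root` as the workspace) in place of a real lockfile parse, and contrasts a parent lookup keyed on `package@version` alone, which keeps one parent per node, with one that keeps every parent and enumerates all root-to-target paths. The function and variable names are hypothetical.

```typescript
// Added example (not project code): why a single-parent map loses dependency paths.

// Constructed graph: node id -> direct dependency ids.
// vuln@1.0.0 is reachable via root > a and via root > b > c.
type Graph = Record<string, string[]>;

const sampleGraph: Graph = {
  root: ["a@1.0.0", "b@2.0.0"],
  "a@1.0.0": ["vuln@1.0.0"],
  "b@2.0.0": ["c@3.0.0"],
  "c@3.0.0": ["vuln@1.0.0"],
  "vuln@1.0.0": [],
};

// Collapsing approach: one parent per package@version. The last parent seen
// overwrites the earlier one, so only a single path can ever be reported.
function collapsedPath(graph: Graph, target: string): string[] {
  const parentOf: Record<string, string> = {};
  for (const parent of Object.keys(graph)) {
    for (const dep of graph[parent]) parentOf[dep] = parent; // overwrites
  }
  const path = [target];
  let cur = target;
  while (parentOf[cur] !== undefined) {
    cur = parentOf[cur];
    path.unshift(cur);
  }
  return path;
}

// Path-preserving approach: record every parent of every node, then walk
// upward from the target to the root, emitting one path per parent chain.
// The per-path `seen` set guards against cycles in the graph.
function allPaths(graph: Graph, target: string, root = "root"): string[][] {
  const parentsOf: Record<string, string[]> = {};
  for (const parent of Object.keys(graph)) {
    for (const dep of graph[parent]) {
      if (!parentsOf[dep]) parentsOf[dep] = [];
      if (parentsOf[dep].indexOf(parent) === -1) parentsOf[dep].push(parent);
    }
  }
  const results: string[][] = [];
  const walk = (node: string, suffix: string[], seen: Set<string>): void => {
    if (node === root) {
      results.push([root].concat(suffix));
      return;
    }
    for (const p of parentsOf[node] || []) {
      if (seen.has(p)) continue;
      const nextSeen = new Set(seen);
      nextSeen.add(p);
      walk(p, [node].concat(suffix), nextSeen);
    }
  };
  walk(target, [], new Set([target]));
  return results.sort((x, y) => x.join(">").localeCompare(y.join(">")));
}

// The direct dependencies (first hop below root) that a fix command would
// have to target; with collapsed paths one of them is silently missing.
function directDependenciesToFix(paths: string[][]): string[] {
  const direct: string[] = [];
  for (const p of paths) {
    if (p.length > 1 && direct.indexOf(p[1]) === -1) direct.push(p[1]);
  }
  return direct.sort();
}

function main(): void {
  const target = "vuln@1.0.0";
  console.log("collapsed:", collapsedPath(sampleGraph, target).join(" > "));
  for (const p of allPaths(sampleGraph, target)) console.log("path:", p.join(" > "));
  console.log("direct deps to fix:", directDependenciesToFix(allPaths(sampleGraph, target)));
}

main();
```

Running the block shows the collapsed lookup reporting only the `b@2.0.0 > c@3.0.0` chain, while the path-preserving walk reports both chains and therefore both direct dependencies that a remediation command needs to cover.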