From 75f33a6e30dcf09d849151a919987b0f5d5ed115 Mon Sep 17 00:00:00 2001
From: Ankur Sinha
Date: Mon, 29 Jun 2026 11:15:41 +0530
Subject: [PATCH] fix: preserve yarn.lock during analysis and add npm ls evidence

Signed-off-by: Ankur Sinha
---
 .cursor/skills/fix-cves/SKILL.md | 15 +++++++++++----
 scripts/fix-cves/analyze-deps.ts | 10 +++++-----
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/.cursor/skills/fix-cves/SKILL.md b/.cursor/skills/fix-cves/SKILL.md
index b1a6dc28..fc62214b 100644
--- a/.cursor/skills/fix-cves/SKILL.md
+++ b/.cursor/skills/fix-cves/SKILL.md
@@ -162,11 +162,11 @@ Before switching branches, verify the working tree is clean with `git status --p
 ```bash
 git checkout
 git pull upstream
-rm -rf node_modules yarn.lock
+rm -rf node_modules dist
 yarn install
 ```
-**Critical**: Always remove both `node_modules` and `yarn.lock` and reinstall to regenerate the dependency graph from scratch and avoid stale resolutions.
+**Critical**: Keep `yarn.lock` during initial install — it ensures analysis runs against the exact versions deployed on this branch. Only remove `yarn.lock` after applying resolutions (see `resolution` strategy below).
 ### 2b. Analyze each CVE
@@ -243,7 +243,7 @@ $ npm ls --all
 ```
-The evidence comes from the analyze-deps script output (`yarnWhyRaw` field).
+The evidence comes from the analyze-deps script output (`yarnWhyRaw` and `npmLsRaw` fields).
 **If using paste mode (Mode A)**, print the comment to the user so they can manually post it on the Jira ticket.
@@ -293,7 +293,12 @@ The package is transitive and no parent upgrade resolves it. Add or update the
 ```
 Merge with existing resolutions (currently: `webpack`, `@types/d3-dispatch`,
-`@types/d3-selection`). Then run `yarn install`.
+`@types/d3-selection`). Then regenerate the lockfile:
+
+```bash
+rm -rf node_modules yarn.lock
+yarn install
+```
 **Resolutions are a last resort.** Only use when neither direct-upgrade nor parent-upgrade is possible.
@@ -332,6 +337,8 @@ Please advise on next steps:
 - Use an alternative remediation approach
 ```
+The evidence comes from the analyze-deps script output (`yarnWhyRaw` and `npmLsRaw` fields).
+
 **If using paste mode (Mode A)**, print the triage comment to the user so they can manually post it on the Jira ticket or forward it to the reporter.
 Mark this CVE as `triaged` in the tracking table and skip it.
diff --git a/scripts/fix-cves/analyze-deps.ts b/scripts/fix-cves/analyze-deps.ts
index e21d1dd0..7ff0c4ad 100644
--- a/scripts/fix-cves/analyze-deps.ts
+++ b/scripts/fix-cves/analyze-deps.ts
@@ -30,6 +30,7 @@ interface AnalysisResult {
 | 'triage-needed';
 reason: string;
 yarnWhyRaw: string;
+ npmLsRaw: string;
 }
 interface CLIArgs {
@@ -148,11 +149,7 @@ function getAllInstalledVersions(pkg: string): string[] {
 return [...versions];
 }
-function findVersions(
- node: any,
- pkg: string,
- versions: Set,
- ): void {
+function findVersions(node: any, pkg: string, versions: Set): void {
 if (!node || typeof node !== 'object') return;
 if (node.dependencies) {
 for (const [name, dep] of Object.entries(node.dependencies)) {
@@ -264,6 +261,7 @@ function isVersionSatisfied(installed: string, required: string): boolean {
 function main(): void {
 const args = parseArgs();
 const { raw: yarnWhyRaw, chains } = getYarnWhy(args.package);
+ const npmLsRaw = runCmd('npm', ['ls', '--all', args.package]).trimEnd();
 const currentVersion = getCurrentVersion(args.package);
 // Full-tree check: verify ALL installed copies satisfy the fix, not just the
@@ -291,6 +289,7 @@ function main(): void {
 strategy: 'already-remediated',
 reason: `All ${installedVersions.length} installed copy/copies satisfy >= ${args.fixedVersion}`,
 yarnWhyRaw,
+ npmLsRaw,
 };
 console.log(JSON.stringify(result, null, 2));
 return;
@@ -345,6 +344,7 @@ function main(): void {
 strategy,
 reason,
 yarnWhyRaw,
+ npmLsRaw,
 };
 console.log(JSON.stringify(result, null, 2));
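Review bot: The new `npmLsRaw` field on `AnalysisResult` (the `@@ -30` hunk) is added without a comment, and since this interface is the JSON contract that the SKILL.md workflow tells readers to copy from, it is worth stating what the string holds and that it is evidence rather than something the script parses; `yarnWhyRaw` has the same gap. Suggested doc comment above the field: `/** Raw output of \`npm ls --all <package>\`, captured as remediation evidence only; the analysis itself does not parse it. */`. The interface's opening line is outside the hunk.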
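Review bot: The `npm ls` capture added at the top of main() in the `@@ -264` hunk runs before any result is emitted, and `npm ls` exits non-zero whenever it reports a problem (missing, invalid or extraneous packages), which is common in a yarn-managed tree; if `runCmd` (defined outside the hunk) throws on a non-zero exit, this line would abort the run before the JSON result is printed, even though `npmLsRaw` is only informational evidence. Consider making the capture best-effort: `let npmLsRaw = ''; try { npmLsRaw = runCmd('npm', ['ls', '--all', args.package]).trimEnd(); } catch (e: unknown) { npmLsRaw = 'npm ls failed: ' + (e instanceof Error ? e.message : String(e)); }`. Separately, `findVersions` in the `@@ -148` hunk walks `node.dependencies`, which looks like parsed `npm ls --all --json` output, so the same command may now be run twice per analysis; if so, one invocation could feed both. Passing the package name as a separate argv element rather than a shell string is the right shape for a CLI-supplied value, provided `runCmd` uses execFile/spawn semantics — worth confirming since it is outside the hunk.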