# javascript
t
Anyone know about this issue. It was about GitHub reporting vulnerabilities because of Yarn lock. I'm upgrading my Gradle config and I cannot find this issue on YouTrack, maybe I'm looking at the wrong place? https://youtrack.jetbrains.com/issue/KT-50848/Kotlin-JS-inner-build-routines-are-using-vulnerable-NPM-dependencies-and-now-that-we-have-kotlin-js-store-github-audit-this
e
Can't see the issue, the visibility is probably restricted.
t
Yes, hence I'm asking. :D
e
Where did you find it? But yeah it happens if it's security-related. No idea what it is about tho.
t
It was public once (a year ago I think). I added a workaround into my Gradle config based on this issue (which still works, I mean the workaround). Now I'm optimising my Gradle setup and wanted to update and/or remove the workaround.
It is not an actual vulnerability, it is about GitHub reporting a vulnerability.
e
What was the workaround? Just curious.
t
fun Project.skipYarnLock() {
    // this is ugly but I don't use JS dependencies anyway,
    // <https://youtrack.jetbrains.com/issue/KT-50848/Kotlin-JS-inner-build-routines-are-using-vulnerable-NPM-dependencies-and-now-that-we-have-kotlin-js-store-github-audit-this>
    rootProject.plugins.withType<org.jetbrains.kotlin.gradle.targets.js.yarn.YarnPlugin> {
        rootProject.the<org.jetbrains.kotlin.gradle.targets.js.yarn.YarnRootExtension>().lockFileName = "skip-yarn-lock"
    }
}
e
Ahh ok, you simply rename the lockfile so it doesn't get picked up by GitHub.
t
Yes, nothing major.
And I typically add the issue in a comment, so that's how I had the URL.
e
Does GitHub still complain if you remove the workaround? I guess dependencies are now more up to date and probably have no vulnerabilities.
t
I don't know, but it is a good idea, I'll try that, thanks.
e
I found that Archive.org archived that URL in 2022 (tho not working), so definitely try removing the workaround as deps have changed.