
Comments (11)

davityavryan commented on June 29, 2024

OK, so my new approach worked (generate parse necessary info on the fly).
I will be able to change the code in a way so that it will require a static amount of RAM and Node will not go crazy. Give me some time and I will push a new version. ;)

p.s. low: 7368, moderate: 171, high: 9558, critical: 0 OMG :D

from yarn-audit-html.

kenlyon commented on June 29, 2024

Thanks for the quick fix. This works really well. I'm fine with the time it takes to run. It works and that's the main thing.

I tested with Git Bash, Command Prompt and PowerShell. The first two worked fine, but PowerShell still failed with the same error as before. It's ok, though. I was just going through the options in Visual Studio Code, and I can always use the other two.

Thanks again!


davityavryan commented on June 29, 2024

Hey @kenlyon ,

Thanks for reaching out.
Oh wow, 15.9GB. OK. :/ hmmm :D

I personally haven't experienced this problem, but I had a big audit result which was resulting in a similar issue. I say similar because the solution might be the same.

I wonder if reading from the file as a stream will help. As the audit JSON is of JSONL type, I think it will be possible to read and generate the result on the fly instead of reading everything and then having it output.

I will also try to take a look at the encoding problem. :/ Although I don't use Windows. So I will appreciate help very much with this one.

Is there a way so that you can share your audit file somehow?

from yarn-audit-html.
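
The streaming idea from the comment above, as an added example that is not part of the original thread or the yarn-audit-html code: it consumes `yarn audit --json` output in arbitrary chunks, keeps only per-severity counters and a set of advisory ids in memory, and tolerates records split across chunks, CRLF line endings and malformed lines. The record shape (Yarn v1 `auditAdvisory` lines) and all names such as `createAuditSummarizer` are assumptions; the sample input is constructed.

```javascript
// Added example: summarise `yarn audit --json` output (JSON Lines) chunk by chunk.
// Assumed Yarn v1 record: {"type":"auditAdvisory","data":{"advisory":{"id":1,"severity":"high"}}}
function createAuditSummarizer() {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const advisoryIds = new Set(); // grows with distinct advisories, not with file size
  let pending = '';              // unfinished last line of the previous chunk
  let malformed = 0;

  function handleLine(line) {
    if (line.trim() === '') return;
    let record;
    try { record = JSON.parse(line); } catch (err) { malformed += 1; return; }
    if (!record || record.type !== 'auditAdvisory') return; // e.g. the auditSummary line
    const advisory = record.data && record.data.advisory;
    const known = advisory && Object.prototype.hasOwnProperty.call(counts, advisory.severity);
    if (!known) { malformed += 1; return; } // count and skip instead of aborting the report
    counts[advisory.severity] += 1;
    advisoryIds.add(advisory.id);
  }

  return {
    // Feed one decoded string chunk; chunk boundaries may fall anywhere.
    write(chunk) {
      const lines = (pending + chunk).split('\n');
      pending = lines.pop();     // keep the incomplete tail for the next chunk
      lines.forEach(handleLine);
    },
    // Flush the last line (the file may not end in a newline) and report.
    end() {
      handleLine(pending);
      pending = '';
      return { counts, distinctAdvisories: advisoryIds.size, malformed };
    },
  };
}

// Constructed sample input, deliberately cut mid-record to mimic stream chunks.
const SAMPLE_CHUNKS = [
  '{"type":"auditAdvisory","data":{"advisory":{"id":1001,"severity":"high"}}}\n{"type":"audit',
  'Advisory","data":{"advisory":{"id":1001,"severity":"high"}}}\r\n',
  '{"type":"auditAdvisory","data":{"advisory":{"id":1002,"severity":"low"}}}\nnot json\n',
  '{"type":"auditSummary","data":{"vulnerabilities":{"low":1,"high":2}}}',
];

function summarizeSample() {
  const summarizer = createAuditSummarizer();
  SAMPLE_CHUNKS.forEach((chunk) => summarizer.write(chunk));
  return summarizer.end();
}
```

In real use the chunks would come from a UTF-8 decoded stream such as `process.stdin` rather than from the sample array.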

davityavryan commented on June 29, 2024

On second glance :/ this might be a different issue, as index.js#59 is in a readable stream (as far as I understand). So having an example file will help a lot to debug.

I suppose one of the easiest ways to pass me logs will be if I generate logs with your package.json (only interesting parts are dependency related fields) and yarn.lock. So if you can (legally) pass me those files and your Node and yarn versions, that would be awesome.


kenlyon commented on June 29, 2024

@davityavryan I have the file ready for you. (Zipped down to a much more manageable 477 MB.) I'd prefer not to share it publicly, though. What would be the best way to send you the download link? I didn't see an email address or anything in your profile and I don't know if we can send a direct message here.


davityavryan commented on June 29, 2024

Hey @kenlyon, you can try to join https://gitter.im/yarn-audit-html where you can write me a personal message. ;)
Let me know if you have any problems.


kenlyon commented on June 29, 2024

@davityavryan Yes it's fair to say I'm a bit overdue on the audit - hence the need for a convenient tool to show it as HTML. :) You can't leave these package lock files untouched for too long or the world leaves you behind.


davityavryan commented on June 29, 2024

> You can't leave these package lock files untouched for too long or the world leaves you behind.

Yeap, yeap. That's the reason I introduced this tool.
Personally I am upgrading devDependencies in my packages once a month and non-dev-dependencies once in two months (just to not introduce many breaking changes (sometimes you can miss a specific migration point, or make a mistake)).

I guess in your case (so far that I saw), the solution will be to upgrade the react-scripts package, but personally I have not been using it for a long time. I use esbuild, which is 100+ times faster. If you don't want to handle manual configuration though, you can use webpack + esbuild. Give it a try with this example, this is my other package's documentation builder. I am sure you would appreciate the speed improvement.

I will try to fix the problem in this package for use-cases like this of course. It's just you still need to upgrade anyway.


davityavryan commented on June 29, 2024

Also you can do

yarn upgrade-interactive which will show you "safe" to upgrade (minor or patch) versions of packages, which in theory will not introduce any breaking changes.
yarn upgrade-interactive --latest will show you with breaking changes. But I would do this one separately.

And if you run the yarn-deduplicate package after your upgrades, you will also eliminate all duplicated dependencies. (yarn does deduplication, but it is not a 100% good one). This will also speed up the install of packages, and you will have fewer vulnerabilities and fewer packages to maintain.

Remember less packages --> less vulnerabilities ;)

p.s. I am working on a tool which is based on this one which can be used on PRs and show newly introduced vulnerabilities only.


davityavryan commented on June 29, 2024

@kenlyon this is your audit file. Sorry, I am still working on fixing the issue. But this is the first result.
yarn-audit.html.zip


davityavryan commented on June 29, 2024

Hey @kenlyon

Try the newly released yarn-audit-html@^3.0.0 version. I tried with your log and it is taking from 2 to 3 minutes to generate the report, but at least it is working :) (and for that huge audit log file, it is kind of OK IMO).

Changes included:
https://github.com/davityavryan/yarn-audit-html/releases/tag/v2.1.0
https://github.com/davityavryan/yarn-audit-html/releases/tag/v3.0.0

Let me know if you experience any issues (including PowerShell, I did not check in there, sorry).

If everything is OK, then close this issue and feel free to buy me a coffee, if you will. If it is not yet fixed, well, ping me :)
