[BUG] `--prod` flag includes `devDependencies` of workspace packages in module's `dependencies` list

[Llois41]

Describe the bug

When having a workspace package, importing it as a dependency leads cyclonedx-yarn to include their devDependency in the SBOM as well.

To Reproduce

https://github.com/Llois41/cyclondx-dev-dependency-reproduction/tree/master

Expected behavior

I would expect that in the created sbom.json file there will also only be production dependencies of the workspace's package.

Environment

• @cyclonedx/yarn-plugin-cyclonedx version: 2.0.0
• yarn version: 4.5.3
• Node version: 22.13.1
• OS: MacOS

Contribution

• I am willing to provide a fix
• I will wait until somebody else fixes it

[jkowalleck]

Thank you for the report.

And thank you for providing an environment where the situation may be reproduced.
I will try to craft a test env for this project, which will come in handy for regression-testing.

[jkowalleck]

@Llois41

in the provided setup for reproduction, i find some odd things in the lock file.

could you try to make the rerpoducible env univetrsal?
see for example https://github.com/Llois41/cyclondx-dev-dependency-reproduction/blob/9ffc1d6748d587276e2c7908821bfe0a90ec3e92/yarn.lock#L244-L249

some dependencies seam to be pulled from a non-public proxy:

$ yarn install
➤ YN0088: A new stable version of Yarn is available: 4.6.0!
➤ YN0088: Upgrade now by running yarn set version 4.6.0

➤ YN0000: · Yarn 4.5.3
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0001: │ RequestError: getaddrinfo ENOTFOUND bahnhub.tech.rz.db.de
    at ClientRequest.<anonymous> (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:147:14258)
    at Object.onceWrapper (node:events:639:26)
    at ClientRequest.emit (node:events:536:35)
    at u.emit (/.../.cache/node/corepack/v1/yarn/4.5.3/yarn.js:142:14855)
    at emitErrorEvent (node:_http_client:104:11)
    at TLSSocket.socketErrorListener (node:_http_client:518:5)
    at TLSSocket.emit (node:events:524:28)
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
➤ YN0000: └ Completed in 14s 606ms
➤ YN0000: · Failed with errors in 14s 772ms

[Llois41]

Hi @jkowalleck

I fixed the settings in the reproduction git repo, you should (after fresh git pull) be able to run it locally yourself. May I ask you to delete your last comment, because of the internal company URL? :)

Thanks for having a look!

[jkowalleck]

it is still there: https://github.com/Llois41/cyclondx-dev-dependency-reproduction/blob/300481488a32697a2b27e3f648ee792fd6686432/.yarnrc.yml#L1
maybe you could fixup/squasch the repo to be just one commit. but then github still would keep the old (orphan) commit(git-node) somewhere.

Also, i do not see a reason for obscurity.
The internal resource is not reachable, and if it was, then you'd have much bigger problems - regardless whether the resource had a resolvable DNS entry .

so i think there is no need to worry about anything.
PS: even the official DB repos publish this resource:

• https://github.com/dbsystel/trivy-vulnerability-explorer/blob/c45d7dc44adf91190580a02ed119e71ffb82787d/renovate.json#L15
• https://github.com/DeutscheBahnAG/components/blob/35c9da4eda1b5753109de6d9a99abda7411134b1/deploy/helmfile.yaml#L4

[jkowalleck]

some brief research showed, that the workspace support was lacking features.
see #257

[Llois41]

yeah, I didn't clean up the history, but the new master should at least work :D And yeah, I also think, it is no issue.

@jkowalleck Alright, thanks for creating the collector issue. Can you give a rough estimation when you will have the capacity to work on the workspace support?

If others run into this issue as well: For now we workaround by installing only production dependencies and then use the "zero-install yarn dlx wrapper", but this makes versioning a little bit harder, since we have to add a separate renovate config rule instead of just having the dependency in our package.json ^^

[jkowalleck]

Can you give a rough estimation when you will have the capacity to work on the workspace support?

I might have some time in the next 6 months. can not promise anything.

Anyway, this tool is a community effort. Everybody is invited to contribute :-D
If you or your organization need a certain feature, feel free to donate/champion it.