nisha

Reputation: 11
nested dependencies resolution for yarn not showing up in yarn.lockfile

I am using resolutions to resolve a vulnerability coming from a nested dependency (@dep/xyz). The nested dependency is using axios 0.21.1 which has a vulnerability. I am supposed to upgrade to any compatible version above it.

When I added it to resolutions like below I don't see the update in yarn.lock file for the nested dependency. Please advise.

Below is my package.json file

package.json

{
  "name": "xyz",
  "dependencies": {
    "@dep/xyz": "2.3.4",
    "axios": "^0.21.2"
  },
  "resolutions": {
    "**/**/axios": "^0.21.2"
  }
}

yarn.lock which gets created after yarn install of above

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

axios@^0.21.1, axios@^0.21.2:
  version "0.21.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    follow-redirects "^1.14.0"

"@dep/xyz@2.3.4":
  version "2.3.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    "@x/d1" "0.2.2"
    "@y/d2" "0.9.2"
    axios "^0.21.1"

Upvotes: 1

Views: 4526

Answers (2)

Jake Coker-Dukowitz

Reputation: 31

You likely need to upgrade yarn. resolutions does not work with dependencies that have / in their name for yarn versions below 2. See https://github.com/yarnpkg/yarn/issues/4874

Upvotes: 3

phantomrose96

Reputation: 1

For starters, you don't need to do any resolution pinning. @dep/xyz@2.3.4 is pulling in axios with semver specification of "^0.21.1". In this context it will accept any version that is both >=0.21.1 and <0.22.0. You need only to use yarn to update the version of axios being resolved. I would advise AGAINST resolution pinning when you don't need to, because that can cause long-term incompatibility. If in the future axios has version >=0.22.0 that you or your dependencies are trying to consume, your resolution setting will force those down to be something within the range >=0.21.2 && <0.22.0.

More directly to your question - I don't see anything that looks wrong. The lockfile is doing exactly what I would expect. Your resolution of "axios@^0.21.2" is being respected, as it's pulling in 0.21.4 which abides by that (even though like I said a resolution is not necessary to achieve that). You haven't done any kind of resolution pinning associated with @dep/xyz (nor should you) so nothing is changed there.

Upvotes: 0
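A way to verify what both answers argue from the lockfile itself: parse the yarn.lock v1 entries, find every "axios@range" key, and check the locked version against the caret semantics described above (^0.21.1 accepts >=0.21.1 and <0.22.0) and against the minimum patched version. This is an added example, not code from the question or either answer; the lockfile text is constructed to mirror the question's, and `parseLockfile`, `satisfiesRange` and `auditPackage` are hypothetical helpers that handle only the `version` field and caret or exact ranges.

```javascript
// Added example, not code from the question or answers; the lockfile text is constructed.
const LOCKFILE = `# yarn lockfile v1
axios@^0.21.1, axios@^0.21.2:
  version "0.21.4"
"@dep/xyz@2.3.4":
  version "2.3.4"
  dependencies:
    axios "^0.21.1"
`;
// Numeric compare of "major.minor.patch" strings: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Caret semantics: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4; exact otherwise.
function satisfiesRange(version, range) {
  if (!range.startsWith("^")) return compareVersions(version, range) === 0;
  const base = range.slice(1);
  const [maj, min, pat] = base.split(".").map(Number);
  const upper = maj > 0 ? `${maj + 1}.0.0` : min > 0 ? `0.${min + 1}.0` : `0.0.${pat + 1}`;
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}
// Lockfile v1 entries: an unindented "key, key:" header followed by indented fields.
function parseLockfile(text) {
  const entries = []; let cur = null;
  for (const line of text.split("\n")) {
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      entries.push((cur = { keys, version: null }));
    } else if (cur) {
      const m = line.match(/^\s+version "([^"]+)"$/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}
// One result per "name@range" key of the audited package: locked version, whether it
// satisfies that range, and whether it is at or above the minimum patched version.
function auditPackage(text, name, minFixed) {
  const out = [];
  for (const e of parseLockfile(text))
    for (const key of e.keys) {
      const at = key.lastIndexOf("@");
      if (at <= 0 || key.slice(0, at) !== name) continue;
      out.push({ range: key.slice(at + 1), version: e.version,
                 inRange: satisfiesRange(e.version, key.slice(at + 1)),
                 patched: compareVersions(e.version, minFixed) >= 0 });
    }
  return out;
}
```

Running `auditPackage(LOCKFILE, "axios", "0.21.2")` returns two results (one per requested range), both resolved to 0.21.4, in range and patched, which is the state the second answer says the question's lockfile already reflects.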
