Today I Learned

Updating for security vulnerabilities with yarn can be tricky. For example, I got a Github warning that my version of js-yaml needed to be updated. js-yaml does not appear in my package.json. It is one of my dependencies’ dependencies.

yarn update js-yaml@secure-version adds js-yaml into my dependencies, which is not what I want to communicate to the team.

Trying to solve for this communication problem brought me to Yarn’s selective dependency resolutions. This seems to fit the exact bill of what I’m trying to achieve. Among the reason’s to use selective dependency resolution is listed:

A sub-dependency of your project got an important security update and you don’t want to wait for your direct-dependency to issue a minimum version update.

Force yarn.lock to update appropriately, without communicating to a future maintainer that this is actually a dependency of our app. Works on my machine.