Today I Learned
Updating for security vulnerabilities with yarn can be tricky.
For example, I got a Github warning that my version of
js-yaml needed to be updated.
js-yaml does not appear in my
It is one of my dependencies’ dependencies.
yarn update js-yaml@secure-version adds
js-yaml into my dependencies, which is not what I want to communicate to the team.
Trying to solve for this communication problem brought me to Yarn’s selective dependency resolutions. This seems to fit the exact bill of what I’m trying to achieve. Among the reason’s to use selective dependency resolution is listed:
A sub-dependency of your project got an important security update and you don’t want to wait for your direct-dependency to issue a minimum version update.
yarn.lock to update appropriately, without communicating to a future maintainer that this is actually a dependency of our app.
Works on my machine.