
Updating indirect dependencies with Yarn

April 22, 2020

Since the JavaScript ecosystem consists of many small packages, your JavaScript project likely depends on a lot of them, especially if you're using a tool like Webpack.

Every once in a while, one of these dependencies has a security issue, which makes your project vulnerable to it as well.

Recently, Minimist had a security issue, so I had to update it to version 1.2.3 or later. My project does not depend on Minimist directly, only through other packages.

Unfortunately, this command didn't help:

yarn upgrade minimist

Nothing happened, since this command only updates direct dependencies.

There are two ways to solve this problem.

1. Using resolutions

Yarn supports the "resolutions" field in package.json for specifying custom package versions or ranges [1].

I had to add this to the package.json:

"resolutions": {
  "minimist": "^1.2.3"
}

After specifying this, I had to remove the yarn.lock file and run:

yarn install

2. Deleting dependents from the lock file manually

This is another option, which doesn't require deleting the entire lock file.

Go through the lock file and delete anything that depends on the problematic package (Minimist in my case): delete each entire block of text that mentions your package, not just the single line. After you have done that, run:

yarn install

Both of these solutions will only work if the patched version of the problematic package is within the allowed range of its dependents. Otherwise you will have to update the packages that depend on it too.
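Finding the blocks to delete by hand gets tedious in a large lock file, and the caveat above (does each dependent's declared range actually admit the patched version?) is easy to get wrong by eye. The following script is an added example, not code from the original post: it parses a yarn.lock v1 file, lists every entry that resolves the package itself and every entry that depends on it, and checks each dependent's declared range against the patched version with a minimal semver check (exact, caret, tilde and `>=` ranges only; anything else is reported as unknown rather than guessed). The lock file content, package name and version are constructed sample data; the `integrity` and `resolved` values are placeholders.

```javascript
// Added example: audit a yarn.lock (v1 format) for a vulnerable indirect
// dependency. Sample lock file below is constructed for illustration.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


minimist@^1.2.0:
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

minimist@0.0.8:
  version "0.0.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz#placeholder"
  integrity sha512-PLACEHOLDER

mkdirp@^0.5.1:
  version "0.5.1"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.1.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    minimist "0.0.8"

rc@^1.2.8:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    minimist "^1.2.0"
`;

// Split a dependency line such as `minimist "0.0.8"` or `"@scope/x" "^1.0.0"`.
function splitKeyValue(body) {
  const m = /^"?([^"\s]+)"?\s+"?([^"]+)"?$/.exec(body);
  return m ? [m[1], m[2]] : [body, ''];
}

// Parse yarn.lock v1: entries are separated by blank lines, the header line is a
// comma-separated list of "name@range" keys ending in ':', fields are indented
// two spaces and dependency lines four spaces under "dependencies:".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      // lastIndexOf handles scoped names such as @scope/pkg@^1.0.0
      const name = keys[0].slice(0, keys[0].lastIndexOf('@'));
      current = { keys, name, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
      continue;
    }
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      if (body.startsWith('version ')) current.version = body.slice('version '.length).replace(/"/g, '');
    } else if (indent === 4 && inDeps) {
      const [depName, depRange] = splitKeyValue(body);
      current.dependencies[depName] = depRange;
    }
  }
  return entries;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver check for the range forms yarn.lock commonly carries. Returns
// true/false, or null when the range syntax is not one of the handled forms.
function rangeAdmits(range, versionStr) {
  const version = parseVersion(versionStr);
  const m = /^(\^|~|>=)?\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!version || !m) return null;
  const base = parseVersion(m[2]);
  const op = m[1] || '';
  if (compare(version, base) < 0) return false;
  if (op === '>=') return true;
  if (op === '') return compare(version, base) === 0;
  if (op === '~') return version[0] === base[0] && version[1] === base[1];
  // caret: same major; for 0.x same minor too; for 0.0.x only the exact version
  if (base[0] !== 0) return version[0] === base[0];
  if (base[1] !== 0) return version[0] === 0 && version[1] === base[1];
  return compare(version, base) === 0;
}

// Report which lock entries resolve `pkg` (and whether they are already at or
// above the patched version) and which entries depend on it (and whether their
// declared range would admit the patched version).
function auditLock(text, pkg, patchedVersion) {
  const entries = parseYarnLock(text);
  const patched = parseVersion(patchedVersion);
  const resolved = entries
    .filter((e) => e.name === pkg)
    .map((e) => ({ key: e.keys.join(', '), version: e.version,
                   fixed: compare(parseVersion(e.version), patched) >= 0 }));
  const dependents = entries
    .filter((e) => e.dependencies[pkg] !== undefined)
    .map((e) => ({ name: e.name, version: e.version, range: e.dependencies[pkg],
                   admitsPatched: rangeAdmits(e.dependencies[pkg], patchedVersion) }));
  return { resolved, dependents };
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK, 'minimist', '1.2.3'), null, 2));
```

On the sample data the report shows the two situations the caveat describes: `rc` declares `^1.2.0`, so deleting its block (or adding the resolution) lets Yarn re-resolve minimist to 1.2.3 or later, while `mkdirp` pins `0.0.8`, so it will not accept the patched version and `mkdirp` itself has to be updated. To run it against a real project, replace `SAMPLE_LOCK` with the contents of your `yarn.lock`.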

  1. For more info, refer to the Yarn documentation.
@shime_sh Hrvoje Šimić