Since the JavaScript ecosystem consists of many small packages, your JavaScript project likely depends on a great many of them, especially if you're using a tool like Webpack.
Every once in a while one of these dependencies has a security issue, which makes your project vulnerable to that issue as well.
Recently, Minimist had a security issue, so I had to update it to version 1.2.3 or later. My project does not depend directly on Minimist.
Unfortunately, this command didn't help:
yarn upgrade minimist
Nothing happened, since this command only updates direct dependencies.
There are two ways to solve this problem.
Yarn supports the "resolutions" field in package.json for specifying custom package versions or ranges [1]. I had to add this to the package.json:
"resolutions": {
  "minimist": "^1.2.3"
}
After specifying this, I had to remove the yarn.lock file and run:
yarn install
The second option doesn't require deleting the entire lock file.
Go through the lock file and delete anything that depends on the problematic package (Minimist in my case), i.e. the entire blocks of text that mention your package. After you have done that, run:
yarn install
Both of these solutions will only work if the patched version of the problematic package is within the range allowed by its dependants. Otherwise you will have to update the packages that depend on it too.
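To see in advance which case you are in, the following added example (my own code, not from the post or from Yarn) scans a yarn.lock for every range under which a package is requested, lists the lock entries that request it (the blocks you would delete in the second option), and checks whether the patched version fits each range, so you know whether a "resolutions" entry can work or the dependants must be bumped. The sample lock and the package names example-cli and example-loader are constructed, and the semver check is a simplified one covering only ^, ~ and exact ranges.

```javascript
// Added example (not from the original post): scan a yarn.lock (v1) for every range under
// which a transitive dependency is requested and check whether the patched version fits it,
// i.e. whether a "resolutions" entry or a lock-file edit can pull the fix in, or whether the
// dependents themselves must be upgraded. Assumes plain x.y.z versions, ^ / ~ / exact ranges.
const ver = (s) => s.replace(/^[~^]/, '').split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function satisfies(version, range) { // range is "^1.2.0", "~1.2.0" or "1.2.0"
  const v = ver(version), base = ver(range);
  if (cmp(v, base) < 0) return false;
  if (range.startsWith('^')) { // leftmost non-zero component is locked, so ^0.x is minor-locked
    const idx = base.findIndex((n) => n !== 0), lock = idx < 0 ? 2 : idx;
    return v.slice(0, lock + 1).every((n, i) => n === base[i]);
  }
  if (range.startsWith('~')) return v[0] === base[0] && v[1] === base[1];
  return cmp(v, base) === 0;
}

// Lock entries start at column 0 with `name@range, name@range2:`; their dependencies are
// four-space-indented `dep "range"` lines. Returns one record per distinct range requested for pkg.
function auditLock(lockText, pkg, fixedVersion) {
  const dependents = new Map(); // requested range -> entries that request it
  for (const block of lockText.split(/\n(?=\S)/)) {
    const header = block.split('\n')[0].trim();
    if (!header.endsWith(':') || header.startsWith('#')) continue;
    const key = header.split(',')[0].trim().replace(/^"/, '');
    const name = key.slice(0, key.lastIndexOf('@')); // last "@": scoped names start with "@"
    for (const m of block.matchAll(/^ {4}"?([^" ]+)"? "([^"]+)"$/gm))
      if (m[1] === pkg) dependents.set(m[2], [...(dependents.get(m[2]) || []), name]);
  }
  return [...dependents].map(([range, names]) => ({
    range, dependents: names, // the lock blocks to delete (option 2) or the packages to bump
    fixable: satisfies(fixedVersion, range), // false: no resolution can help
  }));
}

// Constructed sample lock (entries trimmed to what matters): one dependent's caret range
// admits 1.2.3, the other pins 0.0.8, which no 1.2.x release can satisfy.
const SAMPLE_LOCK = `# yarn lockfile v1

example-cli@^2.0.0:
  version "2.0.4"
  dependencies:
    minimist "0.0.8"

example-loader@^3.1.0, example-loader@^3.0.0:
  version "3.1.2"
  dependencies:
    minimist "^1.2.0"
`;
```

Run it with `auditLock(SAMPLE_LOCK, 'minimist', '1.2.3')`: the range "^1.2.0" comes back fixable, while the pinned "0.0.8" does not, which means example-cli itself would have to be upgraded.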