To address the vulnerability & potential security threat, our company has started using Nexus IQ. I have configured the VS Code plugin to point to the internal IQ Server datasource. With the report getting generated, we are asked to address the threat levels that are in the range of 9 & 10 and any license violation. The current project has no license violation, but the report shows many items which are transitive dependencies and not directly installed. I am using Angular 10 with Material and Safe-pipe. I don't know how I can update transitive dependencies. For example, lodash 4.17.10 has multiple occurrences & IQ is recommending to upgrade it to lodash 4.17.20. js-yaml is at 3.12.0, but IQ recommends using 3.13.1.
As a Java developer it was quite doable to migrate to the recommended version from Eclipse, but in VS Code neither do I see any option to migrate nor do I have knowledge of how to modify transitive JavaScript libraries.
Thanks in advance & kindly advise on standard practice.