1

I am using resolutions to resolve a vulnerability coming from a nested dependency (@dep/xyz). The nested dependency is using axios 0.21.1 whichhas a vulnerability. I am supposed to upgrade to any compatible version above it.

When I added it to resolutions like below I don't see the update in yarn.lock file for the nested dependency. Please advise.

Below is my package.json file

package.json

{
 "name" : "xyz",
 dependencies: {
     "@dep/xyz" : "2.3.4",
     "axios": "^0.21.2"
 },
 "resolutions": {
    "**/**/axios": "^0.21.2"
  }
}

yarn.lock which gets created after yarn install of above

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

axios@^0.21.1, axios@^0.21.2:
  version "0.21.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    follow-redirects "^1.14.0"

"@dep/xyz@2.3.4":
  version "2.3.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    "@x/d1" "0.2.2"
    "@y/d2" "0.9.2"
    axios "^0.21.1"
nisha
  • 11
  • 1
  • 3

2 Answers2

2

You likely need to upgrade yarn. resolutions does not work with dependencies that have / in their name for yarn versions below 2. See https://github.com/yarnpkg/yarn/issues/4874

Jake Coker-Dukowitz
  • 21
  • 2
0

For starters, you don't need to do any resolution pinning. @dep/xyz@2.3.4 is pulling in axios with semver specification of "^0.21.1". In this context it will accept any version that is both >=0.21.1 and <0.22.0. You need only to use yarn to update the version of axios being resolved. I would advise AGAINST resolution pinning when you don't need to, because that can cause long-term incompatibility. If in the future axios has version >=0.22.0 that you or your dependencies are trying to consume, your resolution setting will force those down to be something within the range >=0.21.2 && <0.22.0.

More directly to your question - I don't see anything that looks wrong. The lockfile is doing exactly what I would expect. Your resolution of "axios@^0.21.2" is being respected, as it's pulling in 0.21.4 which abides by that (even though like I said a resolution is not necessary to achieve that). You haven't done any kind of resolution pinning associated with @dep/xyz (nor should you) so nothing is changed there.

phantomrose96
  • 1