
We have enabled Dependabot alerts on our repository, but Dependabot is not opening a new PR for some of the vulnerabilities. For example:

Below is one of the alerts I see:

```
The latest possible version that can be installed is 2.4.2 because of the following conflicting dependencies:

zip-folder@1.0.0 requires lodash@~2.4.1 via archiver@0.11.0
zip-folder@1.0.0 requires lodash@~2.4.1 via a transitive dependency on zip-stream@0.4.1

The earliest fixed version is 4.17.21.
```

But zip-folder has not been updated on the npm registry so far; the fix on lodash was released 9 years ago (i.e. v1.1.1), but the latest lodash version is 4.17.21 and it's using v1.1.0.

As the zip dependency is transitive, should I update to v1.1.1 in my package.json manually? Will it override the version used by zip, or is there some alternative to this approach?

0 Answers
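For reference, the mechanism the question is asking about: adding `lodash` to your own `dependencies` does not change what zip-folder's subtree resolves to, because its declared range `~2.4.1` excludes 4.x and npm simply nests a 2.4.x copy under zip-folder. What does force the transitive version is the `overrides` field in the root package.json (npm 8.3 and later; Yarn classic has the equivalent `resolutions`). The file below is an added illustration, not from the original post or from the zip-folder project; the package name and version are placeholders.

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "zip-folder": "1.0.0"
  },
  "overrides": {
    "zip-folder": {
      "lodash": "4.17.21"
    }
  }
}
```

Scoping the override to `zip-folder` limits the forced version to that subtree (archiver@0.11.0 and zip-stream@0.4.1 included) rather than every lodash in the tree. After `npm install`, check with `npm ls lodash` that no 2.4.x copy remains in the lockfile, which is what the Dependabot alert is keyed on. The caveat is that the alert itself says those packages pin `~2.4.1`, and 4.17.21 is two major versions away, so exercise the zip code path in tests before relying on it; the alternative if it breaks is replacing zip-folder with a maintained archiver release.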