antongolub / yarn-audit-fix

The missing `yarn audit fix`
MIT License
181 stars 9 forks

Update dependency higher-up the tree? #323

Open christian-schwaderer opened 9 months ago

christian-schwaderer commented 9 months ago

This is rather a suggestion than an issue.

Today, `yarn audit` failed, warning me about https://github.com/advisories/GHSA-78xj-cgh5-2h22 in `mongodb>socks>ip`.

Running `npx yarn-audit-fix` ended with:

```
Can't find satisfactory version for ip <0.0.0
Upgraded deps: <none>
```

However, there is actually a solution: upgrading socks to version 2.7.3, because that version does not contain the vulnerable ip package anymore at all.

I don't know if such things would be too sophisticated, but if yarn-audit-fix could do such things automatically it would make it even better :)

antongolub commented 9 months ago

@christian-schwaderer,

I'm afraid the npm advisory API does not provide this kind of suggestion right now. Well, technically we can pick the dependents, then brute force up the permissible range to find versions w/o their own direct vulnerable deps. But just imagine if the mentioned socks brought a new dep1 with dep2 with dep3, which, if resolved in the current project, would bring back the vulnerable ip or smth else.

It's like a combinatorial explosion.
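To make both points in this thread concrete (the "upgrade the dependent instead of the advised package" idea from the first comment, and the "a newer dependent may pull the vulnerable package back in through new transitive deps" objection from the reply), here is an added example that is not part of yarn-audit-fix and not the maintainer's code. The registry, the `ip2` package, every version number and the dependency edges are constructed for the illustration (socks 2.7.3 is named in the thread, but the rest of the metadata is invented), and the advisory is modelled as "no fixed version exists", matching the `ip <0.0.0` message in the issue. Range handling is deliberately minimal (`^x.y.z` and exact versions only); a real implementation would use the `semver` package.

```javascript
'use strict';

// Constructed registry (NOT real npm metadata): name -> version -> dependency ranges.
const REGISTRY = {
  ip: { '1.1.8': {}, '2.0.0': {} },
  ip2: { '1.0.0': { ip: '^2.0.0' } },          // hypothetical package that depends on ip
  socks: {
    '2.7.1': { ip: '^1.1.8' },
    '2.7.2': { ip: '^2.0.0' },
    '2.7.3': {},                                 // drops the ip dependency entirely
    '2.8.0': { ip2: '^1.0.0' },                  // hypothetical: transitively brings ip back
  },
  mongodb: { '6.0.0': { socks: '^2.7.1' } },
};

// Constructed advisory for ip with no patched release, so every version is vulnerable
// (the situation behind "Can't find satisfactory version for ip <0.0.0").
const ADVISORY = { name: 'ip', isVulnerable: () => true };

const parse = (v) => v.split('.').map(Number);

function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range check: "^x.y.z" means same major and >= x.y.z; anything else is exact.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
  }
  return version === range;
}

// All published versions of `name` inside `range`, ascending.
function versionsIn(name, range) {
  return Object.keys(REGISTRY[name] || {}).filter((v) => satisfies(v, range)).sort(cmp);
}

// Transitive dependency closure of name@version, picking the highest version that
// satisfies each range, the way a fresh install of that subtree would.
function closure(name, version, seen = new Map()) {
  const key = `${name}@${version}`;
  if (seen.has(key)) return seen;
  seen.set(key, { name, version });
  for (const [dep, range] of Object.entries(REGISTRY[name][version])) {
    const candidates = versionsIn(dep, range);
    if (candidates.length === 0) throw new Error(`unresolvable ${dep}@${range}`);
    closure(dep, candidates[candidates.length - 1], seen);
  }
  return seen;
}

// True if the advised package shows up anywhere in the closure at a vulnerable version.
function closureHasVulnerable(name, version, advisory) {
  for (const { name: n, version: v } of closure(name, version).values()) {
    if (n === advisory.name && advisory.isVulnerable(v)) return true;
  }
  return false;
}

// Brute-force the dependent's permissible range, newest first (what an upgrade tool
// would prefer), and return the first version whose whole closure is clean, plus the
// candidates that were rejected because the vulnerable package came back transitively.
function findSafeUpgrade(dependent, range, advisory) {
  const rejected = [];
  for (const v of versionsIn(dependent, range).reverse()) {
    if (closureHasVulnerable(dependent, v, advisory)) rejected.push(v);
    else return { safe: v, rejected };
  }
  return { safe: null, rejected };
}

// Usage: mongodb declares socks@^2.7.1, so that is the permissible range for socks.
const result = findSafeUpgrade('socks', REGISTRY.mongodb['6.0.0'].socks, ADVISORY);
console.log(result); // { safe: '2.7.3', rejected: [ '2.8.0' ] }
```

The `rejected` list is where the maintainer's objection shows up: the newest socks in range is dropped because its new dependency re-introduces ip two hops down, and the search only succeeds because an older version without the dependency still satisfies the parent's range. Note the cost model: every candidate version of every dependent requires resolving a full closure against the registry, and a real project has many dependents with many versions each, which is the combinatorial explosion the reply refers to.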