Closed michalc closed 2 years ago
Hi @michalc,

This may be a question of interest for the upstream repo/project: https://github.com/eclipse-theia/theia/issues

AFAIK, using `resolutions` is indeed sometimes the only way to momentarily get rid of a specific, unwanted version of a transitive dependency. Then one hopes that the whole dependency chain will adapt, slowly expunging the vulnerable version of the package, so we can pick up a better version by updating the first-level dependency that ends up pulling the faulty package.

The `yarn.lock` for your product, do you sometimes update it, so that you'll give `yarn` the chance to look for compatible, later versions of the packages currently in use? I think using `yarn upgrade` is the way this is usually done. If you do not do that, it may be pinning older dependencies than what you'd otherwise have.

It's also possible that in some cases, some requested versions or version ranges, in eclipse-theia itself, are too narrow and would need updating. In such a case, it's better to let us know so we can fix it; optionally, you can submit a PR yourself.
This contribution has been automatically marked as stale due to inactivity, and it will be closed if no further activity occurs. Thank you for contributing to Theia!
In a Theia-based project, is there a suggested process for bumping dependencies that have reported vulnerabilities?

In mine, GitHub tells me about vulnerabilities in the `yarn.lock` file (or I can do it manually with a `yarn audit`). However, they're in transitive dependencies, and they seem to rarely allow bumping to a version that doesn't have the vulnerability. The only way I seem to be able to bump them is to force them using `resolutions`, and then hoping for the best. So far, my `resolutions` in `package.json` looks like:

I'm a bit nervous since it's forcing dependencies to use packages that they aren't specified to be compatible with.

Is there anything better that can be done?
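The compatibility worry in the question can at least be made visible. As an added example (not from this issue, Theia or yarn), the Python script below parses a constructed yarn.lock v1 sample and reports entries whose resolved version falls outside a range that a dependent declared, which is exactly the state a `resolutions` override leaves in the lockfile:

```python
# Constructed yarn.lock (v1 format) sample, not the issue author's file. The
# second entry resolves to a version outside both requested ranges, which is
# what an applied "resolutions" override looks like in the lockfile.
SAMPLE_LOCK = """\
"left-pad@^1.1.0":
  version "1.3.0"
  resolved "https://registry.example/left-pad-1.3.0.tgz"

"some-parser@^1.2.0", "some-parser@~1.4.0":
  version "2.0.1"
  resolved "https://registry.example/some-parser-2.0.1.tgz"
"""

def parse_lock(text):
    """Yield (name, requested_ranges, resolved_version) per lockfile entry."""
    entry = None
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")) and line.endswith(":"):
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
            name, ranges = zip(*(k.rsplit("@", 1) for k in keys))
            entry = (name[0], list(ranges))
        elif entry and line.strip().startswith("version "):
            yield entry[0], entry[1], line.split('"')[1]
            entry = None

def _v(s):
    return tuple(int(p) for p in s.split("-")[0].split("."))

def satisfies(version, rng):
    """Minimal semver check for ^x.y.z, ~x.y.z and exact ranges; any other
    form is treated as satisfied to avoid false positives (^0.0.z simplified)."""
    try:
        if rng[0] in "^~":
            v, lo = _v(version), _v(rng[1:])
            if v < lo:
                return False
            if rng[0] == "^" and lo[0] != 0:
                return v[0] == lo[0]
            return v[:2] == lo[:2]
        return _v(version) == _v(rng)
    except (ValueError, IndexError):
        return True

def forced_entries(lock_text):
    """(name, resolved, offending_ranges) for entries whose resolved version
    lies outside a declared range: the overrides that need a compatibility check."""
    return [(n, res, bad) for n, rng, res in parse_lock(lock_text)
            if (bad := [r for r in rng if not satisfies(res, r)])]
```

Run it against a real yarn.lock after `yarn install` to get the list of packages whose dependents were never declared compatible with the forced version, which is the set worth covering with the project's test suite.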