yarn upgrade to fix yarn audit errors

The solution to this problem in yarn is called selective version resolutions which is basically defining resolutions for the transitive dependencies in the package.json.

The transitive dependencies are the dependencies of dependencies.

{
   "resolutions": { "**/**/lodash": "^4.17.12" }
}

So here even if the lodash isn't a direct dependency of your package, the dependent package in your package uses the version defined in the resolutions. Specific resolutions can also be provided. More info here.

While resolutions work, it is not the optimal solution, because:

• you clutter your package.json with resolutions of transitive dependencies
• you override the actually required version with what you think will work version. Assume A depends on B@^4.0.0 and you update B and resolve it to ^4.3.2. Some time later A gets an update and requires B@^5.0.0, but you still resolve B to ^4.3.2, which is not compatible anymore.

Here is another way to update transitive dependencies:

1. delete the version of the dependency you want to update from yarn.lock
2. run yarn install

This way you force yarn to resolve the dependency again and in most cases yarn will install a newer version of what you deleted from yarn.lock.

Example: let's assume that you want to update vulnerable minimist@0.0.8, then you need to delete an entry like this from your yarn.lock:

minimist@0.0.8:
  version "0.0.8"
  resolved "http://10.0.0.1/repository/npm-registry/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"
  integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=

and then run yarn install.

If this doesn't help:

Try updating dependencies that are higher in the dependency chain:

1. Run yarn why <dependency> to find out which packages pull it
2. Go up the chain and try deleting the upper dependency in the chain from yarn.lock and then running yarn install

Example:

Here is an example, where we update a transitive dependency minimist:

$ yarn why minimist
.....
=> Found "mkdirp#minimist@0.0.8"
info This module exists because "eslint#mkdirp" depends on it.
=> Found "optimist#minimist@0.0.10"
info This module exists because "jest#jest-cli#@jest#core#@jest#reporters#istanbul-reports#handlebars#optimist" depends on it.
.....

1. Delete minimist entries from yarn.lock and run yarn install -> this doesn't help, presumably because mkdirp and optimist require exactly minimist@0.0.8 and minimist@0.0.10
2. Delete "direct parents" of minimist from yarn.lock: mkdirp and optimist.
3. Run yarn install.

4. Run yarn why minimist again:

   Click to copy

   $ yarn why minimist
   .....
   => Found "mkdirp#minimist@1.2.5"
   info This module exists because "eslint#mkdirp" depends on it.
   => Found "optimist#minimist@0.0.10"
   info This module exists because "jest#jest-cli#@jest#core#@jest#reporters#istanbul-reports#handlebars#optimist" depends on it.
   .....
   

   Here we see that minimist@0.0.8 was updated to minimist@1.2.5, but minimist@0.0.10 still exists.

5. Delete the next dependency in the dependency chain from yarn.lock: handlebars

6. Run yarn install
7. Run yarn why minimist - nothing changed, minimist@0.0.10 is still there.
8. Delete the next dependency in the chain from yarn.lock: istanbul-reports
9. Run yarn install
10. Run yarn why minimist: minimist@0.0.10 is not there anymore, because istanbul-reports was updated.