I have packages transitively referencing minimatch versions 3.0.4 and 5.0.1. Version 3.0.4 reportedly has a vulnerability. I would like to force the resolution of minimatch 3.0.4 to perhaps 3.0.6 or 3.0.7, but leave minimatch 5.0.1 as-is. So I would end up referencing 3.0.6 and 5.0.1.
Is there a way to achieve this via package.json with yarn (1.22)? I see you can do:
"resolutions": {
  "minimatch": "3.0.6"
}
But this would redirect all versions of minimatch to 3.0.6, not just 3.0.4.
CodePudding user response:
Looks like this is possible with newer versions of yarn (https://yarnpkg.com/cli/set/resolution), however, I'm on yarn "classic" where such support was considered "too advanced".
While I could not specify what I wanted, I could find the exact dependency chain using 3.0.4 and specify that in resolutions. e.g.
"react-scripts/react-dev-utils/recursive-readdir/minimatch": "^3.0.5"
This solved the problem.
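Finding that exact chain by hand gets tedious in a large lockfile. As an added example that is not part of the question or the answer, the script below parses a yarn v1 lockfile (a constructed excerpt is embedded; the package names and versions in it are illustrative), climbs the reverse dependency edges from the one resolved version you want to move, and produces the nested resolutions keys for only those chains, leaving every other resolved version alone.

```javascript
// Constructed yarn.lock v1 excerpt (not a real project's lockfile), one line per entry.
const SAMPLE_LOCK = [
  'react-scripts@5.0.1:', '  version "5.0.1"', '  dependencies:', '    react-dev-utils "^12.0.1"', '',
  'react-dev-utils@^12.0.1:', '  version "12.0.1"', '  dependencies:', '    recursive-readdir "^2.2.2"', '',
  'recursive-readdir@^2.2.2:', '  version "2.2.2"', '  dependencies:', '    minimatch "3.0.4"', '',
  '"minimatch@3.0.4", "minimatch@^3.0.4":', '  version "3.0.4"', '',
  'some-tool@^1.0.0:', '  version "1.0.0"', '  dependencies:', '    minimatch "^5.0.1"', '',
  'minimatch@^5.0.1:', '  version "5.0.1"',
].join('\n');

// Parse yarn v1 lockfile text into { specs, version, dependencies } entries.
function parseYarnLock(text) {
  return text.split(/\n\s*\n/).map(block => {
    const lines = block.split('\n').filter(l => l.trim() && !l.startsWith('#'));
    if (!lines.length) return null;
    // header is `pkg@range:` or `"pkg@range", "pkg@other":`; every spec resolves to this entry
    const specs = lines[0].replace(/:\s*$/, '').split(/,\s*/).map(s => s.replace(/"/g, ''));
    const entry = { specs, version: null, dependencies: {} };
    let inDeps = false;
    for (const line of lines.slice(1)) {
      const v = line.match(/^ {2}version "([^"]+)"/);
      if (v) entry.version = v[1];
      // dependency lines sit 4 spaces deep under a 2-space `dependencies:` key
      inDeps = /^ {2}(optionalD|d)ependencies:/.test(line) || (inDeps && line.startsWith('    '));
      const d = inDeps && line.match(/^ {4}"?([^"\s]+)"? "([^"]+)"/);
      if (d) entry.dependencies[d[1]] = d[2];
    }
    return entry;
  }).filter(Boolean);
}

const specName = spec => spec.slice(0, spec.lastIndexOf('@')); // "@s/p@^1" -> "@s/p"

// Climb reverse dependency edges from every entry of `name` resolved to `version`
// up to the roots; each root-to-leaf chain becomes a nested "resolutions" key.
function resolutionPaths(entries, name, version) {
  const index = new Map(entries.flatMap(e => e.specs.map(s => [s, e])));
  const dependents = new Map(entries.map(e => [e, []]));
  for (const e of entries)
    for (const [dep, range] of Object.entries(e.dependencies))
      if (index.has(`${dep}@${range}`)) dependents.get(index.get(`${dep}@${range}`)).push(e);
  const paths = [];
  const walk = (entry, trail) => {
    const chain = [specName(entry.specs[0]), ...trail];
    const parents = dependents.get(entry).filter(p => !chain.includes(specName(p.specs[0]))); // skip cycles
    if (!parents.length) paths.push(chain.join('/'));
    parents.forEach(p => walk(p, chain));
  };
  for (const e of entries) if (specName(e.specs[0]) === name && e.version === version) walk(e, []);
  return paths.sort();
}

// Pin only the chains that currently resolve to `version`; other resolved versions stay as they are.
function suggestResolutions(entries, name, version, range) {
  return Object.fromEntries(resolutionPaths(entries, name, version).map(p => [p, range]));
}
```

Run `suggestResolutions(parseYarnLock(fs.readFileSync('yarn.lock', 'utf8')), 'minimatch', '3.0.4', '^3.0.5')` against a real lockfile and paste the returned object into the resolutions field of package.json.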