Force resolution of only specific versions of a library?

Time:12-17

I have packages transitively referencing minimatch versions 3.0.4 and 5.0.1. Version 3.0.4 reportedly has a vulnerability. I would like to force the resolution of minimatch 3.0.4 to perhaps 3.0.6 or 3.0.7, but leave minimatch 5.0.1 as-is. So I would end up referencing 3.0.6 and 5.0.1.

Is there a way to achieve this via package.json with yarn (1.22)? I see you can do:

"resolutions": {
  "minimatch": "3.0.6"
}

But this would redirect all versions of minimatch to 3.0.6, not just 3.0.4.

CodePudding user response:

Looks like this is possible with newer versions of yarn (https://yarnpkg.com/cli/set/resolution); however, I'm on yarn "classic", where such support was considered "too advanced".

While I could not specify what I wanted, I could find the exact dependency chain using 3.0.4 and specify that in resolutions. e.g.

"react-scripts/react-dev-utils/recursive-readdir/minimatch": "^3.0.5"

This solved the problem.
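The answer's approach depends on knowing the exact dependency chain that pulls in the vulnerable version, so that the nested resolutions key pins only that chain and leaves the other major version alone. The script below is an added example, not code from the original post or from the yarn project: it parses a yarn v1 lockfile, walks from the root dependencies to every chain that ends at a given package version, and emits the nested resolutions keys in the form the answer shows. The lockfile text and package.json are constructed for the example; the react-scripts/react-dev-utils/recursive-readdir/minimatch chain mirrors the one in the answer, while "some-linter" is a made-up package that depends on the newer minimatch. The registry URL and all version numbers are likewise constructed placeholders.

```javascript
// Added example (not from the original post): locate the dependency chains in a
// yarn v1 lockfile that resolve to a specific package version and emit nested
// "resolutions" keys so that only that version is overridden.

// Constructed sample yarn.lock (v1 format). Package versions, the registry
// URL and the "some-linter" package are made up for this example.
const SAMPLE_LOCKFILE = `# yarn lockfile v1

"minimatch@^3.0.4":
  version "3.0.4"
  resolved "https://registry.example/minimatch-3.0.4.tgz"
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^5.0.1:
  version "5.0.1"
  dependencies:
    brace-expansion "^2.0.1"

recursive-readdir@^2.2.2:
  version "2.2.2"
  dependencies:
    minimatch "^3.0.4"

react-dev-utils@^12.0.0:
  version "12.0.0"
  dependencies:
    recursive-readdir "^2.2.2"

react-scripts@^5.0.0:
  version "5.0.0"
  dependencies:
    react-dev-utils "^12.0.0"

some-linter@^1.0.0:
  version "1.0.0"
  dependencies:
    minimatch "^5.0.1"
`;

// Constructed package.json root dependencies for the sample project.
const SAMPLE_PACKAGE_JSON = { dependencies: { "react-scripts": "^5.0.0", "some-linter": "^1.0.0" } };

// Minimal parser for the yarn v1 lockfile layout: an unindented "name@range:" header
// (possibly quoted, possibly several comma-separated specifiers), then 2-space keys
// such as version, and 4-space "name range" lines under dependencies:.
// Assumption: "npm:" aliases and other exotic specifiers are not handled.
function parseYarnLock(text) {
  const bySpecifier = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specifiers = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specifiers, version: null, dependencies: {} };
      for (const s of specifiers) bySpecifier.set(s, current);
      inDeps = false;
      continue;
    }
    if (!current) continue;
    const body = line.trim();
    const indent = line.length - line.trimStart().length;
    if (indent === 2) {
      inDeps = body === "dependencies:" || body === "optionalDependencies:";
      const m = body.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps) {
      const m = body.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return bySpecifier;
}

// Depth-first walk from the root dependencies; every path that ends at
// targetName locked to targetVersion is returned as an array of package names.
function findChains(bySpecifier, rootDependencies, targetName, targetVersion) {
  const chains = [];
  function walk(name, range, path, seen) {
    const entry = bySpecifier.get(`${name}@${range}`);
    if (!entry) return; // missing from the lockfile (e.g. not installed or stale lockfile)
    const nextPath = [...path, name];
    if (name === targetName && entry.version === targetVersion) {
      chains.push(nextPath);
      return;
    }
    const key = `${name}@${entry.version}`;
    if (seen.has(key)) return; // guard against dependency cycles
    const nextSeen = new Set(seen).add(key);
    for (const [depName, depRange] of Object.entries(entry.dependencies)) {
      walk(depName, depRange, nextPath, nextSeen);
    }
  }
  for (const [name, range] of Object.entries(rootDependencies)) walk(name, range, [], new Set());
  return chains;
}

// Turn each chain into a nested resolutions key ("a/b/c/minimatch") pinned to fixedRange.
function buildResolutions(chains, fixedRange) {
  const resolutions = {};
  for (const chain of chains) resolutions[chain.join("/")] = fixedRange;
  return resolutions;
}

function demo() {
  const lock = parseYarnLock(SAMPLE_LOCKFILE);
  const vulnerable = findChains(lock, SAMPLE_PACKAGE_JSON.dependencies, "minimatch", "3.0.4");
  const untouched = findChains(lock, SAMPLE_PACKAGE_JSON.dependencies, "minimatch", "5.0.1");
  return { resolutions: buildResolutions(vulnerable, "^3.0.5"), untouched };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` against a real project by replacing the two constructed inputs with the contents of yarn.lock and the dependencies object from package.json; the resolutions object it prints can be pasted into package.json. Only chains that terminate at the vulnerable version produce keys, so the chain through some-linter to minimatch 5.0.1 appears in `untouched` and gets no override. After adding the keys, re-run `yarn install` and confirm in the regenerated yarn.lock that the 3.0.x entry now resolves to the patched release while the 5.x entry is unchanged.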
