I need to update old dependencies for security reasons in a project that uses Yarn, and I would like to know the best way to do this. I have used yarn add package-name@latest and yarn upgrade package-name@latest with the same result: the old version's package definition remains. Is that acceptable? Since I have to update the old version for security reasons, I think the old version should be removed. Is there a command that updates a package to a specific version and removes the old package definition?
The situation you are describing should only arise if you also have transitive dependencies that come from other dependencies.
So you may have another package that depends on acorn at a lower version.
If this is not the case, I would try:
yarn upgrade package-name --latest
To update all packages to the latest versions, I recommend:
yarn upgrade-interactive --latest
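To confirm whether a leftover old version is really pinned by a transitive dependency, as the answer suggests, here is an added shell example (not from the original answer or from Yarn itself) that parses a constructed yarn.lock v1 snippet. The lockfile content, versions, registry URLs and integrity strings are made up for illustration; only the package name acorn comes from the answer.

```shell
#!/bin/sh
# Added example: list every version of a package that a yarn.lock (v1 format)
# actually resolves, and which lock entries still request it. This shows why
# "yarn upgrade" can leave an old version in place: another dependency asks for it.
# The lock content below is constructed; URLs and integrity hashes are placeholders.

LOCKFILE_SAMPLE='# yarn lockfile v1

acorn@^6.0.1:
  version "6.4.2"
  resolved "https://registry.example/acorn/-/acorn-6.4.2.tgz#placeholder"
  integrity sha512-PLACEHOLDER

acorn@^8.8.0:
  version "8.10.0"
  resolved "https://registry.example/acorn/-/acorn-8.10.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

espree@^6.1.2:
  version "6.2.1"
  resolved "https://registry.example/espree/-/espree-6.2.1.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    acorn "^6.0.1"
'

# resolved_versions <package> <lockfile-text>
# Prints the distinct versions the lockfile resolves for <package>, sorted.
resolved_versions() {
  pkg="$1"
  printf '%s\n' "$2" | awk -v pkg="$pkg" '
    # Unindented lines ending in ":" are entry headers, e.g.  acorn@^6.0.1:
    /^[^ ].*:$/ { inblock = ($0 ~ "^\"?" pkg "@") }
    inblock && /^  version "/ { gsub(/"/, "", $2); print $2 }
  ' | sort -u
}

# dependents_requesting <package> <lockfile-text>
# Prints the lock entries whose "dependencies:" section still requests <package>.
dependents_requesting() {
  pkg="$1"
  printf '%s\n' "$2" | awk -v pkg="$pkg" '
    /^[^ ].*:$/ { header = $0; sub(/:$/, "", header) }
    /^    / && $1 == pkg { print header }
  ' | sort -u
}

resolved_versions acorn "$LOCKFILE_SAMPLE"        # 6.4.2 and 8.10.0
dependents_requesting acorn "$LOCKFILE_SAMPLE"    # espree@^6.1.2 keeps 6.x alive
```

Run it against a real lockfile with `resolved_versions acorn "$(cat yarn.lock)"`; an old version that still appears is held by the entries the second function prints, which is what `yarn why acorn` also reports.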