Tags: node.js, yarnpkg, resolution

Resolve only one major version dependency to a specific version in yarn resolutions


We received a vulnerability report for minimatch versions <3.0.5. Now, my project uses minimatch v3 and v5 transitively. I want to force only the major version 3 minimatch to pull in the patched version while keeping the major version 5 pulls the same.

Does anyone know how to go about this? Thanks!

I have tried the following without luck:

  "resolutions": {
    "minimatch": ">=3.0.5"
  }

  "resolutions": {
    "minimatch@3": ">=3.0.5"
  }

  "resolutions": {
    "minimatch@<3.0.4": "3.0.5",
    "minimatch@<5.0.4": "3.0.5"
  }

Solution

  • This, unfortunately, is somewhat like pulling teeth. First of all: did you run yarn set resolution minimatch ">=3.0.5" yet? Because while you may (or more likely may not) have luck with the package.json field, yarn only really respects its own resolutions, and does not consider there to be any equivalence between the two.

    A short rundown of what I mean by this: The resolutions field in package.json is used by the package resolver, not yarn. As in, it will only take effect in your bundler, etc. Yarn will blithely install whatever packages your dependencies ask for at the version asked for, and do nothing more, leaving the rest up to node/webpack/whichever system handles importing packages for you.

    Instead, yarn has a command to set resolutions within your yarn.lock file, which will change what version is installed. yarn set resolution <package> <version> will edit your yarn.lock so that the package is pointed to the version you request. However, this command is... a bit strange.

    So, to solve the problem at hand: What you will likely want to do is to try with just the package name at first, which may work. If you never want a minimatch below 3.0.5, then I would guess that the example at the top of my answer might work. But if not, you will need to try a specific version descriptor. Start with yarn why minimatch to see who depends on it, and at what version. Then you need to take the ones that install <3.0.5, and for each of those cases you should have a descriptor that looks something like minimatch@npm:~3.0.4 or similar. That's the descriptor you want. Use that descriptor in the yarn command:

    yarn set resolution "minimatch@npm:~3.0.4" 3.0.5
    

    Of course, this will set them to specifically v3.0.5, not any other. You can experiment with other version syntax, but I've not been able to get that to work. You'll know it works if your yarn.lock has changed, and the change fits what you told yarn.

    I really wish they'd do it differently, but they don't seem to want to.
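The answer above ends with "you'll know it works if your yarn.lock has changed." The script below is an added example, not part of the original question or answer, that makes that check mechanical: it parses a yarn.lock (both the Yarn 1 dialect, `version "3.0.4"`, and the Yarn 2+/Berry dialect, `version: 3.0.4`), finds every descriptor of a package, and reports which ones still resolve below the patched release for their major line while leaving other majors alone, which is exactly the question's v3-only requirement. The raw descriptors it prints for vulnerable entries (e.g. `minimatch@npm:~3.0.4`) are the ones the answer says to hand to `yarn set resolution`. The two lockfile texts, the function names and the `{ 3: "3.0.5" }` policy map are all constructed for this demo.

```javascript
// Added example (not from the original post): audit a yarn.lock for a package
// whose major-N line must be at or above a patched version, without touching
// other major lines. Works on Yarn 1 and Yarn 2+/Berry lockfile formats.

// Parse "a.b.c" (ignoring any prerelease/build suffix) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// strcmp-style comparison on the numeric triple: <0, 0 or >0.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Split "minimatch@npm:^3.0.4" or "@scope/pkg@^1.0.0" into { name, range }.
// The LAST "@" separates name from range, so scoped package names survive;
// Berry's "npm:" protocol prefix is dropped from the range.
function parseDescriptor(desc) {
  const at = desc.lastIndexOf('@');
  if (at <= 0) return { name: desc, range: '*' };
  return { name: desc.slice(0, at), range: desc.slice(at + 1).replace(/^npm:/, '') };
}

// Return [{ descriptors: [...], version }] for every entry block in a lockfile.
// Blocks are separated by blank lines; the first line holds one or more
// comma-separated descriptors ending in ":" (Berry quotes the whole header,
// Yarn 1 quotes only scoped descriptors, so quotes are stripped per piece).
function parseLockfile(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split('\n').filter((l) => l.trim() !== '');
    if (lines.length === 0 || lines[0].startsWith('#')) continue; // file comments
    const header = lines[0].replace(/:\s*$/, '');
    if (header === '__metadata') continue; // Berry lockfile preamble
    const descriptors = header.split(',').map((d) => d.trim().replace(/^"|"$/g, ''));
    const vm = /^\s+version:?\s+"?([^"\s]+)"?\s*$/m.exec(block); // both dialects
    if (!vm) continue;
    entries.push({ descriptors, version: vm[1] });
  }
  return entries;
}

// fixedByMajor like { 3: "3.0.5" } means "anything resolving to major 3 must be
// >= 3.0.5". Majors not listed (here 5) are reported as "unmanaged", never flagged.
function auditLockfile(text, pkgName, fixedByMajor) {
  const findings = [];
  for (const { descriptors, version } of parseLockfile(text)) {
    const mine = descriptors.filter((d) => parseDescriptor(d).name === pkgName);
    if (mine.length === 0) continue;
    const fixed = fixedByMajor[parseVersion(version)[0]];
    let status = 'unmanaged';
    if (fixed !== undefined) status = compareVersions(version, fixed) < 0 ? 'vulnerable' : 'ok';
    findings.push({ descriptors: mine, version, status });
  }
  return findings;
}

// Constructed Berry-style lockfile: a vulnerable v3 entry reached through two
// descriptors, a v5 entry that must be left alone, and an unrelated package.
const SAMPLE_BERRY_LOCK = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 6
  cacheKey: 8

"brace-expansion@npm:^1.1.7":
  version: 1.1.11
  resolution: "brace-expansion@npm:1.1.11"
  languageName: node
  linkType: hard

"minimatch@npm:^3.0.4, minimatch@npm:~3.0.4":
  version: 3.0.4
  resolution: "minimatch@npm:3.0.4"
  dependencies:
    brace-expansion: "npm:^1.1.7"
  languageName: node
  linkType: hard

"minimatch@npm:^5.0.1":
  version: 5.1.0
  resolution: "minimatch@npm:5.1.0"
  languageName: node
  linkType: hard
`;

// Constructed Yarn 1-style lockfile with the same situation.
const SAMPLE_V1_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


minimatch@^3.0.4:
  version "3.0.4"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz"
  integrity sha512-constructed
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^5.0.1:
  version "5.1.0"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.0.tgz"
  integrity sha512-constructed
`;

for (const f of auditLockfile(SAMPLE_BERRY_LOCK, 'minimatch', { 3: '3.0.5' })) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.descriptors.join(', ')}`);
}
```

Run it against a real lockfile by replacing the sample text with `fs.readFileSync('yarn.lock', 'utf8')`; after applying a resolution, a clean run shows every v3 entry as `ok` and the v5 entry still `unmanaged`, which is the state the question asks for. Because the audit reads the lockfile rather than the `resolutions` field, it also catches the case the answer warns about, where the field was written but yarn did not act on it.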