My application has a vulnerability in a package that has multiple versions ongoing (1.x, 2.x, 3.x). A lot of the packages I use have the latter as a dependency, so updating them one by one is not feasible right now. I would use yarn resolutions, but some have the package as a dependency with version 1.x and others have 2.x. If I force a 2.x resolution, this would probably break the ones using 1.x.
Is there any way to make yarn resolutions support one with multiple versions? Something like:
"resolutions": {
  "foo": "~1.0.5 || ~2.0.5"
}
Otherwise, what options do I have?
You can specify the version/range for each transitive dependency by adding multiple versions in resolutions using the following syntax:
"resolutions": {
  "foo@1.0.0": "1.0.5",
  "foo@2.0.0": "2.0.5",
  "foo@^3.0.0": "3.1.0"
}
This way you can make sure each of your dependencies uses the specific version you want.
Note: This approach also works for NPM overrides.
You can read more about the
Yarn resolutions here - https://yarnpkg.com/configuration/manifest#resolutions
NPM overrides here - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
Hope this helps!