Resources
Selective dependency resolutions
How to update module subdependencies with yarn
Background
A HIGH severity vulnerability was found in the `axios` package during a security scan using Trivy, as shown below:
We ran `yarn why axios` to determine why `axios` is installed and which packages depend on it. The output revealed that `axios` is a dependency of Package A, which is listed under the `dependencies` section of the current project's `package.json`. This means `axios` is indirectly included via Package A.
To address the vulnerability in `axios`, we need to:
1. Upgrade `axios` in Package A, since it directly includes the vulnerable version.
2. Upgrade Package A in the current project to the version that includes the patched `axios`.
3. Verify that both Package A and any direct use of `axios` in the project (if applicable) now rely on the secure, updated version.
This ensures the vulnerability is fully resolved throughout the dependency tree.
Step-by-step guide
In the project A
Upgrade `axios` in Project A, then release a new version of Project A that includes the updated `axios`.
In the current project
1. Upgrade to the latest version of Package A by running:
yarn upgrade A --latest
2. Delete the `/node_modules` folder to ensure a clean install.
3. Reinstall all dependencies by running:
yarn install
4. Verify that both Package A and `axios` have been upgraded in the `yarn.lock` file.
5. Run unit tests to ensure functionality is correct. In `package.json`:
"scripts": {
  ...
  "test": "jest",
  ...
Run the command:
yarn test
6. Build the project to ensure there are no build-time errors. In `package.json`:
"scripts": {
  ...
  "build": "next build",
  ...
Run the command:
yarn build
Make sure both commands complete successfully without any errors.
7. Run Trivy to see if the security issue has been resolved:
trivy fs .