DEV Community

Jen C.

JavaScript package manager - How to upgrade a package and its indirect dependencies using Yarn 1.x

Resources

Trivy

How npm Works

Managing dependencies

yarn upgrade

yarn why

Selective dependency resolutions

How to update module subdependencies with yarn

Upgrade Yarn Package(s)

Background

A HIGH severity vulnerability was found in the axios package during a security scan using Trivy, as shown below:

[Screenshot: Trivy scan output showing the HIGH severity finding in axios]

We ran yarn why axios to determine why axios is installed and which packages depend on it. The output revealed that axios is a dependency of Package A, which is listed under the dependencies section of the current project's package.json. This means axios is indirectly included via Package A.

To address the vulnerability in axios, we need to:

  1. Upgrade axios in Package A, since it directly includes the vulnerable version.

  2. Upgrade Package A in the current project to the version that includes the patched axios.

  3. Verify that both Package A and any direct use of axios in the project (if applicable) now rely on the secure, updated version.

This ensures the vulnerability is fully resolved throughout the dependency tree.

Step-by-step guide

In Package A

Upgrade axios in Package A, then release a new version of Package A that includes the patched axios.

In the current project

1. Upgrade to the latest version of Package A by running:

yarn upgrade A --latest

2. Delete the /node_modules folder to ensure a clean install.

3. Reinstall all dependencies by running:

yarn install

4. Verify that both Package A and axios have been upgraded in the yarn.lock file.

5. Run unit tests to ensure functionality is correct. In package.json:

"scripts": {
    ...
    "test": "jest",
    ...
}

Run the command:

yarn test

6. Build the project to ensure there are no build-time errors. In package.json:

"scripts": {
    ...
    "build": "next build",
    ...
}

Run the command:

yarn build

Make sure both commands complete successfully without any errors.

7. Run Trivy to see if the security issue has been resolved:

trivy fs .
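The two manual checks in this guide, the yarn why lookup in the Background and the yarn.lock verification in step 4, can be automated against the lockfile itself. The script below is an added example written for this article; it is not code from the post, from Yarn or from Trivy. It parses the Yarn 1.x lockfile format, lists every resolved copy of a package, works out which locked packages depend on it (what yarn why reports), and flags any dependent whose copy still resolves below the version that carries the fix. The lockfile text, the package names package-a and package-b (standing in for Package A), the registry URLs and all version numbers are constructed for the example, and the fixed version 1.6.0 is a placeholder threshold, not a real advisory value.

```javascript
// Added example for this article (not code from the post or from Yarn): inspect a Yarn 1.x
// yarn.lock to see who pulls a package in and whether every copy reached the fixed version.
// Everything in SAMPLE_LOCK is constructed: package names, URLs and version numbers.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


axios@^0.21.1:
  version "0.21.1"
  resolved "https://registry.example.invalid/axios/-/axios-0.21.1.tgz"
  integrity sha512-constructed
  dependencies:
    follow-redirects "^1.10.0"

"axios@^1.6.0":
  version "1.6.8"
  resolved "https://registry.example.invalid/axios/-/axios-1.6.8.tgz"
  dependencies:
    follow-redirects "^1.15.6"

follow-redirects@^1.10.0, follow-redirects@^1.15.6:
  version "1.15.6"
  resolved "https://registry.example.invalid/follow-redirects/-/follow-redirects-1.15.6.tgz"

package-a@^2.0.0:
  version "2.0.0"
  resolved "https://registry.example.invalid/package-a/-/package-a-2.0.0.tgz"
  dependencies:
    axios "^0.21.1"

package-b@^1.0.0:
  version "1.0.0"
  resolved "https://registry.example.invalid/package-b/-/package-b-1.0.0.tgz"
  dependencies:
    axios "^1.6.0"
`;

const unquote = (s) => (s.startsWith('"') && s.endsWith('"') ? s.slice(1, -1) : s);
// "name@range" -> "name"; cutting at the last "@" keeps scoped names like "@scope/pkg" intact.
const packageName = (key) => key.slice(0, key.lastIndexOf('@'));

// Minimal parser for the v1 lockfile: top-level "key, key:" headers, two-space indented
// fields, and the dependency list four spaces deep under "dependencies:".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0 && line.endsWith(':')) {
      const ranges = line.slice(0, -1).split(',').map((k) => unquote(k.trim()));
      current = { name: packageName(ranges[0]), ranges, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (!current) {
      continue;
    } else if (indent === 2 && line.startsWith('version ')) {
      current.version = unquote(line.slice('version '.length).trim());
      inDeps = false;
    } else if (indent === 2) {
      inDeps = line === 'dependencies:'; // resolved, integrity, optionalDependencies: skipped
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^("[^"]+"|\S+)\s+"?([^"]+)"?$/);
      if (m) current.dependencies[unquote(m[1])] = m[2];
    }
  }
  return entries;
}

// Every distinct version of `name` the lockfile resolved; more than one means duplicate copies.
function resolvedVersions(entries, name) {
  return [...new Set(entries.filter((e) => e.name === name).map((e) => e.version))];
}

// Reverse lookup, like `yarn why`: who declares `name`, with which range, resolved to what.
function dependentsOf(entries, name) {
  const byRange = new Map();
  for (const e of entries) {
    if (e.name === name) for (const r of e.ranges) byRange.set(r, e.version);
  }
  const out = [];
  for (const e of entries) {
    const range = e.dependencies[name];
    if (range === undefined) continue;
    const key = `${name}@${range}`;
    out.push({ dependent: `${e.name}@${e.version}`, range, resolved: byRange.has(key) ? byRange.get(key) : null });
  }
  return out.sort((a, b) => a.dependent.localeCompare(b.dependent));
}

// Numeric major.minor.patch comparison; pre-release tags are ignored for this check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Dependents whose copy of `name` still resolves below `fixedVersion`: upgrading the
// top-level package alone did not reach these, so they need their own upgrade.
function staleCopies(entries, name, fixedVersion) {
  return dependentsOf(entries, name).filter(
    (d) => d.resolved !== null && compareVersions(d.resolved, fixedVersion) < 0,
  );
}

const lockEntries = parseYarnLock(SAMPLE_LOCK);
console.log('resolved axios versions:', resolvedVersions(lockEntries, 'axios').join(', '));
for (const s of staleCopies(lockEntries, 'axios', '1.6.0')) { // 1.6.0 is a placeholder threshold
  console.log(`still below the fix: ${s.dependent} wants axios@${s.range}, resolved to ${s.resolved}`);
}
```

Run it with node after replacing SAMPLE_LOCK with the contents of your own yarn.lock. A non-empty stale list after yarn install means some dependency still pins a range that resolves to the old version, which is exactly the situation in the Background: the top-level upgrade did not reach that package, and it needs its own release with the patched axios before this project can pick it up.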
