DEV Community

Discussion on: Why I dislike GitHub security alerts? (and how to disable them)

Liran Tal

Chiming in here again, since the nuance is that yarn upgrade or npm upgrade wouldn't impact your nested dependencies. So, for example, if nuxt brings in a vulnerable version of, say, the debug module, doing a yarn upgrade will not upgrade debug. Only if nuxt's own package.json manifest is up to date and brings in a fixed version of debug will upgrading nuxt fix the issue.

I wrote a more elaborate post in the past about making sense of package lockfiles, if it helps: snyk.io/blog/making-sense-of-packa...
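As an added illustration of the point in the comment above (this is not code from the thread, from Snyk, or from nuxt), the script below walks a simplified, constructed lockfile view and reports, for each package that depends on the vulnerable module, whether a fresh resolution inside that package's declared range could ever pick up the fixed release. It assumes only caret, tilde and exact ranges, no pre-release tags, and the version numbers are invented, not real nuxt or debug releases.

```javascript
// Minimal semver matcher: caret, tilde and exact ranges only. This is an
// assumption made to keep the example stand-alone; real npm/yarn use the full
// semver range grammar (no pre-release tags or compound ranges here).
function parseVersion(v) {
  return v.split('.').map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` falls inside the declared `range`.
function satisfies(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!op) return compareVersions(v, base) === 0; // exact pin
  if (compareVersions(v, base) < 0) return false;
  let upper;
  if (op === '^' && base[0] > 0) upper = [base[0] + 1, 0, 0]; // ^1.2.3 -> <2.0.0
  else if (op === '^' && base[1] === 0) upper = [0, 0, base[2] + 1]; // ^0.0.5 -> <0.0.6
  else upper = [base[0], base[1] + 1, 0]; // ~x.y.z and ^0.y.z -> <x.(y+1).0
  return compareVersions(v, upper) < 0;
}

// Constructed, simplified lockfile view: each entry records the locked version
// and the ranges that package declares for its own dependencies. Package
// names follow the thread; the version numbers are invented for illustration.
const lock = {
  nuxt: { version: '2.0.0', dependencies: { debug: '^2.0.0' } },
  'pinned-tool': { version: '1.0.0', dependencies: { debug: '2.5.0' } },
  debug: { version: '2.5.0', dependencies: {} },
};

// For every package that depends on `vulnerable`, report whether a fresh
// resolution inside its declared range could pick `fixedVersion`. If not,
// upgrading that dependent cannot fix anything until its maintainer publishes
// a manifest whose range admits the fixed release.
function transitiveFixPlan(lockfile, vulnerable, fixedVersion) {
  return Object.entries(lockfile)
    .filter(([, entry]) => vulnerable in entry.dependencies)
    .map(([dependent, entry]) => {
      const range = entry.dependencies[vulnerable];
      return { dependent, range, reachable: satisfies(range, fixedVersion) };
    });
}

// Example run (constructed values): a fix released as debug 2.6.0 is inside
// nuxt's ^2.0.0 range but not inside pinned-tool's exact 2.5.0 pin.
for (const r of transitiveFixPlan(lock, 'debug', '2.6.0')) {
  console.log(`${r.dependent} declares debug@${r.range}: ` +
    (r.reachable ? 'refresh the lock to pick up the fix' : 'blocked on an upstream manifest update'));
}
```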