monika kl

Should we scan yarn.lock files inside node_modules for CVEs?

AIM: we are trying to fix CVEs reported in an Angular project (scanned using the Trivy scanner).

Problem: none of the packages mentioned as vulnerable (as per the Trivy report) are direct dependencies (they are not present in package.json), and they are already used at their latest versions, so we are not able to fix these issues.

So, should we really scan yarn.lock files for CVEs? (All the issues reported are from the yarn.lock file.)

PS: if there are any alternatives to fix CVEs (for 2nd-degree dependent packages), suggestions would be helpful.

- tried updating the packages mentioned, but most of them are already at their latest versions.

Any suggestions for a fix would be helpful.
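Since Trivy flags entries in the lockfile rather than in package.json, the useful next step is to trace each flagged package back to the direct dependency that requires it. The following is an added example, not code from the original post; it assumes a Yarn v1 (classic) lockfile and constructs its own sample lockfile and direct-dependency list.

```javascript
// Added example (not the post's own code): parse a Yarn v1 yarn.lock and show
// which direct dependency in package.json pulls in a flagged transitive package.
// Map every "name@range" descriptor in yarn.lock to { version, dependencies }.
function parseYarnLockV1(text) {
  const lock = {};
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) { // entry header line
      cur = { version: null, dependencies: {} };
      for (const k of line.slice(0, -1).split(",")) lock[k.trim().replace(/^"|"$/g, "")] = cur;
    } else if (cur && line.startsWith("  version ")) {
      cur.version = line.trim().split(/\s+/)[1].replace(/^"|"$/g, "");
    } else if (cur && /^ {4}\S/.test(line)) { // `name "range"` under dependencies:
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) cur.dependencies[m[1]] = m[2];
    }
  }
  return lock;
}
// Every chain "direct@ver > ... > target@ver" reachable from package.json deps.
function findDependencyChains(lock, directDeps, target) {
  const chains = [];
  const walk = (name, range, path) => {
    const entry = lock[`${name}@${range}`]; if (!entry) return; // not in lockfile
    const label = `${name}@${entry.version}`; if (path.includes(label)) return; // cycle
    const next = [...path, label];
    if (name === target) { chains.push(next.join(" > ")); return; }
    for (const [dep, r] of Object.entries(entry.dependencies)) walk(dep, r, next);
  };
  for (const [name, range] of Object.entries(directDeps)) walk(name, range, []);
  return chains;
}
// Constructed sample lockfile: two direct deps reach tslib at different versions.
const SAMPLE_LOCK = `# yarn lockfile v1
"@angular/core@~12.0.0":
  version "12.0.5"
  dependencies:
    tslib "^2.1.0"
rxjs@~6.6.0:
  version "6.6.7"
  dependencies:
    tslib "^1.9.0"
tslib@^1.9.0:
  version "1.14.1"
tslib@^2.1.0:
  version "2.3.1"
`;
// Constructed package.json "dependencies" and the package flagged by the scanner.
console.log(findDependencyChains(parseYarnLockV1(SAMPLE_LOCK), { "@angular/core": "~12.0.0", rxjs: "~6.6.0" }, "tslib").join("\n"));
```

Once the chain is known, the fix is either an upgrade of the direct dependency that requires the vulnerable version or, in Yarn classic, a `resolutions` entry in package.json that pins the transitive package to a patched version; rerunning the scanner afterwards confirms whether the lockfile entry actually changed.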