yarn upgrade to fix yarn audit errors

Question

So, as of now, it appears that there is no yarn audit --fix, so I am trying to figure out how to go about fixing my yarn audit errors.

I have tried a yarn upgrade which has fixed some of the errors (which is great), but there are still several remaining.

I then tried a yarn add <package>@latest for the remaining high vulnerabilities, but it upgrades the version in my package.json, when I think the issue is coming from a dependency of a package that I am using.

Here is an example of some of my remaining errors:

┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-stream > glob > minimatch             │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-stream > minimatch                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > glob >     │ │               │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ high          │ Regular Expression Denial of Service                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ minimatch                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=3.0.2                                                      │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch  │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/118                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ moderate      │ Prototype Pollution                                          │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package       │ lodash                                                       │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in    │ >=4.17.11                                                    │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ gulp                                                         │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > lodash     │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info     │ https://nodesecurity.io/advisories/782                       │ └───────────────┴──────────────────────────────────────────────────────────────┘ 

Answer 1

The solution to this problem in yarn is called selective version resolutions which is basically defining resolutions for the transitive dependencies in the package.json.

The transitive dependencies are the dependencies of dependencies.

{    "resolutions": { "**/**/lodash": "^4.17.12" } } 

So here even if the lodash isn't a direct dependency of your package, the dependent package in your package uses the version defined in the resolutions. Specific resolutions can also be provided. More info here.

Answer 2

While resolutions work, it is not the optimal solution, because:

• you clutter your package.json with resolutions of transitive dependencies
• you override the actually required version with what you think will work version. Assume A depends on B@^4.0.0 and you update B and resolve it to ^4.3.2. Some time later A gets an update and requires B@^5.0.0, but you still resolve B to ^4.3.2, which is not compatible anymore.

Here is another way to update transitive dependencies:

1. delete the version of the dependency you want to update from yarn.lock
2. run yarn install

This way you force yarn to resolve the dependency again and in most cases yarn will install a newer version of what you deleted from yarn.lock.

Example: let's assume that you want to update vulnerable [email protected], then you need to delete an entry like this from your yarn.lock:

[email protected]:   version "0.0.8"   resolved "http://10.0.0.1/repository/npm-registry/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"   integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0= 

and then run yarn install.

If this doesn't help:

Try updating dependencies that are higher in the dependency chain:

1. Run yarn why <dependency> to find out which packages pull it
2. Go up the chain and try deleting the upper dependency in the chain from yarn.lock and then running yarn install

Example:

Here is an example, where we update a transitive dependency minimist:

$ yarn why minimist ..... => Found "mkdirp#[email protected]" info This module exists because "eslint#mkdirp" depends on it. => Found "optimist#[email protected]" info This module exists because "jest#jest-cli#@jest#core#@jest#reporters#istanbul-reports#handlebars#optimist" depends on it. ..... 

1. Delete minimist entries from yarn.lock and run yarn install -> this doesn't help, presumably because mkdirp and optimist require exactly [email protected] and [email protected]
2. Delete "direct parents" of minimist from yarn.lock: mkdirp and optimist.
3. Run yarn install.

4. Run yarn why minimist again:

   $ yarn why minimist ..... => Found "mkdirp#[email protected]" info This module exists because "eslint#mkdirp" depends on it. => Found "optimist#[email protected]" info This module exists because "jest#jest-cli#@jest#core#@jest#reporters#istanbul-reports#handlebars#optimist" depends on it. ..... 

   Here we see that [email protected] was updated to [email protected], but [email protected] still exists.

5. Delete the next dependency in the dependency chain from yarn.lock: handlebars

6. Run yarn install
7. Run yarn why minimist - nothing changed, [email protected] is still there.
8. Delete the next dependency in the chain from yarn.lock: istanbul-reports
9. Run yarn install
10. Run yarn why minimist: [email protected] is not there anymore, because istanbul-reports was updated.