npm overrides and pnpm/Yarn resolutions: forcing a transitive dependency version
npm 8.3+, Yarn 1+, pnpm 6+
Problem
A transitive dependency (a dependency of a dependency) has a known security vulnerability or breaking bug, but the direct dependency has not yet released a fix. The vulnerable version is locked in the tree.
Solution
Use the package manager's override mechanism to force the vulnerable transitive dependency to a safe version during resolution.
// npm (v8.3+) — package.json
{
  "overrides": {
    "semver": "^7.5.4",
    "got": { "@octokit/endpoint": "^8.0.0" }
  }
}
// pnpm — package.json
{
  "pnpm": {
    "overrides": { "semver": "^7.5.4" }
  }
}
// Yarn (classic) — package.json
{
  "resolutions": { "**/semver": "^7.5.4" }
}
// Yarn Berry — same 'resolutions' key
Why
Package managers respect overrides/resolutions during dependency graph resolution, replacing the requested version with the specified one. This is a pragmatic escape hatch while waiting for upstream maintainers to release a patched version.
Gotchas
- Overriding to an incompatible version can break the package that originally requested the old version
- Audit the override version's changelog to confirm it is API-compatible
- Remove the override once the direct dependency ships a fix to avoid stale overrides
- npm nested overrides ('got': { '@octokit/endpoint': '...' }) are more precise than flat overrides
Context
Fixing a security vulnerability in a transitive dependency without waiting for upstream