I am using resolutions to fix a vulnerability coming from a nested dependency (@dep/xyz). The nested dependency uses the vulnerable axios 0.21.1. I should upgrade to any compatible version above it.
When I add it to resolutions as shown below, I do not see the nested dependency updated in the yarn.lock file. Please advise.
Below is my package.json file
package.json
{
  "name": "xyz",
  "dependencies": {
    "@dep/xyz": "2.3.4",
    "axios": "^0.21.2"
  },
  "resolutions": {
    "**/**/axios": "^0.21.2"
  }
}
yarn.lock created after running yarn install on the above
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

axios@^0.21.1, axios@^0.21.2:
  version "0.21.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    follow-redirects "^1.14.0"

"@dep/xyz@2.3.4":
  version "2.3.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    "@x/d1" "0.2.2"
    "@y/d2" "0.9.2"
    axios "^0.21.1"