Vulnerability remediation using Yarn resolutions

[rarkins]

Assume that:

• There exists a vulnerability alert for a package thepackage within yarn.lock
• There exists a known fixed minimum version (e.g. 1.8.5)

Can we "resolve" this vulnerability in all cases by simply adding it as a resolutions entry?

And should it be written just like this?

  "resolutions": {
    "thepackage": ">= 1.8.5"
  }

Would the above achieve the following dual aims?

1. Immediately blocking the use of vulnerable < 1.8.5 versions even if some dependencies/sub-dependencies depend on versions in that range
2. Not stopping use of greater/newer versions later once dependencies catch up and exceed this version

@arcanis could you clarify if this is a good approach to vulnerability remediation of transitive Yarn.lock dependencies?

[BYK]

Hi! I can say "yes" to both :)

[rarkins]

Thanks. I guess then the downside of this approach is that potentially this new version (i.e. 1.8.5 in the example) is incompatible with one or more of the downstream packages depending on it in your dependency tree?

[arcanis]

Woops - didn't see that before 🤔

Yes, although there is a potential problem because it'll also force packages that are, for example, ^0.9 to jump to 1.8.5, and it allows Yarn to use 1.8.5 to resolve a range that would be ^2 - causing compatibility issues in both cases. So I'd advise against keeping those entries in the resolutions field for too long (ideally we should have a way to blacklist packages, which is something I think we will have in the 2.x branch, maybe 2.1).