check-dependency-version-consistency
Avoid propagating loose ranges from resolutions during autofix
In resolutions, it's more common to use `>` or `>=` ranges to ensure a dependency is above a particular (especially vulnerable) version.
Example:

`package.json`:

```json
{
  "workspaces": ["*"],
  "resolutions": {
    "foo": ">= 5"
  }
}
```

`package1/package.json`:

```json
{
  "dependencies": {
    "foo": "^4.0.0"
  }
}
```
The autofix will currently change foo's version to `>= 5`, which is likely unsafe/overly-aggressive.
Related: #348
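The following is an added illustration of the problem described in this issue; it is not code from the check-dependency-version-consistency repository and does not reproduce its actual autofix logic. It models the root `package.json` with `resolutions` plus two workspace packages (contents constructed for the example, including a hypothetical `package2`), assumes a simple "pick the candidate with the highest lower bound" selection rule as the autofix, and shows how excluding lower-bound-only ranges that came from `resolutions` changes the result from `>= 5` to a workspace's own caret range. The `isLooseLowerBound` heuristic and the `lowerBound` parser are simplifications made here, not semver-complete.

```javascript
// Added example for this issue (not the check-dependency-version-consistency
// code base). All package.json contents below are constructed.

const rootPackageJson = {
  workspaces: ['*'],
  resolutions: { foo: '>= 5' },
};

const workspacePackageJsons = {
  'package1/package.json': { dependencies: { foo: '^4.0.0' } },
  // Hypothetical second workspace, added so the safe choice has something to pick.
  'package2/package.json': { devDependencies: { foo: '^4.2.0' } },
};

// Heuristic (an assumption of this example, not the tool's rule): a range is a
// "loose lower bound" when it starts with ">" or ">=" and states no upper
// bound. Such a range admits every future major version, so copying it into a
// workspace's dependencies widens what that workspace accepts.
function isLooseLowerBound(range) {
  return /^\s*>=?\s*\d/.test(range) && !range.includes('<');
}

// Lowest version a simple range admits, as [major, minor, patch].
// Simplification: ">5" is treated like ">=5"; unions ("||") are not handled.
function lowerBound(range) {
  const m = range.match(/(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Gather every range declared for `dep` across the root resolutions and the
// workspace dependency sections, remembering where each one came from.
function collectRanges(root, workspaces, dep) {
  const found = [];
  if (root.resolutions && root.resolutions[dep]) {
    found.push({
      source: 'package.json#resolutions',
      range: root.resolutions[dep],
      fromResolutions: true,
    });
  }
  for (const [file, pkg] of Object.entries(workspaces)) {
    for (const section of ['dependencies', 'devDependencies', 'peerDependencies']) {
      if (pkg[section] && pkg[section][dep]) {
        found.push({
          source: `${file}#${section}`,
          range: pkg[section][dep],
          fromResolutions: false,
        });
      }
    }
  }
  return found;
}

// Pick the range an autofix would write into every workspace. The selection
// rule here (highest lower bound wins) is an assumption of this example; it
// yields the outcome the issue reports when `skipLooseResolutions` is false,
// because ">= 5" has a higher lower bound than any ^4.x range. With
// `skipLooseResolutions` true, loose ranges from resolutions are not candidates.
function chooseFixRange(ranges, skipLooseResolutions) {
  const candidates = ranges.filter(
    (r) => !(skipLooseResolutions && r.fromResolutions && isLooseLowerBound(r.range)),
  );
  if (candidates.length === 0) return null;
  return candidates.reduce((best, r) =>
    compareVersions(lowerBound(r.range), lowerBound(best.range)) > 0 ? r : best,
  ).range;
}

const fooRanges = collectRanges(rootPackageJson, workspacePackageJsons, 'foo');
console.log('propagating resolutions as-is would write:', chooseFixRange(fooRanges, false));
console.log('skipping loose resolution ranges would write:', chooseFixRange(fooRanges, true));
```

Run with `node` and the first line prints `>= 5`, the second `^4.2.0`. The point of the filter is narrow on purpose: a resolution like `>=5 <6` still has an upper bound and remains a candidate; only a bare `>` / `>=` lower bound from `resolutions` is kept out of the set of versions the autofix is willing to copy into workspaces.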