check-dependency-version-consistency

Avoid propagating loose ranges from resolutions during autofix

Open bmish opened this issue 2 years ago • 0 comments

In resolutions, it's more common to use > or >= ranges to ensure a dependency is above a particular (especially vulnerable) version.

Example:

package.json:

{
  "workspaces": ["*"],
  "resolutions": {
    "foo": ">= 5"
  }
}

package1/package.json:

{
  "dependencies": {
    "foo": "^4.0.0"
  }
}

The autofix will currently change foo's version to >= 5, which is likely unsafe/overly-aggressive.

Related: #348

bmish, Mar 27 '22 17:03