Developers trying to upgrade / remove vulnerable dependencies from their applications may find themselves needing to update a transitive dependency, or a dependency that is not directly mentioned in their application’s manifest file. Here is a quick primer on updating transitive dependencies across some of Tidelift’s supported platforms.
Scenario
Imagine your project relies on astral_adapter:1.0.0 which has the following dependency chain and release requirements, and you want to upgrade the transitive dependency bionic_builder to version 2.0.0.
Dependency chain
astral_adapter:1.0.0 (direct dependency)
└ bionic_builder:1.0.0
└ cosmic_cybercore:1.0.0 (⚠️ violation)
└ dimensional_downloader:1.0.0
Release requirements
astral_adapter:1.0.0 requires bionic_builder >= 1.0.0
bionic_builder:1.0.0 requires cosmic_cybercore = 1.0.0
cosmic_cybercore:1.0.0 requires dimensional_downloader >= 1.0.0Python
Upgrade bionic_builder by executing the command:
pip install bionic_builder==2.0.0
See the official pip docs for more details.
NPM
There are a few strategies to use here, which work in different scenarios. NPM allows a project to use multiple versions of the same package, but it will try to resist that if there are overlapping requirements that can be met by the same version.
Use the following command to view the current usage at any given time. This will be helpful to know if the upgrade attempts were successful.
npm explain bionic_builder
Update command
The strategy you should try first is the easiest, simply call the update command:
npm update bionic_builder
Check the explain to see if this worked for your situation. If not, move to the next strategy.
Overrides
Define `overrides` in your `package.json`. This allows you fine-grained control over what versions of dependencies are used in your project, even scoping it to particular dependency chains. Overrides are powerful and can potentially allow you to use versions that do not meet the requirements of the parent package. To avoid this, always verify the changes after applying overrides. For more details on how to use overrides and scope them to specific dependency chains, refer to the official npm override documentation.
{
"overrides": {
"bionic_builder": "2.0.0"
}
}
Install as direct dependency
Another common strategy to upgrade a transitive dependency is to install the desired release as a direct dependency. If the transitive dependency's requirements match the direct dependency, NPM will "hoist" the transitive dependency, effectively upgrading the transitive dependency.
npm install bionic_builder@2.0.0
If you no longer wish for it to be a direct dependency, you can uninstall the package using npm uninstall bionic_builder. This often leaves the transitive dependency at the new, upgraded version. Use npm explain bionic_builder to confirm the changes that have occurred.
See the Official npm docs for more details.
Yarn v1
Upgrade bionic_builder by executing the command:
yarn upgrade bionic_builder
Or define `resolutions` in your `package.json`. :
{
"dependencies": {
},
"resolutions": {
"bionic_builder": "2.0.0"
}
}
See the Official yarn docs for more details.
Ruby (Rubygems)
Upgrade bionic_builder by executing the command:
bundle update bionic_builder
See the official bundler docs for more details.