Updating transitive dependencies

Developers trying to upgrade / remove vulnerable dependencies from their applications may find themselves needing to update a transitive dependency, or a dependency that is not directly mentioned in their application’s manifest file. Here is a quick primer on updating transitive dependencies across some of Tidelift’s supported platforms.

Scenario

Imagine your project relies on astral_adapter:1.0.0 which has the following dependency chain and release requirements, and you want to upgrade the transitive dependency bionic_builder to version 2.0.0.

Dependency chain

astral_adapter:1.0.0 (direct dependency)
└ bionic_builder:1.0.0
  └ cosmic_cybercore:1.0.0 (⚠️ violation)
    └ dimensional_downloader:1.0.0

Release requirements

astral_adapter:1.0.0 requires bionic_builder >= 1.0.0
bionic_builder:1.0.0 requires cosmic_cybercore = 1.0.0
cosmic_cybercore:1.0.0 requires dimensional_downloader >= 1.0.0

NPM

There are a few strategies to use here, which work in different scenarios. NPM allows a project to use multiple versions of the same package, but it will try to resist that if there are overlapping requirements that can be met by the same version.

Use the following command to view the current usage at any given time. This will be helpful to know if the upgrade attempts were successful.

npm explain bionic_builder

Update command

The strategy you should try first is the easiest, simply call the update command:

npm update bionic_builder

Check the explain to see if this worked for your situation. If not, move to the next strategy.

Overrides

Define `overrides` in your `package.json`. This allows you fine-grained control over what versions of dependencies are used in your project, even scoping it to particular dependency chains. Overrides are powerful and can potentially allow you to use versions that do not meet the requirements of the parent package. To avoid this, always verify the changes after applying overrides. For more details on how to use overrides and scope them to specific dependency chains, refer to the official npm override documentation.

  {
    "overrides": {
      "bionic_builder": "2.0.0"
    }
  }

Install as direct dependency

Another common strategy to upgrade a transitive dependency is to install the desired release as a direct dependency. If the transitive dependency's requirements match the direct dependency, NPM will "hoist" the transitive dependency, effectively upgrading the transitive dependency.

npm install bionic_builder@2.0.0

If you no longer wish for it to be a direct dependency, you can uninstall the package using npm uninstall bionic_builder. This often leaves the transitive dependency at the new, upgraded version. Use npm explain bionic_builder to confirm the changes that have occurred.

See the Official npm docs for more details.


Yarn v1

Upgrade bionic_builder by executing the command:

yarn upgrade bionic_builder

Or define `resolutions` in your `package.json`.  :

  {
    "dependencies": {
    },
    "resolutions": {
      "bionic_builder": "2.0.0"
    }
  }

See the Official yarn docs for more details.


Ruby (Rubygems)

Upgrade bionic_builder by executing the command:

bundle update bionic_builder

See the official bundler docs for more details.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section