You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CLAUDE.md
+18-4Lines changed: 18 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -255,22 +255,36 @@ Images added to `.mdx` files in `docs/` should be wrapped in a `<Frame>` compone
255
255
256
256
When fixing a CVE in a transitive dependency, prefer a real top-level upgrade over a forced `resolutions` override.
257
257
258
-
1.**Trace the dependency chain** to find which top-level package in `package.json` brings in the vulnerable transitive dep:
258
+
1.**Trace the dependency chain to a package in your own `package.json`.** Run:
259
259
260
260
```bash
261
261
yarn why <vulnerable-package> --recursive
262
262
```
263
263
264
-
2.**Prefer bumping the top-level dependency**to a version whose transitive tree no longer includes the vulnerable version. This is a real, supported upgrade and avoids forcing a version on a consumer that may not expect it.
264
+
"Top-level" means a package **literally listed in this repo's root or workspace `package.json`**under `dependencies`, `devDependencies`, or `peerDependencies` — not just any ancestor in the chain. If the chain is `vulnerable-pkg → mid-pkg → top-pkg`, do not stop at `mid-pkg`; keep walking until you reach `top-pkg`.
265
265
266
-
3.**Fall back to a `resolutions` override** only if no top-level bump resolves it (no compatible version exists, or it would require a breaking major). Match the existing format in `package.json` and pin with `^`, not `>=`:
266
+
2.**Check whether the existing ranges already allow a patched version.** Often the lockfile is just stale: every `^x.y.z` range in the chain still admits the patched version, but `yarn.lock` was written before that version existed. In that case, refresh the lockfile entry — no `package.json` change, no `resolutions` override:
267
+
268
+
```bash
269
+
yarn up <intermediate-or-vulnerable-pkg>
270
+
# or, to refresh many at once:
271
+
yarn dedupe
272
+
```
273
+
274
+
This is the lightest-weight fix: it doesn't force a version, it just bumps the lock to the latest version that satisfies the constraints already in the tree. Verify with `yarn why <vulnerable-package>` afterward — if every instance is now patched, you're done.
275
+
276
+
3.**If a refresh isn't enough, bump the top-level dependency** to a version whose transitive tree no longer includes the vulnerable version. This is also a real, supported upgrade. Verify the upgrade actually removes the vulnerable version with `yarn why <vulnerable-package>` after running `yarn install`.
277
+
278
+
4.**Fall back to a `resolutions` override** only if neither a refresh nor a top-level bump resolves it (no compatible version exists in the existing ranges, or a top-level upgrade would require a breaking major). Use the **qualified** form keyed to the existing source range (not a bare key, which overrides every requester unnecessarily), and pin with `^`, not `>=`:
267
279
268
280
```json
269
281
"resolutions": {
270
-
"<pkg>@npm:<existing-range>": "^<patched>"
282
+
"<pkg>@npm:<existing-source-range>": "^<patched>"
271
283
}
272
284
```
273
285
286
+
The `<existing-source-range>` is whatever range is currently requesting the vulnerable version (find it in `yarn.lock`, e.g. `^2.8.3`). Avoid the bare-key form `"<pkg>": "^x.y.z"`.
287
+
274
288
### Branch naming for CVE fixes
275
289
276
290
Use a **package-keyed** branch name, not a CVE-keyed one:
0 commit comments