I have a react project with a dependency on [email protected]. Snyk flags a transitive vulnerability issue with [email protected] so I’ve added a yarn resolution to get the correct version. However, it seems to be getting ignored. How can I force yarn to load the 2.0.4 version of loader-utils?
I’ve tried this resolution format:
"resolutions": {
  "**/browserify-sign": "4.2.3",
  "**/@babel/traverse":"7.25.3",
  "**/decode-uri-component":"0.2.2",
  "**/nth-check":"2.0.1",
  "**/semver":"7.5.2",
  "**/ws":"7.5.10",
  "**/follow-redirects":"1.15.6",
  "**/elliptic": "6.5.7",
  "**/loader-utils":"2.0.4",
  "**/minimist":"1.2.6"
}
And this resolution format:
"resolutions": {
  "**/browserify-sign": "4.2.3",
  "**/@babel/traverse":"7.25.3",
  "**/decode-uri-component":"0.2.2",
  "**/nth-check":"2.0.1",
  "**/semver":"7.5.2",
  "**/ws":"7.5.10",
  "**/follow-redirects":"1.15.6",
  "**/elliptic": "6.5.7",
  "**/[email protected]":"2.0.4",
  "**/minimist":"1.2.6",
  "**/[email protected]": "1.4.1"
}
npm ls loader-utils provides this:
└─┬ [email protected] -> .applicationsmy-app
  ├─┬ [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected] deduped
  ├─┬ [email protected]
  │ └── [email protected] deduped
  ├─┬ [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ ├─┬ @pmmmwh/[email protected]
  │ │ └── [email protected]
  │ ├─┬ @svgr/[email protected]
  │ │ └── [email protected] deduped
  │ ├─┬ [email protected]
  │ │ └── [email protected]
  │ └─┬ [email protected]
  │   ├─┬ [email protected]
  │   │ └── [email protected] deduped
  │   └── [email protected] deduped
  └─┬ [email protected]
    └── [email protected] deduped
The resolutions are all in a parent package.json file.
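
One way to check whether each `resolutions` pin took effect is to compare it with the versions recorded in `yarn.lock`. The following is an added example, not part of the original post: it assumes a Yarn classic (v1) lockfile, and the sample lockfile text and the function names `lockedVersions` and `unresolvedPins` are constructed for illustration.

```javascript
// Constructed sample in Yarn classic (v1) lockfile format, not from the original post.
const SAMPLE_LOCK = `# yarn lockfile v1

"@babel/traverse@^7.7.0":
  version "7.25.3"

loader-utils@^1.4.0:
  version "1.4.0"

loader-utils@^2.0.0, loader-utils@^2.0.4:
  version "2.0.4"
  dependencies:
    json5 "^2.1.2"
`;

// Map each package name to the set of versions the lockfile pins for it.
function lockedVersions(lockText) {
  const versions = new Map();
  let names = [];
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#]/.test(line) && line.endsWith(":")) {
      // Entry header: comma-separated "name@range" specifiers, optionally quoted.
      names = line.slice(0, -1).split(",").map((spec) => {
        const s = spec.trim().replace(/^"|"$/g, "");
        return s.slice(0, s.lastIndexOf("@")); // keeps the leading @ of scoped names
      });
      continue;
    }
    const m = /^  version "(.+)"$/.exec(line);
    if (!m) continue;
    for (const name of names) {
      if (!versions.has(name)) versions.set(name, new Set());
      versions.get(name).add(m[1]);
    }
  }
  return versions;
}

// List "resolutions" pins that the lockfile does not fully honour.
function unresolvedPins(resolutions, lockText) {
  const locked = lockedVersions(lockText);
  const findings = [];
  for (const [pattern, wanted] of Object.entries(resolutions)) {
    const name = pattern.replace(/^\*\*\//, ""); // "**/pkg" -> "pkg"
    const stale = [...(locked.get(name) || [])].filter((v) => v !== wanted).sort();
    if (stale.length) findings.push({ name, wanted, found: stale });
  }
  return findings;
}
```

Against a real project, pass the contents of `yarn.lock` and the `resolutions` object from `package.json`; any entry returned names a package that still has a version other than the pinned one in the lockfile.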