How can I upgrade ansi-html from 0.0.7 to 0.0.8?


I have a Maven application which uses ReactJS for the front-end and it is using ansi-html:0.0.7 currently. This led to a vulnerability alert by GitHub Dependabot and it asks me to upgrade to version @^0.0.8.

Usually when I need to upgrade something, I go to the yarn.lock file, delete the respective block of configuration and run yarn install/build again, which installs the latest version of the dependency.

However, in this case, it is only re-installing 0.0.7 and not 0.0.8 or higher. I even tried adding the package "ansi-html":"0.0.8" in package.json file and reinstalled everything. Still, no luck.

How can I fix this?

Thanks in advance.


There are 1 best solutions below


I know this is an old question, but I am going to add an answer anyway for general knowledge.

From what I understood from the question, ansi-html is a sub-dependency of another dependency in your application. Before forcing a new version of a sub-dependency you need to know what package uses this dependency. You can do that by running:

yarn why <package name>

The output will tell you which package in the project uses that dependency. If that package has a new version then upgrade to it. If that doesn't work, you can force the affected package to use a newer version of it by adding it to the resolutions section of the package.json file:

"resolutions": {
    "<package name>": "<version number>"
}

Then try to do a full yarn install or npm install.

I don't like this approach and I only use it as a last resort, because if you do any upgrades in the future, it will force sub-dependencies to always download the versions of the resolution section and it could cause issues in the future. So please use it when there is no other solution.
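To confirm that the steps in the answer above actually changed what is locked, the following added example (not part of the original answer) reads a yarn.lock v1 file, lists locked copies of a package older than the fixed version, and shows which entries request it. The lockfile excerpt is constructed and "example-dev-server" is a made-up parent package; the version compare assumes plain x.y.z versions.

```javascript
// Constructed yarn.lock (v1) excerpt; "example-dev-server" is a made-up parent.
const SAMPLE_LOCK = `# yarn lockfile v1

ansi-html@0.0.7:
  version "0.0.7"

"example-dev-server@^3.11.0":
  version "3.11.3"
  dependencies:
    ansi-html "0.0.7"
`;

// Parse yarn.lock v1 text into [{ name, version, deps: Map(name -> range) }].
function parseLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const spec = line.replace(/:$/, '').split(',')[0].trim().replace(/"/g, '');
      cur = { name: spec.slice(0, spec.lastIndexOf('@')), version: null, deps: new Map() };
      entries.push(cur);
      inDeps = false;
    } else if (/^ {2}\S/.test(line)) {
      const m = line.match(/^ {2}version "(.+)"$/);
      if (m) cur.version = m[1];
      inDeps = /^ {2}(optionalD|d)ependencies:$/.test(line);
    } else if (inDeps) {
      const m = line.match(/^ {4}"?([^"\s]+)"? "?([^"]+)"?$/);
      if (m) cur.deps.set(m[1], m[2]);
    }
  }
  return entries;
}

// Numeric compare of plain x.y.z versions: true when a < b.
function isBelow(a, b) {
  const [x, y] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Locked copies of `pkg` older than `fixed`, and the entries that request `pkg`.
function audit(text, pkg, fixed) {
  const entries = parseLock(text);
  const outdated = entries.filter(e => e.name === pkg && e.version && isBelow(e.version, fixed)).map(e => e.version);
  const requiredBy = entries.filter(e => e.deps.has(pkg)).map(e => `${e.name} -> ${pkg}@${e.deps.get(pkg)}`);
  return { outdated, requiredBy };
}

console.log(audit(SAMPLE_LOCK, 'ansi-html', '0.0.8'));
```

An exact range such as "0.0.7" in requiredBy explains why deleting the lockfile block reinstalls the same version: the parent pins it, so only a parent upgrade or a resolutions entry changes the result.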