Jenkins Buildmaster Dependency-Track does not react to Yarn Resolutions


We are using Jenkins Dependency-Track and it's reporting that we have vulnerable dependencies. Many of these come from deep sub-dependencies of our packages, so we do not have the option of upgrading the packages directly. It seems like the correct solution here is to use Yarn resolutions in order to globally pin updated versions of the vulnerable dependencies. Doing this correctly sets the version numbers in our yarn.lock; however, the vulnerability report remains unchanged.

Does anyone know what the problem could be? We are using Yarn v2.

Best answer:

This was happening because our main project has a sub-project with its own package.json that is used for QA purposes. Its dependencies were not being shown when doing yarn why <dep>, which gave the false impression that everything was updated.