thiagoelg commented on PR #3663: URL: https://github.com/apache/incubator-kie-tools/pull/3663#issuecomment-4992862130
> The direct consumers (ajv) are already at their latest versions. Great! > The vulnerability is in a transitive dep whose version range in ajv happens to permit both safe and unsafe versions. Which means we can update the transitive dependency to the safe version without overriding. > The override pins it firmly to 3.1.3 across all consumers regardless of how pnpm resolves the range in the future. Dependencies can't be easily downgraded once updated in the lockfile. Overriding is not necessary. As I said, overriding is a last-resort solution. To update fast-uri locally, I did: ```shell pnpm update -r fast-uri pnpm dedupe pnpm prune ``` The last two commands help reduce the noise generated and keep dependency versions consistent across the lockfile. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
