We are using Jenkins Dependency-Track and it's reporting that we have vulnerable dependencies. Many of these come from deep sub-dependencies of our packages, so we do not have the option of upgrading the packages directly. It seems like the correct solution here is to use Yarn resolutions in order to globally pin updated versions of the vulnerable dependencies. Doing this correctly sets the version numbers in our yarn.lock; however, the vulnerability report remains unchanged.
Does anyone know what the problem could be? We are using Yarn v2.
Dependency-Track does not react to Yarn Resolutions (from Jenkins Buildmaster)
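Dependency-Track scores the CycloneDX BOM that the Jenkins plugin uploads, not yarn.lock itself, so a practical first check is whether the BOM that reaches the server actually carries the pinned versions. The script below is an added diagnostic, not code from the post or from Dependency-Track: it parses a Yarn v2 (berry) lockfile and a CycloneDX JSON BOM, confirms that each exact pin in package.json `resolutions` is what the lockfile resolved, and lists every BOM component whose version is not one the lockfile installs. The package names, versions, lockfile and BOM are constructed sample data, and the `resolutions` patterns handled are the plain `name`, `parent/name` and scoped forms only.

```python
"""Check whether a Yarn resolution reaches the BOM that Dependency-Track scores.

Added example; not code from the original post or from Dependency-Track.
"""
import json
import re

# Constructed sample package.json with an exact pin in "resolutions".
PACKAGE_JSON = json.dumps({
    "name": "app",
    "dependencies": {"some-lib": "^1.0.0"},
    "resolutions": {"lodash": "4.17.21"},
})

# Constructed sample of a Yarn v2 (berry) yarn.lock after the pin took effect.
YARN_LOCK = '''\
__metadata:
  version: 6

"lodash@npm:4.17.21, lodash@npm:^4.17.15":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  languageName: node
  linkType: hard

"some-lib@npm:^1.0.0":
  version: 1.2.0
  resolution: "some-lib@npm:1.2.0"
  dependencies:
    lodash: ^4.17.15
  languageName: node
  linkType: hard

"@babel/runtime@npm:^7.0.0":
  version: 7.22.0
  resolution: "@babel/runtime@npm:7.22.0"
  languageName: node
  linkType: hard
'''

# Constructed CycloneDX BOM that still lists the pre-resolution lodash.
BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "some-lib", "version": "1.2.0",
         "purl": "pkg:npm/some-lib@1.2.0"},
        {"type": "library", "group": "@babel", "name": "runtime",
         "version": "7.22.0", "purl": "pkg:npm/%40babel/runtime@7.22.0"},
    ],
})


def parse_yarn_lock(text):
    """Map package name -> set of resolved versions from a Yarn berry lockfile.

    Minimal line parser: an unindented line ending in ':' opens an entry whose
    key is a comma-separated list of descriptors; the two-space-indented
    'version:' line that follows gives the resolved version.
    """
    versions = {}
    names = []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            key = line[:-1].strip('"')
            if key == "__metadata":
                names = []  # header block, not a package
                continue
            # "@scope/name@npm:range" -> rsplit on the last '@' keeps the scope
            names = sorted({d.strip().rsplit("@", 1)[0] for d in key.split(",")})
        elif names and line.startswith("  version:"):
            ver = line.split(":", 1)[1].strip().strip('"')
            for n in names:
                versions.setdefault(n, set()).add(ver)
    return versions


def parse_bom(text):
    """Map package name -> version for every component in a CycloneDX JSON BOM."""
    out = {}
    for c in json.loads(text).get("components", []):
        name = c["name"] if "group" not in c else f'{c["group"]}/{c["name"]}'
        out[name] = c.get("version")
    return out


def check_resolutions_applied(package_json, lock_text):
    """For each pin in package.json 'resolutions', report what yarn.lock resolved."""
    pins = json.loads(package_json).get("resolutions", {})
    lock = parse_yarn_lock(lock_text)
    result = {}
    for pattern, pinned in pins.items():
        # Keep the trailing "@scope/name" or "name" of a "parent/child" pattern
        # (assumption: plain, parent-prefixed and scoped patterns only).
        name = re.search(r"(@[^/]+/[^/]+|[^/]+)$", pattern).group(1)
        result[pattern] = {"pinned": pinned, "locked": sorted(lock.get(name, []))}
    return result


def compare_lock_to_bom(lock_text, bom_text):
    """Return [(name, lockfile versions, BOM version)] for each BOM component whose
    version is not one yarn.lock resolves; non-empty means Dependency-Track is
    scoring something other than what the lockfile installs."""
    lock = parse_yarn_lock(lock_text)
    mismatches = []
    for name, bom_ver in parse_bom(bom_text).items():
        locked = lock.get(name, set())
        if bom_ver not in locked:
            mismatches.append((name, sorted(locked), bom_ver))
    return mismatches


if __name__ == "__main__":
    print(check_resolutions_applied(PACKAGE_JSON, YARN_LOCK))
    for name, locked, bom_ver in compare_lock_to_bom(YARN_LOCK, BOM_JSON):
        print(f"{name}: yarn.lock resolves {locked}, BOM still says {bom_ver}")
```

Run it against the real yarn.lock and the BOM file the Jenkins job uploads (the plugin's artifact, or a BOM regenerated in the same workspace); if the BOM still names the old versions while the lockfile is pinned, the place to look is how and when the BOM is generated in the job, not the resolution itself.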