Dependabot doesn't provide transitive dependency version #32317

cah-ken · 2022-09-08T14:45:06Z

cah-ken
Sep 8, 2022

Hi,

In a dependabot alert, if it is unable to update a dependency due to a transitive dependency restriction, a message like the following will be displayed:

1.2.6 is the version on minimist where the vulnerability is fixed, however it doesn't mention what versions of mkdirp or build-angular are needed in order to remove the constraint. Is there a way, either in or outside dependabot, to determine the versions needed to fix the issue? I've looked all over but I've been unable to find a place that lists dependencies by version.

Thanks,
Ken

Answered by cah-ken

Sep 8, 2022

I've found a solution.

Use the following command to list the versions of a package: npm view @angular-devkit/build-angular versions
Run the following command, incrementing the version, until you find the version that no longer uses the vulnerable package: npx npm-remote-ls @angular-devkit/build-angular@12.2.14 | findstr ' minimist@'

View full answer

cah-ken · 2022-09-08T16:00:39Z

cah-ken
Sep 8, 2022
Author

I've found a solution.

Use the following command to list the versions of a package: npm view @angular-devkit/build-angular versions
Run the following command, incrementing the version, until you find the version that no longer uses the vulnerable package: npx npm-remote-ls @angular-devkit/build-angular@12.2.14 | findstr ' minimist@'

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Dependabot doesn't provide transitive dependency version #32317

{{title}}

Replies: 1 comment 2 replies

{{title}}

Select a reply

GitHub Community

Dependabot doesn't provide transitive dependency version #32317

cah-ken Sep 8, 2022

Replies: 1 comment · 2 replies

cah-ken Sep 8, 2022 Author

cah-ken
Sep 8, 2022

Replies: 1 comment 2 replies

cah-ken
Sep 8, 2022
Author