How to upgrade indirect dependencies?

[chinesedfan]

Do you want to request a feature or report a bug?

Feature.

What is the current behavior?
yarn upgrade ignores indirect dependencies, so users can't upgrade them in yarn.lock. If I missed something, please tell me.

If the current behavior is a bug, please provide the steps to reproduce.

• Suppose a new empty project, run yarn add is-alphanumerical@1.0.0
  • 2 indirect dependencies, is-alphabetical and is-decimal, will be installed and saved in yarn.lock
  • the latest version of is-alphabetical is 1.0.1 now, if another new version, say 1.0.2 was released(to test, you can release 2 test packages by yourself or modify is-alphabetical to be 1.0.0 in yarn.lock, ** I know modifying yarn.lock directly is not a regular operation**)
• No matter which of following ways, yarn always says All of your dependencies are up to date
  • yarn upgrade is-alphabetical
  • yarn upgrade-interactive
  • yarn upgrade-interactive is-alphabetical

What is the expected behavior?
yarn upgrade also supports indirect dependencies.

Please mention your node.js, yarn and operating system version.
Node 8.9.0
yarn 1.3.2
OSX 10.12.6

[milesj]

@chinesedfan Have you tried yarn upgrade-interactive?

[chinesedfan]

@milesj Yes, it results in the same result and I also updated reproduce steps in issue description.

[rally25rs]

That is because yarn add is-alphanumerical@1.0.0 sets your package.json to exactly version 1.0.0 as you requested.

yarn upgrade respects your package.json semver range, and since you specified exactly version 1.0.0, it won't offer to upgrade to other versions.

You could resolve this a couple ways:

• yarn upgrade --latest will ignore semver range and see what is tagged as latest in the registry.
• change package.json to accept a version range like ^1.0.0 then yarn upgrade (you might have to yarn install first to get it to update the lock file for the changed range)
• explicitly specify a version to upgrade, like yarn upgrade is-alphanumerical@1.0.1 or yarn upgrade is-alphanumerical@^1.0.0

---

Edit:

Sorry, I just noticed there are different package names. alphanumerical and alphabetical look the same at a glance :)

Right, since there is no upgrade for is-alphanumerical, the dependency tree isn't traversed any deeper to handle its transitive dependencies.

You could try adding the --force flag and see if that makes it the subdependencies. Otherwise I think you are right, there isn't an easy way to do that other than yarn remove is-alphanumerical and yarn add is-alphanumerical

[chinesedfan]

@rally25rs Thanks for your reply! I tested 2 more cases.

• yarn upgrade is-alphabetical --force doesn't work, either.
• yarn upgrade is-alphanumerical will upgrade ALL its subdependencies even if it is already latest.
  • But if I just want to upgrade a specified subdependency, that is still not very convenient.

[OneCyrus]

yes, this is a major problem with yarn at the moment. and it's already in discussion at #2394

[rally25rs]

duplicate #2394

[AlexWayfer]

Please, re-open: it's not duplicate.

#2394 describes duplicating of meck-test-bb package (indirect dependency):

I got two copies of meck-test-bb

This issue describes just ability to upgrade indirect dependency (somehow).

[chinesedfan]

@rally25rs Forgive me to ping.

[AlexWayfer]

@rally25rs, please, you've closed both non-duplicating issues, it's wrong. Give us ability to upgrade indirect dependencies, please!

[rally25rs]

Sorry, there was some confusion over on the other issue. I originally thought 2394 was asking for a way to upgrade a transitive dep using a --deep flag, or something like that, so I had marked this issue as a duplicate of that. Later on after re-reading 2394 I think it was about something different, which is not a duplicate of this like I originally thought.

[alex-thewsey-ibm]

+1 for this feature request. Also an example for anybody dumb like me who needs to upgrade a specific indirect dependency manually in the interim:

Given explicit dependency jsonwebtoken has resolved implicit dependency jws^3.0.0 to vulnerablejws=3.1.4: and you need it to instead resolve to patched 3.1.5:

Delete the jws entry e.g. below from yarn.lock, and re-run yarn. The indirect dependency and any affected packages will be updated, without touching other things (on yarn v1.3 at least)

jws@^3.0.0, jws@^3.1.4:
  version "3.1.4"
  resolved "https://registry.npmjs.org/jws/-/jws-3.1.4.tgz#f9e8b9338e8a847277d6444b1464f61880e050a2"
  dependencies:
    base64url "^2.0.0"
    jwa "^1.1.4"
    safe-buffer "^5.0.1"

Edit: Punctuation

[mkutny]

@alex-thewsey-ibm, thanks for the workaround!

Worked on yarn v1.7.

[Subtletree]

ty, worked Yarn 1.9.2

[joelpurra]

Might help to nudge yarn with selective dependency resolutions, even if it's for a single dependency. Thanks to @remolueoend for the hint!
https://yarnpkg.com/lang/en/docs/selective-version-resolutions/

From the docs:

{
  "name": "project",
  "version": "1.0.0",
  "dependencies": {
    "left-pad": "1.0.0",
    "c": "file:../c-1",
    "d2": "file:../d2-1"
  },
  "resolutions": {
    "d2/left-pad": "1.1.1",
    "c/**/left-pad": "1.1.2"
  }
}

[matthewtusker]

If you are using old stable version (e.g. 1.22.x) : I didn't find better solution than : https://medium.com/@ayushya/upgrading-javascript-packages-deep-dependencies-using-yarn-8b5983d5fb6b

This works far better than any of the solutions listed here. yarn up --recursive loader-utils upgrades loader-utils, but has also upgraded a bunch of other stuff, and has still left to disparate versions. Deleting the lines from the lock file and then running yarn install installs a single version.

[pftg]

If you are using old stable version (e.g. 1.22.x) : I didn't find better solution than : https://medium.com/@ayushya/upgrading-javascript-packages-deep-dependencies-using-yarn-8b5983d5fb6b

This works far better than any of the solutions listed here. yarn up --recursive loader-utils upgrades loader-utils, but has also upgraded a bunch of other stuff, and has still left to disparate versions. Deleting the lines from the lock file and then running yarn install installs a single version.

@matthewtusker Here is a script that I used to do the same: #4986 (comment)

[microJ]

If you are using old stable version (e.g. 1.22.x) : I didn't find better solution than : https://medium.com/@ayushya/upgrading-javascript-packages-deep-dependencies-using-yarn-8b5983d5fb6b

work for me.
simply, I want to upgrade react-native@0.63.5, then run yarn remove react-native && yarn add react-native@0.63.5 work for me well

[safydy]

the combination of yarn remove & yarn add did work for me as workaround.

yarn remove myPackage; yarn add myPackage

[jrochkind]

the combination of yarn remove & yarn add

I do not believe that works for indirect dependencies -- dependencies not specifically listed in your package.json. That's what this issue is about, it's in the title, "how to upgrade indirect dependencies."

If it does work for indirect dependencies, please confirm, and what yarn version you are using.

I think this zombie issue has become probably unproductive and incoherent at this point.

[gonadarian]

I use the following "clean" approach (without touching yarn.lock) in such situations.

If, as described in original example, we have:

• yarn add is-alphanumerical@1.0.0
  • installs is-alphabetical v1.0.1

I would do these 3 steps:

1. yarn add is-alphabetical@1.0.2
   • gives duplicated is-alphabetical with both original v1.0.1 & new v1.0.2 in yarn.lock
2. npx yarn-deduplicate
   • deduplicates to only the latest is-alphabetical v1.0.2
3. yarn remove is-alphabetical
   • cleans up package.json
4. profit!

[romainmenke]

We switched the entire release strategy of postcss-preset-env to accommodate yarn but in hindsight I think this was a mistake. We should have left the issue as is as it wasn't ours to fix.

Our current setup :

• build a dependency graph of all parts of postcss-preset-env
• check if any part needs to be released
• release only those parts that don't themselves depend on unreleased parts
• update all downstream dependents with the newly released part's version
• go to step 1

We repeat this until the entire graph has been updated and released.

Obviously a small change in a deeply buried part (e.g. a tokenizer) escalates to ±50 releases of packages that didn't themselves have any code changes.

This in turn creates a lot of noice for our users.

We don't like this solution and ideally we wouldn't have to do stuff like this.

We are only doing this because yarn fails to correctly update transitive dependencies, leading to conflicts when peer dependencies are used.

No other package manager is affected by this issue.

[rjimenezda]

Hey there.

I am in the process of updating a big workspace where there are many vulnerabilities that would be solved trivially by semver.

An example would be, I have a vitest ^1.6.0 installed, which whenever it was added to the repo, resolved a vite dependency to 5.0.8 (vitest 1.6.0 depends on vite ^5.0.0).

I thought removing the dependency and reinstalling it would upgrade to the latest vite, but if you do so the exact same version of the indirect dependency (vite) is installed.

I would expect there to be a simple way to tell yarn to upgrade a dependency and its dependency tree, or at the very least, letting me do a clean install. I even tried removing vitest 1.6.0 from the local cache, to no avail.

If I initialize a different yarn project and install vitest@^1.6.0 it installs the latest compatible vite version, as semver indicates.

Any workarounds? How does yarn decide to install the exact same version even if I removed it from yarn lock and the cache?

[ClementValot]

@rjimenezda Quick idea there for a workaround, you may be able to leverage yarn dedupe

yarn add vite@latest
yarn dedupe
yarn remove vite

Would install the latest vite version, then deduplicate the vite dependency along semver to only keep the latest, then remove the explicit dependency.

Also, have you checked whether somewhere in your project you would have another transitive dependency to vite which prevents upgrading to somthing higher than 5.0.8? yarn why vite should help in that case

[rjimenezda]

@ClementValot that does work! However, on workspaces is kind of a mess, because it updates all vite uses across the monorepo, not just for the one you are currently on, and we wanted to do these updates gradually.

Also, it still feels incredibly convoluted. I'm still kind of baffled that deleting and reinstalling does not recalculate the most updated subdependencies, while on a fresh yarn project it does. I guess it's an optimization, but I can't figure out how to work around it.

Regarding the second one, no, it does not seem like it. There is a dependency in the middle of vitest and vite, which is vite-node, but yarn why doesn't give any hint as of why it would not work.

[rjimenezda]

I think figured out why vite is not upgraded in that particular case. I'll just type it out in case someone is on the same boat as I am.

Since there are several projects in the monorepo that depend on vites => vite-node => vite@^5.0.0, it seems like for yarn a viteˆ5.0.0 must always be resolved the same way. There is no way to say this particular vite^5.0.0 of this particular dependency chain in this workspace should use version X or Y.

That means, if I want to upgrade vite as an indirect dependency in the monorepo (because of vulnerabilities), I must upgrade it across all projects that depend on the same specified range.

I guess this is a very core design choice that probably has heaps of advantages, it's just kind of annoying for our very particular use case.

[robertknight]

I wrote a dumb tool to automate the process of editing yarn.lock to remove the existing resolutions and then re-running yarn install: https://github.com/robertknight/yarn-update-indirect.

npm install yarn-update-indirect
yarn-update-indirect some-transitive-dep