It's 4:30 on a Friday and GitHub hits you with one of these:


How do you make this go away and still get home on time? If GitHub's automated security fixes feels like admitting defeat or errors out on you, Yarn can make it easy.

If Github's vulnerability report looks like this:


And you don't depend on lodash directly (meaning it's a transitive dependency), an easy solution is to add a "resolutions" field to your package.json with the patched version within its semver range. So in this case our package.json would include these lines:

  "resolutions": {
    "lodash": "^4.17.13"

Now if you run yarn, it'll update your yarn.lock file to force every transitive dependency to use the patched version instead. Afterwards, if you push up your new yarn.lock to GitHub, the warning will disappear. 🎉