thiagoelg commented on PR #3663:
URL: 
https://github.com/apache/incubator-kie-tools/pull/3663#issuecomment-4992862130

   > The direct consumers (ajv) are already at their latest versions.
   
   Great!
   
   > The vulnerability is in a transitive dep whose version range in ajv 
happens to permit both safe and unsafe versions.
   
   Which means we can update the transitive dependency to the safe version 
without overriding.
   
   > The override pins it firmly to 3.1.3 across all consumers regardless of 
how pnpm resolves the range in the future.
   
   Dependencies can't be easily downgraded once updated in the lockfile. 
Overriding is not necessary.
   
   As I said, overriding is a last-resort solution.
   
   To update fast-uri locally, I did:
   
   ```shell
   pnpm update -r fast-uri
   pnpm dedupe
   pnpm prune
   ```
   
   The last two commands help reduce the noise generated and keep dependency 
versions consistent across the lockfile.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to