Yarn will avoid updating transitive dependencies if you’re not actively updating the source of the transitive dependency.
This is reasonably well-motivated: say you depend on package `A` which depends on `"B": "^1.0.0"`, and Yarn resolves `B` at `1.0.1` and you later install package `C` which depends on `"B": "^1.0.2"`, `A` says it’s compatible with that version, but it’s still possible for A to be relying on broken behavior in `B 1.0.1` which got fixed in `1.0.2`, so Yarn leaves the original in place instead of updating it, and you just end up with two copies of `B` in your dependency graph; `A` uses the original and `C` uses a new one.
That is broadly preferable for Node-side applications, because it means you can control it by explicitly upgrading `A` or even `A`’s version of `B`, but it never happens implicitly.
To work around it in cases like this, you can `volta install yarn-deduplicate` and then run `yarn-deduplicate` in your repo, and that will usually clear out issues like this as long as
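
To see which packages are in the two-copies state described above, a lockfile can be scanned for names locked at several versions where a single version would satisfy every requested range. This is an added example, not part of the original text and not yarn-deduplicate's own code; the sample lockfile is constructed, and the range check only handles exact versions and caret ranges with major version 1 or higher (an assumption made to keep it dependency-free).

```javascript
// Constructed yarn.lock (v1 format) for the A/B scenario; not from a real repo.
const SAMPLE_LOCK = `# yarn lockfile v1
A@^2.0.0:
  version "2.0.0"
B@^1.0.0:
  version "1.0.1"
B@^1.0.2:
  version "1.0.2"
`;

const parts = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Assumption: only exact versions and caret ranges with major >= 1 are handled.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const v = parts(version), r = parts(range.slice(1));
  return v[0] === r[0] && cmp(v, r) >= 0;
}

// Collect one {name, range, version} record per "name@range" key in the lockfile.
function parseLock(text) {
  const records = [];
  let specs = [];
  for (const line of text.split("\n")) {
    const version = line.match(/^  version "(.+)"$/);
    if (/^[^\s#].*:$/.test(line)) {
      specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
    } else if (version) {
      for (const s of specs) {
        const at = s.lastIndexOf("@"); // last "@" so scoped names (@scope/pkg) stay intact
        records.push({ name: s.slice(0, at), range: s.slice(at + 1), version: version[1] });
      }
    }
  }
  return records;
}

// Report packages locked at several versions where one version satisfies every range.
function findDedupable(text) {
  const byName = new Map();
  for (const r of parseLock(text)) byName.set(r.name, [...(byName.get(r.name) || []), r]);
  const report = [];
  for (const [name, recs] of byName) {
    const versions = [...new Set(recs.map((r) => r.version))].sort((a, b) => cmp(parts(b), parts(a)));
    const collapseTo = versions.find((v) => recs.every((r) => satisfies(v, r.range)));
    if (versions.length > 1 && collapseTo) report.push({ name, versions, collapseTo });
  }
  return report;
}
```

Calling `findDedupable(SAMPLE_LOCK)` reports `B` with a collapse target of `1.0.2`; an entry in this report is a candidate for review, since the older copy is also the one that misses any fix shipped in the newer release.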