From c8313eaa9442856c687ef979eb2a71aea4aa0f9d Mon Sep 17 00:00:00 2001 From: Gordon Messmer Date: Thu, 9 Mar 2023 18:53:24 -0800 Subject: [PATCH 1/2] Provide best-practice guidance for managing yarn.lock In order to ensure that users don't have long-lived security vulnerabilities in their applications, it would be very helpful to provide direct, specific guidance on updating indirect dependencies, which can otherwise remain versioned locked for long periods of time. --- lang/en/docs/cli/upgrade.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lang/en/docs/cli/upgrade.md b/lang/en/docs/cli/upgrade.md index dcf43ae4f..87b39070e 100644 --- a/lang/en/docs/cli/upgrade.md +++ b/lang/en/docs/cli/upgrade.md @@ -93,3 +93,10 @@ Examples: yarn upgrade --scope @angular yarn upgrade -S @angular ``` + +Note: + +Users should be aware that when yarn.lock is present, indirect dependencies +will only be updated by `yarn upgrade` without a package name. In order to +maintain the security of their applications, users should ensure that `yarn +upgrade` is a regular part of their development process. From 2231c860073743cb532b14c0450504152abe2e03 Mon Sep 17 00:00:00 2001 From: Gordon Messmer Date: Sat, 11 Mar 2023 23:12:28 -0800 Subject: [PATCH 2/2] Use the common "note" style. --- lang/en/docs/cli/upgrade.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lang/en/docs/cli/upgrade.md b/lang/en/docs/cli/upgrade.md index 87b39070e..c72e1ac4b 100644 --- a/lang/en/docs/cli/upgrade.md +++ b/lang/en/docs/cli/upgrade.md @@ -94,8 +94,7 @@ yarn upgrade --scope @angular yarn upgrade -S @angular ``` -Note: - +**Note:** Users should be aware that when yarn.lock is present, indirect dependencies will only be updated by `yarn upgrade` without a package name. In order to maintain the security of their applications, users should ensure that `yarn
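Review bot: The added note in the first hunk states that "indirect dependencies will only be updated by `yarn upgrade` without a package name" without saying what `yarn upgrade <package>` does to the lockfile entries of that package's own transitive dependencies, or whether the same holds for the `--latest`, `--pattern` and `--scope` forms shown in the examples directly above it; since this is the security-relevant claim the note exists for, state the precise behaviour (which lockfile entries are re-resolved in each form) rather than the general warning, and consider also saying that a no-argument `yarn upgrade` only re-resolves within the semver ranges in package.json, so it is not on its own a guarantee that a fix outside those ranges is picked up. The opening "Users should be aware that" duplicates the "Note:" label and can be dropped.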
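Review bot: The second hunk replaces `Note:` and the blank line after it with `**Note:**` immediately followed by the paragraph, so in rendered Markdown the bold label becomes the first words of the paragraph ("**Note:** Users should be aware ...") instead of a standalone heading line; if that is the file's common note style this is fine, but if the other notes in lang/en/docs/cli/ keep the label on its own line, the blank line should be retained. The hunk header counts `8,8 +94,7` match removing two lines and adding one, so the diff itself is consistent.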