Support indirect dependency (lockfile) updates for vulnerability alerts #28464
jalaziz started this conversation in Suggest an Idea
Replies: 1 comment 1 reply
That would require some complex logic, because sometimes it doesn't help or isn't possible to do a deep update and you need to pin the transitive dependency explicitly in the
Tell us more.
I know this is not currently supported, but it would be great if Renovate could update indirect dependencies in lock files when a vulnerability alert is triggered against them.

While this can be indirectly handled with lockFileMaintenance, it's a pretty heavy hammer when a targeted update would be better for understanding why the update is important.

In our case, the issue is with the mio dependency that is an indirect dependency for tokio. This tokio issue helps explain why this would be useful.
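Added example, not code from the Renovate project or this discussion: a minimal Cargo.lock reader that answers the question a targeted alert update would answer and a blanket lockFileMaintenance PR does not, namely which locked version of a transitive crate (mio here) is in use and which direct dependencies (tokio here) pull it in. The lockfile and its versions are constructed sample data.

```python
# Added example, not code from the Renovate discussion: a minimal Cargo.lock reader
# that reports a transitive crate's locked version and the direct dependents pulling it in.
import re

# Constructed sample lockfile; crate versions are placeholders, not real releases.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "mio"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "pin-project-lite"
version = "0.2.0"

[[package]]
name = "tokio"
version = "1.36.0"
dependencies = [
 "mio",
 "pin-project-lite 0.2.0",
]
"""


def parse_lock(text: str) -> dict[str, tuple[str, list[str]]]:
    """Map crate name -> (version, [dependency names]). Dependency entries are
    "name", "name version" or "name version (source)"; only the name is kept."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps_m = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        # One entry per line; anchor at line start so the closing quote is not matched.
        deps = re.findall(r'^\s*"([^"\s]+)', deps_m.group(1), re.M) if deps_m else []
        packages[name] = (version, deps)
    return packages


def exposure(text: str, crate: str) -> tuple[str, list[tuple[str, str]]]:
    """Locked version of `crate` plus (name, version) of each direct dependent,
    i.e. the 'why' a targeted alert PR would show and lockFileMaintenance hides."""
    pkgs = parse_lock(text)
    dependents = sorted((n, v) for n, (v, d) in pkgs.items() if crate in d)
    return pkgs[crate][0], dependents
```

Calling `exposure(SAMPLE_LOCK, "mio")` on the sample returns `('0.8.0', [('tokio', '1.36.0')])`, which is the context a reviewer wants in the PR body before deciding whether a deep update is possible or an explicit pin is needed.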