1. Direct Dependencies (Project Packages)

Update the version in package.json from the vulnerable range to the fixed one:

  {
    "dependencies": {
      "axios": "^0.21.1"
    }
  }

becomes

  {
    "dependencies": {
      "axios": "^1.6.0"
    }
  }

then reinstall so the lockfile is updated as well:

  pnpm install

2. Transitive Dependencies (Child Packages)

When a vulnerable package is a dependency of one of your dependencies, use pnpm overrides:

Workflow

  1. Add an override to package.json that forces the fixed version everywhere in the tree:
  {
    "pnpm": {
      "overrides": {
        "semver": "^7.5.4"
      }
    }
  }
  2. Install and update the lockfile:
  pnpm install
  3. Remove the override from package.json (to see whether the parent package now pulls in a fixed version on its own):
  pnpm install
  4. Check whether the vulnerability is gone:
  pnpm audit

If the vulnerability returns → restore the override and keep it

If the audit is clean → you’re done

Checking Vulnerabilities

  pnpm audit                    # see all issues
  pnpm audit --fix              # auto-fix where possible
  pnpm why <package-name>       # see dependency chain

Tips

  • Specific overrides: Use "parent-package>child-package": "version" for surgical fixes
  • Version ranges: Use >= when you only need a minimum version (e.g., "semver": ">=7.5.4")
  • Test after: Always run tests after updating dependencies
  • Review overrides periodically: Parent packages may upgrade deps in newer versions
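As an added example (not code from the original page or from pnpm), the following Node script plays through the transitive-dependency workflow and the "Specific overrides" tip on a constructed dependency graph: it walks the graph the way `pnpm why <package>` does, keeps only the chains whose installed copy is still below the fixed version, and builds either a global override or a surgical "parent>child" override for the "pnpm.overrides" block of package.json. All package names, versions and the graph itself are made up for the example; in practice the same data comes from pnpm-lock.yaml.

```javascript
// Added example: a miniature of `pnpm why` plus override construction, run over
// a constructed dependency graph instead of a real pnpm-lock.yaml.

// Constructed graph: "name@version" -> the packages it depends on.
const SAMPLE_GRAPH = {
  "my-app@1.0.0": ["eslint@8.40.0", "webpack@5.80.0", "semver@7.5.4"],
  "eslint@8.40.0": ["semver@7.3.8"],
  "webpack@5.80.0": ["terser-webpack-plugin@5.3.7"],
  "terser-webpack-plugin@5.3.7": ["semver@7.3.8"],
  "semver@7.3.8": [],
  "semver@7.5.4": [],
};

// Split "name@version" at the last "@" so scoped names like "@scope/pkg@1.0.0" survive.
function splitId(id) {
  const at = id.lastIndexOf("@");
  return { name: id.slice(0, at), version: id.slice(at + 1) };
}

// Numeric comparison of dotted versions; a pre-release suffix ("-beta.1") is ignored.
// Returns negative, 0 or positive like a sort comparator.
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Equivalent of `pnpm why <name>`: every path from the root to an installed copy of `name`.
function findPaths(graph, rootId, targetName) {
  const paths = [];
  const walk = (id, trail) => {
    if (splitId(id).name === targetName && trail.length > 0) {
      paths.push([...trail, id]);
      return;
    }
    for (const dep of graph[id] || []) {
      if (dep === id || trail.includes(dep)) continue; // guard against cycles
      walk(dep, [...trail, id]);
    }
  };
  walk(rootId, []);
  return paths;
}

// Only the paths whose installed copy is older than the version the advisory says is fixed.
function vulnerablePaths(graph, rootId, targetName, fixedVersion) {
  return findPaths(graph, rootId, targetName).filter(
    (p) => compareVersions(splitId(p[p.length - 1]).version, fixedVersion) < 0
  );
}

// Build "pnpm.overrides" entries. Global: one key for the package itself.
// Targeted: one "parent>child" key per direct parent of a vulnerable copy.
function buildOverrides(paths, targetName, fixedRange, targeted = false) {
  if (!targeted) return { [targetName]: fixedRange };
  const overrides = {};
  for (const p of paths) {
    const parent = splitId(p[p.length - 2]).name; // every path has at least root > target
    overrides[`${parent}>${targetName}`] = fixedRange;
  }
  return overrides;
}

// Step 1 of the workflow: a copy of package.json with the overrides merged in.
function withOverrides(pkgJson, overrides) {
  const next = JSON.parse(JSON.stringify(pkgJson));
  next.pnpm = next.pnpm || {};
  next.pnpm.overrides = { ...(next.pnpm.overrides || {}), ...overrides };
  return next;
}

// Step 3 of the workflow: a copy with the named overrides removed, dropping the
// "pnpm" block entirely once nothing else is left in it.
function withoutOverrides(pkgJson, names) {
  const next = JSON.parse(JSON.stringify(pkgJson));
  if (!next.pnpm || !next.pnpm.overrides) return next;
  for (const n of names) delete next.pnpm.overrides[n];
  if (Object.keys(next.pnpm.overrides).length === 0) delete next.pnpm.overrides;
  if (Object.keys(next.pnpm).length === 0) delete next.pnpm;
  return next;
}

// Demo: print the chains that still carry the old copy, then the targeted overrides.
const ROOT = "my-app@1.0.0";
const stillVulnerable = vulnerablePaths(SAMPLE_GRAPH, ROOT, "semver", "7.5.4");
for (const p of stillVulnerable) console.log(p.join(" > "));
console.log(JSON.stringify(buildOverrides(stillVulnerable, "semver", "^7.5.4", true), null, 2));
```

In the constructed graph the root already depends on a fixed semver directly, so only the two copies reached through eslint and terser-webpack-plugin are reported, and the targeted form yields exactly those two "parent>semver" keys; the global form is the single "semver" key shown in the Workflow section. The parent-package logic is deliberately separate from the version comparison so that the same walk can be reused after step 3 to confirm no old copy remains.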

Made by @gatisr

Page last modified: 10:00 12.02.2026.
