# ktor
j
Hello everyone. Do you know if there is a way to override the version of a transitive dependency imported using `npm` on Kotlin JS? Today on Ktor there is a dependency on ws with the version 8.5.0. And this version has a known vulnerability (cf. here). So when exporting a KMP project, this dependency will be explicit on the package.json of the productionLibrary. The vulnerability itself is not a big deal but automated Yarn audits on Web projects are alerting about this vulnerability and I'm looking for a way to either enforce a more recent version or avoid this dependency, as we don't use it.
v
I use `kotlinWrappers.nullWritable` in a project. This has an NPM dependency on `null-writable` `2.0.1`. For a reason I wanted to try with `1.0.5`. I added an NPM dependency on that version and it was indeed used. So maybe try to simply depend on the version you want. Maybe declaration order is relevant.
j
Indeed! It does not remove the dependency on the project kotlin-js-store/yarn.lock but I didn't realise that it overrides the version on the exported package.json. Thanks a lot 🙂