Hello everyone.
Do you know if there is a way to override the version of a transitive dependency imported using npm on Kotlin/JS?
Today Ktor has a dependency on ws version 8.5.0, and this version has a known vulnerability (cf. here).
So when exporting a KMP project, this dependency is explicit in the package.json of the productionLibrary.
The vulnerability itself is not a big deal, but automated Yarn audits on web projects alert about this vulnerability, and I'm looking for a way to either enforce a more recent version or avoid this dependency, as we don't use it.
Vampire
10/31/2024, 9:42 AM
I use kotlinWrappers.nullWritable in a project. This has an NPM dependency on null-writable 2.0.1. For a reason I wanted to try with 1.0.5. I added an NPM dependency on that version and it was indeed used. So maybe try to simply depend on the version you want. Maybe declaration order is relevant.
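An added example (not code from the thread or from Ktor) of where that explicit declaration goes in the module's build.gradle.kts, following the suggestion above. The JS target name, the Ktor artifact and the placeholder versions are assumptions; fill in the patched ws version from the advisory you are tracking.

```kotlin
// build.gradle.kts of the KMP module (added example, not from the thread).
// Assumptions: the JS target is named "js", the Ktor artifact is the JS client,
// and "<patched-ws-version>" / "<ktor-version>" are placeholders to fill in.
kotlin {
    js(IR) {
        browser()
        binaries.library() // the exported package.json is generated for this library build
    }

    sourceSets {
        val jsMain by getting {
            dependencies {
                // Declare the direct npm dependency first: the reply above suggests
                // declaration order may matter when the Kotlin/JS plugin resolves
                // conflicting versions of the same npm package.
                implementation(npm("ws", "<patched-ws-version>"))

                // Ktor transitively pulls in ws 8.5.0; the explicit declaration above
                // is the version that ends up in the generated package.json.
                implementation("io.ktor:ktor-client-js:<ktor-version>")
            }
        }
    }
}
```

After a build, confirm the override took effect by inspecting the generated package.json (typically under build/js/packages/ for the module) rather than kotlin-js-store/yarn.lock, since the lock file still records the transitive 8.5.0 entry even when the exported package pins the newer version.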
JM Vincenti
10/31/2024, 10:01 AM
Indeed! It does not remove the dependency from the project's kotlin-js-store/yarn.lock, but I didn't realise that it overrides the version in the exported package.json. Thanks a lot 🙂