Perform dependency remediation for Yarn Berry
Problem to solve
Relates to: #263358 (closed)
With MR we introduced support for Yarn v2 lock files in Gemnasium, but without remediation.
Remediation for Yarn v1 uses yarn upgrade, which can update a dependency according to its version requirements. Starting from Yarn v2, yarn upgrade has been replaced by yarn up, which does not respect the version requirements and tries to upgrade the dependency to its latest version. For example, if we have "express": "^3.16.10" and execute yarn up express, we end up with "express": "^4.18.2". Judging from the Yarn v2 documentation and this issue, there seem to be no plans to provide something similar to yarn upgrade.
We should be able to support yarn remediation for Yarn v2 and v3 (berry) like we do for Yarn v1 (classic).
Proposal
One way to achieve remediation is to use yarn add --caret, as described here.
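To illustrate the range check that Berry remediation needs, here is an added Python example (not Gemnasium code): it implements caret-range semantics, flags the ^3.16.10 to 4.18.2 jump that yarn up produces, and only builds a yarn add --caret command when the fixed version stays inside the declared range. The package name, the fixed version 3.21.2 and the exact command shape are assumptions, not taken from the issue.

```python
import re

# Constructed values from the issue text: the declared requirement and the
# version that `yarn up` jumps to. Versions are assumed to be plain
# MAJOR.MINOR.PATCH; pre-release tags are not handled here.
DECLARED_REQUIREMENT = "^3.16.10"
YARN_UP_RESULT = "4.18.2"


def parse_version(version):
    """Split 'MAJOR.MINOR.PATCH' (optional leading 'v') into a tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def caret_upper_bound(base):
    """Exclusive upper bound of a caret range: bump the leftmost non-zero component."""
    major, minor, patch = base
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def caret_allows(requirement, candidate):
    """True if `candidate` satisfies a caret requirement such as '^3.16.10'."""
    if not requirement.startswith("^"):
        raise ValueError("only caret requirements are handled in this example")
    base = parse_version(requirement[1:])
    cand = parse_version(candidate)
    return base <= cand < caret_upper_bound(base)


def remediation_command(package, requirement, fixed_version):
    """Return the `yarn add --caret` command that moves `package` to `fixed_version`
    while keeping a caret requirement, or None when the fix lies outside the
    declared range (a breaking upgrade that must not be applied silently).
    The command shape is an assumption for this example."""
    if not caret_allows(requirement, fixed_version):
        return None
    return f"yarn add --caret {package}@{fixed_version}"


if __name__ == "__main__":
    # The jump `yarn up` made in the issue leaves the declared range.
    print(caret_allows(DECLARED_REQUIREMENT, YARN_UP_RESULT))
    # A constructed in-range fix yields a command that preserves the caret.
    print(remediation_command("express", DECLARED_REQUIREMENT, "3.21.2"))
```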
Implementation plan
TBD