dominictarr/rc

latest version of "rc" contains older version of its dependent

sarita-kumari-dev opened this issue · 1 comments

In the yarn.lock file of my application I have "rc": "1.2.8", but the issue is it has a dependent package "strip-json-comments" which takes a very old version of itself.
Its latest one is "3.1.0" and it is taking "2.0.1", which leads to a security defect in the application.

Below is the dependency tree of yarn.lock -
rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
  integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
  dependencies:
    deep-extend "^0.6.0"
    ini "~1.3.0"
    minimist "^1.2.0"
    strip-json-comments "~2.0.1"