I need to upgrade one of the yarn.lock files from the node_modules folder to remove the Raven vulnerabilities issue.
The file path is
src/node_modules/form-data/yarn.lock
I know I can use npm install to install a new package. But is there a way that I can keep the whole package at the current version, but upgrade one file in the package?
You can edit the file directly. Or you can fork the package and update just the file, then publish your fork. But no, there is no way to use npm (and presumably not yarn either) to update a file without updating the package. That is by design. There are big debugging and malware possibilities if you run an npm command and have it report back that you are running version 1.2.3 but in reality you are running version 1.2.3 with one or more files modified.
I'm puzzled a bit by your desire to update a yarn.lock file in a package. yarn.lock files don't affect anything if they're inside node_modules. This is true both for npm and yarn. The yarn.lock file is ignored if it is not in your top-level project. Updating yarn.lock inside node_modules won't do anything to your running code. Perhaps the dependency is listed in your top-level yarn.lock file for your project?
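A triage sketch for the point made in the answer above, added here as an example and not part of the original post: it lists what each yarn.lock nested under node_modules names and checks whether that package is actually present on disk. The function names, the fixture and every version string are constructed, and only yarn v1 lockfile syntax is handled.

```javascript
const fs = require('fs'), os = require('os'), path = require('path');

// Parse yarn v1 lockfile text into [{ name, version }], one row per entry.
function parseYarnLock(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const version = /^ {2}version "([^"]+)"/.exec(line);
    if (/^[^\s#].*:$/.test(line)) {
      const spec = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      entries.push({ name: spec.slice(0, spec.lastIndexOf('@')), version: null });
    } else if (version && entries.length) entries[entries.length - 1].version = version[1];
  }
  return entries;
}
// Collect every yarn.lock below dir (Dirent.isDirectory() is false for symlinks).
function findLockfiles(dir, out = []) {
  for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
    if (ent.isDirectory()) findLockfiles(path.join(dir, ent.name), out);
    else if (ent.name === 'yarn.lock') out.push(path.join(dir, ent.name));
  }
  return out;
}
// Walk up from fromDir the way Node resolves modules; null = not on disk.
function installedVersion(fromDir, name, root) {
  for (let dir = fromDir; ; dir = path.dirname(dir)) {
    const manifest = path.join(dir, 'node_modules', name, 'package.json');
    if (fs.existsSync(manifest)) return JSON.parse(fs.readFileSync(manifest, 'utf8')).version;
    if (dir === root || dir === path.dirname(dir)) return null;
  }
}
// For each entry in a nested lockfile, report what is really installed.
function triage(root) {
  root = path.resolve(root);
  return findLockfiles(path.join(root, 'node_modules')).flatMap((lock) =>
    parseYarnLock(fs.readFileSync(lock, 'utf8')).map((e) => ({
      lock: path.relative(root, lock), ...e,
      installed: installedVersion(path.dirname(lock), e.name, root),
    })));
}
// Constructed fixture: package names and versions are sample values.
function buildFixture() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'locktriage-')), 'node_modules');
  for (const d of ['form-data', 'mime-types']) fs.mkdirSync(path.join(nm, d), { recursive: true });
  fs.writeFileSync(path.join(nm, 'form-data', 'yarn.lock'), '# yarn lockfile v1\n\n' +
    'raven@^1.0.0:\n  version "1.0.0-sample"\n\nmime-types@^2.0.0:\n  version "2.0.0-sample"\n');
  fs.writeFileSync(path.join(nm, 'mime-types', 'package.json'), '{"version":"2.0.1-sample"}');
  return path.dirname(nm);
}
console.table(triage(buildFixture()));
```

A row whose `installed` value is null names a package that exists only as text in the nested lockfile; a non-null value is the version Node would load, which can differ from the one the nested lockfile pins.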