// Bump a transitive dependency to a patched version using pnpm. Use when Dependabot reports a security vulnerability in a transitive dependency and cannot auto-update it, or when the user mentions bumping, upgrading, or patching a transitive dependency.
| name | bump-transitive-dependency |
| description | Bump a transitive dependency to a patched version using pnpm. Use when Dependabot reports a security vulnerability in a transitive dependency and cannot auto-update it, or when the user mentions bumping, upgrading, or patching a transitive dependency. |
pnpm cannot update transitive dependencies directly, so dependabot can't either. This skill works around that limitation by temporarily adding the package as a direct dependency, deduplicating, then removing it.
The user provides at minimum:
markdown-it)Optionally:
14.1.1)>= 13.0.0, < 14.1.1)Run the procedure in both the root project and the example/ directory. The dependency may only exist in one of them. For each location:
pnpm why <package> shows no results, skip that location and note it in the final report.Use --dir to target each location (e.g. pnpm --dir example why <package>), or cd as appropriate.
Check for the dependency:
Run pnpm why <package>. If it isn't found, skip this location.
Verify the vulnerability (if version info was provided): Confirm the currently resolved version falls within the affected range.
Add the package as a direct dependency:
pnpm add <package>
If a specific patched version was provided, pin to at least that version:
pnpm add <package>@^<patched-version>
Deduplicate:
pnpm dedupe
Remove the direct dependency:
pnpm remove <package>
This leaves the bumped transitive resolution in the lockfile.
Verify the fix:
Run pnpm why <package> again to confirm the resolved version is now at or above the patched version.
Report results for both locations, showing before/after versions for each. If the dependency wasn't present in a location, note that explicitly.