This week I ran into something strange: Yarn (classic) kept a package in yarn.lock even though I had removed the last dependency that depended on it. yarn why yielded "error: We couldn't find a match!", which seemed to confirm my assumption that this package shouldn't be in the dependency tree anymore.
Turns out that the root package.json defined a resolution for this package, added to enforce a non-vulnerable version.

Time-consuming lesson: a yarn resolution forces a package to be installed even when nothing else in the dependency tree requires it. If you use resolutions, remember to prune them whenever you remove dependencies!
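One way to catch this before it costs an afternoon is a small check that lists resolutions whose package is no longer depended on by anything. The script below is an added example written for this post, not part of Yarn; it assumes the classic v1 yarn.lock text format, treats a resolution as stale when neither the root package.json nor any lockfile entry lists the package as a dependency, and runs against a constructed package.json / yarn.lock pair embedded inline (the sample names and versions are made up).

```javascript
// Stale-resolution check for Yarn classic (example helper, not part of Yarn).
// Assumption: a resolution is stale when its package name is depended on by
// nothing in the tree, i.e. neither by the root package.json nor by the
// "dependencies:" block of any yarn.lock entry. The lockfile itself still
// contains the pinned package, so "is it in yarn.lock" is not a usable test.

// Constructed sample package.json: "left-pad" was once pulled in transitively;
// the resolution pinning it is now the only thing that still references it.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { express: "^4.18.0" },
  devDependencies: { jest: "^29.0.0" },
  resolutions: {
    "left-pad": "1.3.0",        // stale: nothing depends on left-pad any more
    "**/minimist": "^1.2.6",    // still live: jest's subtree depends on minimist
    "express/debug": "2.6.9",   // still live: express depends on debug
  },
});

// Constructed sample yarn.lock in the classic v1 text format (trimmed).
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"express@^4.18.0":
  version "4.18.2"
  resolved "https://registry.example/express-4.18.2.tgz"
  dependencies:
    debug "2.6.9"

debug@2.6.9:
  version "2.6.9"
  resolved "https://registry.example/debug-2.6.9.tgz"

"jest@^29.0.0":
  version "29.7.0"
  resolved "https://registry.example/jest-29.7.0.tgz"
  dependencies:
    minimist "^1.2.6"

"minimist@^1.2.6":
  version "1.2.8"
  resolved "https://registry.example/minimist-1.2.8.tgz"

left-pad@1.3.0:
  version "1.3.0"
  resolved "https://registry.example/left-pad-1.3.0.tgz"
`;

// Package name named by a resolution key: "left-pad", "**/left-pad" and
// "express/left-pad" all target "left-pad"; scoped names keep their scope.
function resolutionPackageName(key) {
  const segments = key.split("/");
  const last = segments[segments.length - 1];
  const beforeLast = segments[segments.length - 2];
  return beforeLast && beforeLast.startsWith("@") ? `${beforeLast}/${last}` : last;
}

// Names that some yarn.lock v1 entry depends on. Entry headers sit at indent 0,
// entry fields at indent 2, and dependency lines at indent 4 under a
// "dependencies:" or "optionalDependencies:" field.
function lockfileDependencyNames(lockText) {
  const names = new Set();
  let inDepsBlock = false;
  for (const raw of lockText.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) { inDepsBlock = false; continue; } // new entry header
    if (indent === 2) {
      inDepsBlock = line === "dependencies:" || line === "optionalDependencies:";
      continue;
    }
    if (indent >= 4 && inDepsBlock) {
      // Either:  name "range"   or:  "@scope/name" "range"
      const name = line.startsWith('"') ? line.slice(1, line.indexOf('"', 1)) : line.split(/\s+/)[0];
      names.add(name);
    }
  }
  return names;
}

// Resolution keys whose target package nothing in the tree depends on.
function findStaleResolutions(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const dependedOn = lockfileDependencyNames(lockText);
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) dependedOn.add(name);
  }
  return Object.keys(pkg.resolutions || {}).filter(
    (key) => !dependedOn.has(resolutionPackageName(key)),
  );
}

// Run against a real project root, e.g. checkProject(".") from a lint script.
function checkProject(dir) {
  const fs = require("fs");
  const path = require("path");
  return findStaleResolutions(
    fs.readFileSync(path.join(dir, "package.json"), "utf8"),
    fs.readFileSync(path.join(dir, "yarn.lock"), "utf8"),
  );
}

console.log("stale resolutions:", findStaleResolutions(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK));
```

The check is deliberately name-based: "express/debug" counts as live if any entry depends on debug, not only express, so it errs on the side of keeping a resolution. A package that only survives because of a resolution shows up here precisely because nothing lists it as a dependency, which is consistent with the empty yarn why result described above.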