`yarn.lock`, respectively). The lockfile prevents packages from being updated automatically when you deploy (when running `npm install` or `yarn install` on your server). This mechanism helps prevent malicious updates from being installed without you realizing it, but it also means you must keep your packages updated yourself to pick up bug fixes and improvements.

The `ignore-scripts` option in npm or Yarn:

With `yarn outdated` it is possible to see whether your packages are outdated. Another good feature of this package manager is `yarn audit`, which checks installed packages for known security issues. Another good resource is a tool that notifies you when one of your dependencies has a vulnerability, such as GitHub security alerts.
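The two controls described above (a committed lockfile so deployments do not resolve fresh versions, and `ignore-scripts` so install hooks cannot run arbitrary code) are easy to forget on a single project. As an added example, not code from the original article, here is a small POSIX shell pre-install check a CI job can run before `npm ci` or `yarn install`. It assumes the project directory is passed as the first argument and that `ignore-scripts` is enabled through npm's `.npmrc` syntax (`ignore-scripts=true`); the `demo` fixture directories are constructed, not a real project.

```shell
#!/bin/sh
# Added example (not from the original article): verify install hygiene for a
# project directory before running the package manager.
#   $1  path to the project directory
# Exit status 0 when both a lockfile is present and ignore-scripts is enabled.
check_install_hygiene() {
  dir="$1"
  ok=0

  # A lockfile pins exact versions, so a deploy installs what was reviewed
  # rather than whatever newest release matches the semver ranges.
  if [ -f "$dir/package-lock.json" ] || [ -f "$dir/yarn.lock" ]; then
    echo "lockfile: present"
  else
    echo "lockfile: MISSING - installs would resolve fresh versions" >&2
    ok=1
  fi

  # ignore-scripts=true in .npmrc stops preinstall/postinstall hooks from
  # executing during install (npm config syntax; assumed project-level file).
  if grep -qs '^ignore-scripts[[:space:]]*=[[:space:]]*true' "$dir/.npmrc"; then
    echo "ignore-scripts: enabled"
  else
    echo "ignore-scripts: not enabled - install hooks would run" >&2
    ok=1
  fi

  return "$ok"
}

# Constructed fixture (not a real project) to exercise the check offline.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/good" "$tmp/bad"
  : > "$tmp/good/yarn.lock"
  printf 'ignore-scripts=true\n' > "$tmp/good/.npmrc"
  check_install_hygiene "$tmp/good" && echo "good: pass"
  check_install_hygiene "$tmp/bad" || echo "bad: fail (expected)"
  rm -rf "$tmp"
}

demo
```

In a pipeline the check goes immediately before the install step, so a project that drops its lockfile or its `.npmrc` fails the build instead of silently pulling unpinned packages and running their install scripts.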