Given explicit dependency
jsonwebtokenhas resolved implicit dependency
jws=3.1.4: and you need it to instead resolve to patched
jwsentry e.g. below from yarn.lock, and re-run
yarn. The indirect dependency and any affected packages will be updated, without touching other things (on yarn v1.3 at least)
Took me a while to find a good process for this. I needed it to apply a security update to all indirect dependencies. Thank goodness for kind strangers like Alex Thewsey.
This related writeup is also linked in that comment thread.