How can I get a warning-free Node.js build?

Question

When bootstrapping a new Expo project with expo init ..., I see the following warning (among about a dozen others) right off the bat:

warning expo > [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

OK, great. I understand the concern. Then, I go over here and see that, while there are some possible breakages, I went through and verified that none of the calling code seems to run afoul of them. Then, using Yarn resolutions, I add this to my package.json:

  "resolutions": {
    "uuid": "7.0.3",
    ...
  }

Next, I delete node_modules and yarn.lock, and yarn install again, and now I get this warning:

warning Resolution field "[email protected]" is incompatible with requested version "uuid@^3.4.0"

So, essentially, I've traded one warning for another. What I really want here is an error and warning free build. I'm willing to accept responsibility for the breakage I might cause by pinning "incompatible" versions. Or if I could turn these warnings on/off (one by one) somehow, it'd be suboptimal, but I'd probably be fine with that.

I come from a previous life of developing safety-critical systems in C & C++, where we operated under a doctrine of 'warnings are errors waiting to happen; no warnings allowed ever.' I've noticed from looking at many other Node.js projects that many folks working in this ecosystem seem to just say, "Warnings? YOLO!", and I can see why, TBH. When the problematic dependency is a 7 layer deep, transitive dependency (all 7 of which you didn't write, don't "own", and are unlikely to be able to edit/fix, and 6 of which you didn't even explicitly ask for) I can see how it might be easy to say, "Not my problem!" and push onward.

But is it really the case that there's just no hope for a warning free build? I thought resolutions would be the solution to this, and it was helpful for one dependency that was a "compatible" version, but I'm driving myself nuts trying to figure out how to simply get a clean build on an effectively empty (i.e. no code of my own) project. There have to be companies/teams out there with similar desires, so I'm assuming there's some solution I'm not aware of. Does anyone have any hot tips?

I've tried:

• yarn resolutions (as described)
• npm-force-resolutions (seems like an abomination -- it edits your packages-lock.json, requires 'double installing')
• force-resolutions (which looks like just a newer fork of npm-force-resolutions, and has the same issues).
• I've read about NPM v8.3's overrides (and it looks promising, TBH), but Expo's cloud building service uses NPM v8.1, so that's off the table until some nebulous moment in the future.

I just can't believe this an unsolvable problem, or that I'm somehow the first person to try to solve it. Thanks!