Keeping sub-dependencies up to date

Having installed @codemirror/lang-markdown into a project a while ago, and upgraded it a few times since then, I notice that the installed version of @lezer/markdown is still at v1.0.1 rather than the latest v1.0.2.

This makes sense, because @codemirror/lang-markdown only specifies "@lezer/markdown": "^1.0.0" as a dependency, but I wonder what the recommended method should be for keeping these kinds of sub-dependencies updated.

Should we install them independently into the project (i.e. treat @lezer/markdown as a peer dependency), or should @codemirror/lang-markdown have a more specific dependency on the latest version of @lezer/markdown?

npm is, unfortunately, rather dumb about transitive dependencies. When upgrading, killing the package lock and recreating it from scratch is usually the safest, but I guess on very large projects with some dependencies that they want to keep locked, that might be difficult as well.

This particular example was indirectly fixed by needing to import an extension from @lezer/markdown, which made it a direct dependency anyway.

For future reference, I found that npm update @lezer/markdown made the appropriate update to package-lock.json, so that would have been an acceptable solution.
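As an added example (not code from this thread or from the CodeMirror project), the following Node script reads a package-lock.json and reports transitive dependencies whose locked version sits below the newest release that the dependent's declared range would already accept, which is exactly the @lezer/markdown situation above. The lockfile contents, the lang-markdown version and the list of available @lezer/markdown versions are constructed inline so it runs offline.

```javascript
// Added example (not from the forum thread): find transitive dependencies in a
// package-lock.json (lockfileVersion 3 layout) that are locked below the newest
// release their dependent's semver range already allows. Only caret ranges of
// the form ^x.y.z with x >= 1 are handled, matching the thread's
// "@lezer/markdown": "^1.0.0"; ^0.y.z ranges have narrower semantics and are
// out of scope here.

// Constructed lockfile: version numbers are made up for the example.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@codemirror/lang-markdown": "^6.0.0" } },
    "node_modules/@codemirror/lang-markdown": {
      version: "6.0.5",
      dependencies: { "@lezer/markdown": "^1.0.0" },
    },
    "node_modules/@lezer/markdown": { version: "1.0.1" },
  },
};

// Constructed registry snapshot; in practice this comes from `npm view <pkg> versions`.
const available = { "@lezer/markdown": ["1.0.0", "1.0.1", "1.0.2", "2.0.0"] };

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Caret semantics for a base >= 1.0.0: same major version and not older than the base.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only ^ranges are supported here");
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Returns [{ name, dependent, range, locked, newest }] for every transitive
// dependency whose locked version is older than the newest in-range release.
function staleTransitive(lock, available) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project: its direct deps are not transitive
    for (const [name, range] of Object.entries(pkg.dependencies || {})) {
      const locked = lock.packages[`node_modules/${name}`]?.version;
      const inRange = (available[name] || []).filter((v) => satisfiesCaret(range, v));
      const newest = inRange.sort(cmp).at(-1);
      if (locked && newest && cmp(newest, locked) > 0)
        out.push({ name, dependent: path.replace("node_modules/", ""), range, locked, newest });
    }
  }
  return out;
}

console.log(staleTransitive(lock, available));
```

Each reported entry is a candidate for `npm update <name>`, which rewrites the lockfile entry within the range the dependent already declares.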