pkg upgrade ca_root_nss also wants to upgrade other packages in old jail

[CyberCr33p]

I am trying to update only ca_root_nss inside an old jail that still has older packages installed.

pkg -j php72 upgrade ca_root_nss

Updating CretaForce repository catalogue...
CretaForce repository is up to date.
All repositories are up to date.
The following 7 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        libssh2: 1.11.1,3 [CretaForce]

Installed packages to be UPGRADED:
        ca_root_nss: 3.115_3 -> 3.124 [CretaForce]
        curl: 7.74.0 -> 8.20.0 [CretaForce]
        libargon2: 20190702 -> 20190702_1 [CretaForce]
        libiconv: 1.16 -> 1.18_1 [CretaForce]
        pcre: 8.44 -> 8.45_4 [CretaForce]
        unixODBC: 2.3.9 -> 2.3.12_2 [CretaForce]

Number of packages to be installed: 1
Number of packages to be upgraded: 6

This jail has intentionally old packages, so I would like to avoid upgrading unrelated packages.

Is there a safe way to upgrade only ca_root_nss in this kind of old jail while leaving the rest of the package set untouched? Maybe lock the other packages?

 

[SirDice]

Curl used to have a dependency on ca_root_nss, that's why it is getting upgraded too. The others are dependencies of curl (which need to be updated if curl itself is updated).

 

[Charlie_]

$ pkg fetch -y ca_root_nss
$ pkg delete -fy ca_root_nss
$ pkg add /var/cache/pkg/ca_root_nss-3.124.pkg