Fix example transitive vulnerability for NPM without force resolutions
If you encounter problems using the NPM force-resolutions package, you can use this alternative method to fix transitive vulnerabilities in NPM projects.

Before you begin:

- Run a Veracode SCA agent-based scan or run the `npm install` command to install dependencies. These actions result in a `node_modules` folder and a `package-lock.json` file appearing in your project.
- Use NPM version 3.10.4 or later.
To complete this task:

- Run the `npm shrinkwrap` command in the same directory as your `package.json` file. This command generates an `npm-shrinkwrap.json` file listing all the dependencies currently in use.
- Find the `cookie-signature` library with the version specified in the issue details viewed previously. In this example, version 1.0.3 is vulnerable and the recommended version is 1.0.4.
- Edit the `npm-shrinkwrap.json` file to update the `cookie-signature` library:

  ```json
  "cookie-signature": {
    "version": "1.0.4",
    "from": "cookie-signature@1.0.4",
    "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.4.tgz"
  }
  ```

- Delete the `node_modules` folder.
- Run the `npm install` command to download the updated dependency and ensure the updated version works with your project.