Skip to main content

Fix example transitive vulnerability for Yarn earlier than 1.0

Because Yarn projects allow for multiple versions of the same library, you cannot override a vulnerable library by adding the appropriate version directly to the configuration file.

These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript-yarn repository.

To complete this task:

  1. Run this command to install cookie-signature library 1.0.4:

    yarn add cookie-signature@1.0.4
  2. Run this command and, when prompted, choose the latest version:

    yarn install --flat

Next steps:

After completing these steps, build, test, and rescan your project to ensure the fix succeeded.