Fix example transitive vulnerability for Yarn earlier than 1.0
Because Yarn projects allow for multiple versions of the same library, you cannot override a vulnerable library by adding the appropriate version directly to the configuration file.
These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript-yarn repository.
To complete this task:
-
Run this command to install
cookie-signature
library 1.0.4:yarn add cookie-signature@1.0.4
-
Run this command and, when prompted, choose the latest version:
yarn install --flat
Next steps:
After completing these steps, build, test, and rescan your project to ensure the fix succeeded.