Because NPM projects allow multiple versions of the same library to be installed at the same time, you cannot override a vulnerable library simply by adding the appropriate version directly to the configuration file.
Before you begin:
You must have already run a Veracode SCA agent-based scan or run the npm install command to install dependencies. Either action produces a node_modules folder and a package-lock.json file in your project.
To complete this task:
1. Add a resolutions section to your package.json file. If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.
2. Add a scripts section to your package.json file containing "preinstall": "npx npm-force-resolutions". If a scripts section already exists, add "preinstall": "npx npm-force-resolutions" to it. This change makes the npm install command force the version resolution of the cookie-signature library to 1.0.4, as declared in the resolutions section, using the NPM Force Resolutions package.
3. Run the npm install command to download the updated dependency and ensure the updated version works with your project.
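As an added example that is not part of this page or of the npm-force-resolutions project, the Node script below holds the package.json fragment the steps describe and checks a parsed package-lock.json to confirm that every installed copy of cookie-signature resolved to the pinned version. The lockfile content is constructed, and the function names are my own.

```javascript
// Added example (not Veracode's or npm-force-resolutions' code): confirm that a
// resolutions override reached every copy of a package in package-lock.json.

// The package.json fragment the steps above describe.
const packageJsonOverride = {
  resolutions: { "cookie-signature": "1.0.4" },
  scripts: { preinstall: "npx npm-force-resolutions" },
};

// Return every version of `name` present in a parsed package-lock.json.
// Covers lockfileVersion 2/3 ("packages", keyed by install path) and the
// lockfileVersion 1 layout (nested "dependencies" objects).
function resolvedVersions(lock, name) {
  const found = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/<name>" or ".../node_modules/<name>" is an installed copy.
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      if (entry.version) found.add(entry.version);
    }
  }
  const walk = (deps) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      if (depName === name && entry.version) found.add(entry.version);
      walk(entry.dependencies); // copies nested under another package
    }
  };
  walk(lock.dependencies);
  return [...found].sort();
}

// True only when at least one copy is installed and all copies match the pin.
function overrideApplied(lock, pkgJson, name) {
  const pinned = (pkgJson.resolutions || {})[name];
  const versions = resolvedVersions(lock, name);
  return versions.length > 0 && versions.every((v) => v === pinned);
}

// Constructed lockfile: a hoisted copy at 1.0.4 plus an older copy still
// nested under express, which is what an incomplete override looks like.
const sampleLockBefore = {
  lockfileVersion: 2,
  packages: {
    "node_modules/cookie-signature": { version: "1.0.4" },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/express/node_modules/cookie-signature": { version: "1.0.3" },
  },
};
console.log(resolvedVersions(sampleLockBefore, "cookie-signature")); // [ '1.0.3', '1.0.4' ]
console.log(overrideApplied(sampleLockBefore, packageJsonOverride, "cookie-signature")); // false
```

Run it against your real lockfile by replacing the sample object with JSON.parse of package-lock.json after step 3; a false result means a nested copy was not overridden.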
If you encounter problems using the NPM force-resolutions package, you can use this alternative method.