Fix an example transitive vulnerability for NPM
Because NPM can install several versions of the same library in one project (a transitive dependency keeps its own nested copy under node_modules), you cannot fix a vulnerable transitive library simply by adding the fixed version as a direct dependency in package.json. The dependant that pulls in the library keeps resolving its own, still-vulnerable copy.
These steps fix a Timing Attack Via Signature Validation vulnerability in cookie-signature version 1.0.3 in the example-javascript repository. In this example, the recommended version of cookie-signature is 1.0.4.
Before you begin:
You must have already run a Veracode SCA agent-based scan or run the npm install command to install dependencies. Either action produces a node_modules folder and a package-lock.json file in your project. The package-lock.json file must exist, because the npm-force-resolutions package works by rewriting it.
To complete this task:
- Add this resolutions section to your package.json file:
    "resolutions": {
      "cookie-signature": "1.0.4"
    }
  If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.
- Add this scripts section to your package.json file:
    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }
  If a scripts section already exists, add "preinstall": "npx npm-force-resolutions" to it. This change makes the npm install command force the version resolution of the cookie-signature library to 1.0.4, according to the resolutions section, using the NPM Force Resolutions package. The preinstall script runs on every npm install and rewrites package-lock.json before dependencies are installed, so commit the resulting lock file changes.
- Delete the node_modules folder.
- Run the npm install command to download the updated dependency. Then run npm ls cookie-signature to confirm that every copy in the tree resolves to 1.0.4, and run your project's tests, because the dependant that required 1.0.3 has not been tested by its authors against the forced version.
Next steps:
If you encounter problems using the npm-force-resolutions package, you can use this alternative method.