If you encounter problems using the NPM force-resolutions package, you can use this alternative method to fix transitive vulnerabilities in NPM projects.
Before you begin:
- Run a Veracode SCA agent-based scan or run the npm install command to install dependencies. Either action produces a node_modules folder and a package-lock.json file in your project.
- Use NPM version 3.10.4 or later.
To complete this task:
- Run the npm shrinkwrap command from the root of your project. This command generates an npm-shrinkwrap.json file that records all the dependencies currently in use.
- Locate the cookie-signature library entry with the version specified in the issue details viewed previously. In this example, version 1.0.3 is vulnerable and the recommended version is 1.0.4.
- Edit the npm-shrinkwrap.json file to update the cookie-signature entry to the recommended version, for example:
    "from": "[email protected]",
- Run the npm install command to download the updated dependency and ensure the updated version works with your project.