Fix example transitive vulnerability for Yarn 1.0 or later

Because Yarn projects allow multiple versions of the same library to be installed side by side, adding the fixed version of a library directly to your configuration file does not replace a vulnerable version that another dependency pulls in transitively; both versions are installed, and the vulnerable one stays in use. You must instead force the version with a resolutions entry.

These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature version 1.0.3, a transitive dependency of the example-javascript-yarn repository.

To complete this task:

  1. Add this resolutions section to your package.json file:

    "resolutions": {
      "cookie-signature": "1.0.4"
    }

    If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.

  2. Run the yarn install command.
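The two steps above, plus the check that the fix actually took, as an added example that is not part of the original page: it merges the resolutions entry into package.json data (creating the section or adding to an existing one) and then reads yarn.lock to confirm that every request for cookie-signature now resolves to 1.0.4. The package.json contents, the yarn.lock excerpts and the placeholder dependency name are constructed for the example.

```python
import json

# Constructed sample: a Yarn 1 package.json whose direct dependency (placeholder
# name) pulls in cookie-signature 1.0.3 transitively; no resolutions section yet.
PACKAGE_JSON = '{"name": "example-javascript-yarn", "dependencies": {"some-web-framework": "1.0.0"}}'

# Constructed yarn.lock excerpts before and after the fix. Once the resolution is
# in place and `yarn install` has run, the request for 1.0.3 resolves to 1.0.4.
LOCK_BEFORE = """cookie-signature@1.0.3:
  version "1.0.3"
  resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.3.tgz"
"""
LOCK_AFTER = """cookie-signature@1.0.3:
  version "1.0.4"
  resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.4.tgz"
"""


def add_resolution(pkg, name, version):
    """Pin `name` to `version` under "resolutions": create the section if it is
    missing, otherwise merge into it and keep the entries already there."""
    pkg.setdefault("resolutions", {})[name] = version
    return pkg


def lock_versions(lock_text, name):
    """Map each yarn.lock entry for `name` to the version Yarn resolved it to.
    Entry headers are the unindented lines such as `cookie-signature@1.0.3:`."""
    versions, current = {}, None
    for line in lock_text.splitlines():
        if line and not line[0].isspace():
            key = line.rstrip(":").strip('"')
            current = key if key.startswith(name + "@") else None
        elif current and line.strip().startswith("version "):
            versions[current] = line.split('"')[1]
    return versions


def unresolved_entries(lock_text, name, fixed_version):
    """Entries for `name` that did not end up at `fixed_version`; an empty result
    means every request for the package now resolves to the fixed release."""
    return {k: v for k, v in lock_versions(lock_text, name).items() if v != fixed_version}


if __name__ == "__main__":
    pkg = add_resolution(json.loads(PACKAGE_JSON), "cookie-signature", "1.0.4")
    print(json.dumps(pkg, indent=2))  # write this back to package.json, then run `yarn install`
    print(unresolved_entries(LOCK_BEFORE, "cookie-signature", "1.0.4"))  # {'cookie-signature@1.0.3': '1.0.3'}
    print(unresolved_entries(LOCK_AFTER, "cookie-signature", "1.0.4"))   # {}
```

Running the lockfile check against the real yarn.lock after `yarn install` gives a quick local confirmation before the rescan.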

Next steps:

After completing these steps, build, test, and rescan your project to ensure the fix succeeded.