Fix example transitive vulnerability for NPM without force resolutions

If you encounter problems using the NPM force-resolutions package, you can use this alternative method to fix transitive vulnerabilities in NPM projects.

Before you begin:

Run a Veracode SCA agent-based scan or run the npm install command to install dependencies. These actions result in a node_modules folder and a package-lock.json appearing in your project.
Use NPM version 3.10.4 or later.

To complete this task:

Run the npm shrinkwrap command in the same directory as your package.json file.

This command generates a npm-shrinkwrap.json file with all the dependencies currently in use.
Find the cookie-signature library with the version specified in the issue details viewed previously. In this example, version 1.0.3 is vulnerable and the recommended version is 1.0.4.

Edit the npm-shrinkwrap.json file to update the cookie-signature library:

"cookie-signature": {
  "version": "1.0.4",
  "from": "[email protected]",
  "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.4.tgz"
}

Delete the node_modules folder.
Run the npm install command to download the updated dependency and ensure the updated version works with your project.

Did you find this helpful?