I am using express v4.16.4 in my node server.
It has pulled in cookie-signature v1.0.6.
I want to upgrade cookie-signature to v1.1.0 as it has a fix which I require. What is the way to do that?
I don't think I should do a `npm install cookie-signature@1.1.0` as it would list cookie-signature in my app dependencies.
EDIT: this discusses the exact same problem that I am looking to solve. The accepted answer is using npm-shrinkwrap, and another top-voted answer is using package-lock.json, but both of these seem to have issues as discussed in the respective comments.
Happy to close this as a duplicate.
You might also be able to solve the issue by adding a resolutions key in the package.json to "enforce" certain versions of dependencies:

    {
      "resolutions": {
        "cookie-signature": "^1.1.0"
      }
    }

To actually make use of that, you have to use npm-force-resolutions in preinstall:

    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }
See this post for further information: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d