Force-resolutions


Annabella Wasik

Jul 21, 2024, 3:49:15 PM7/21/24
to quadleolensto

When I run npm i everything is installed correctly, and the set versions are taken into account. But later, when I install an additional module, e.g. npm i random-package, my set versions are thrown away and I end up with [email protected] and other low versions in some dependencies.


Hi @NthDegree, the only way which worked for me was to first run the normal npm install and then add the package-lock.json file to git. After doing that, when you add "preinstall": "npx npm-force-resolutions", it always updates the dependency resolution to the version mentioned.

I need to force a specific package version in a nested dependency. For something like this, npm-force-resolutions works great. A typical solution is to add the script "preinstall": "npx npm-force-resolutions" and "resolutions": with a list of package names as keys and versions as values.

The problem I'm facing is that for security reasons in my environment, I don't have access to npx. A solution I tried to come up with was to install npm-force-resolutions as a dev dependency, then add ./node_modules/.bin/npm-force-resolutions as a postinstall script in the package.json file:

Sadly, after running npm install, the resolutions were not updated (in the above example, node-fetch was still at ^1.7.3). Once npm was finished installing all packages, however, running ./node_modules/.bin/npm-force-resolutions manually does force the resolutions as expected (changing node-fetch above from ^1.7.3 to ^2.6.1).

This project was created because npm-force-resolutions was no longer suitable for the necessities of the team I was working in. We needed to avoid triggering the execution of the script when there was no package-lock.json, descriptive error logs, descriptive logs during the execution, faster download times, compatibility with multiple npm versions and faster execution times.

These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript repository. In the example, the recommended version of cookie-signature is 1.0.4.

You must have already run a Veracode SCA agent-based scan or run the npm install command to install dependencies. These actions result in a node_modules folder and a package-lock.json appearing in your project.

If a scripts section already exists, add "preinstall": "npx npm-force-resolutions" to it. This change makes the npm install command force the version resolution of the cookie-signature library to 1.0.4, according to the resolutions section using the NPM Force Resolutions package.

This is understood out of the box by Yarn and it is called selective dependency resolutions. NPM doesn't understand it without the help of the package npm-force-resolutions as far as my short research showed me.
