
I am using express v4.16.4 in my node server.

It has pulled in cookie-signature v1.0.6.

I want to upgrade cookie-signature to v1.1.0 as it has a fix which I require. What is the way to do that?

I don't think I should do an npm install cookie-signature@1.1.0 as it would list cookie-signature in my app dependencies.

EDIT: this discusses the exact same problem that I am looking to solve. The accepted answer is using npm-shrinkwrap, and another top voted answer is using package-lock.json, but both of these seem to have issues as discussed in the respective comments.

Happy to close this as a duplicate.

gaurav5430
  • Possible duplicate of [How do I override nested NPM dependency versions?](https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions) – jonrsharpe Jun 17 '19 at 15:33

3 Answers


You might also be able to solve the issue by adding a resolutions key in the package.json to "enforce" certain versions of dependencies:

{
  "resolutions": {
    "cookie-signature": "^1.1.0"
  }
}

To actually make use of that, you have to use npm-force-resolutions in preinstall:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

See this post for further information: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d

Andreas Siegel
  • Awesome. I'm so glad npm figured out a manageable solution to this. – dgo May 25 '21 at 20:23
  • NPM 8 has native support for this, please check the following answer: https://stackoverflow.com/a/70490790/1043288 – Sateesh Dec 27 '21 at 00:37

NPM 8 introduced "overrides", which allows you to override specific transitive dependencies of your direct dependency. For your use case, you would declare something like the below in your package.json.

{
  "overrides": {
    "express": {
      "cookie-signature": "1.1.0"
    }
  }
}

More details @ https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

Sateesh

We had a very similar problem. Protractor 5.4.2 has a dependency on webdriver-manager@^12.0.6. In package-lock.json webdriver-manager was fixed to 12.1.5. However, we needed 12.1.7 in order to make it work with all the latest chrome versions.

We noticed that npm would install version 12.1.7 when removing node_modules and package-lock.json, but we did not find a way to automatically update package-lock.json. So these are the steps we took:

  1. Remove node_modules
  2. Remove package-lock.json
  3. Run npm install
  4. Open package-lock.json and copy the webdriver-manager section to another file
  5. Undo (git checkout) all changes in package-lock.json
  6. Copy the saved webdriver-manager part back into package-lock.json
  7. Remove node_modules
  8. Run npm install
  9. Check node_modules/protractor/node_modules/webdriver-manager/package.json that the right version was installed.

I think this workaround should work for express and cookie-signature as well.

  • Where in these steps are you changing the transitive dependency version? – montrealist Apr 01 '20 at 17:22
  • @montrealist step 3 writes the new version (of possibly other modules too) to `package-lock.json`, in step 6 you manually change it, from the backup created in step 4. However, I think you could skip steps 4 to 8 if you only remove `webdriver-manager` (and its dependencies, if you also require new versions there) from `node_modules` in step 1. In step 3 npm should then only write new versions for the _removed_ dependencies to the newly generated package-lock.json (check your unstaged changes). At least it worked like this in my case. – msa Feb 08 '21 at 13:20