
In my React app, I have integrated Veracode. In the scan reports it is picking up the libraries from package-lock.json and showing them as high vulnerability, while those packages are in the latest version in package.json. Some of the libraries in package-lock.json require the previous versions of libraries, like this:

Invalid: lock file's lodash@4.17.4 does not satisfy lodash@4.17.15

Is there any way to fix the lock file version number?

Thanks in advance.

SDK
  • Better to scan `package-lock.json` for any vulnerabilities, since it takes precedence while installing `node_modules` for your `production` environment. Have you tried deleting `package-lock.json`, generating it again with `npm install` and committing the new/updated `package-lock.json`? – Prathap Reddy Jul 14 '20 at 05:32
  • Yes, I have regenerated the package-lock.json. But the version number is not yet updated. – SDK Jul 14 '20 at 06:11
  • Try deleting `package-lock.json` and the `lodash` folder in `node_modules`, and do `npm install`. – Prathap Reddy Jul 14 '20 at 06:14
