If a Veracode scan (or any other SCA tool) flags a vulnerability in the inflight package, the finding most likely comes from eslint, which pulls inflight in transitively. That won't be true in every project, but the SCA tool normally shows a dependency graph you can drill into to see exactly which package brings it in (running npm ls inflight prints the same path from the command line). If it is eslint in your case, here's the fix that clears the SCA finding:
You probably have eslint listed under the dependencies section of package.json (of course, duh). Just move the eslint package into devDependencies, because that is where it belongs in the first place: a linter runs only during development and is never loaded by production code. SCA tools treat devDependencies as development-only, and a production install does not fetch them, so the inflight finding no longer counts against your production report. Keep in mind that this reclassifies the finding rather than patching anything: inflight is still installed on developer machines and in CI through eslint, and the finding only drops out of the report if your scanner is configured to exclude devDependencies, so check that setting rather than assuming it.
As always, I hope this helps someone 😌.
Top comments (1)
Please let me know if this workaround will work with Sonatype (Nexus scan) report generation as well? @thecodeinfluencer