Fixing Specific Packages

The local configuration

The seal fix --mode all command fixes all the vulnerable packages for which a sealed version exists.

The CLI also supports selecting which packages to fix by using --mode local together with the local configuration file .seal-actions.yml. This file is saved in the project's root directory and contains the instructions for the fix phase.

It's important to commit this file to your source control, so that:

  1. Seal's app will recognize the vulnerability as sealed, and therefore as no longer posing a threat to the project.

  2. If the Seal CLI is running as part of your CI, the local configuration file allows you to apply fixes selectively, and require approval by the developers for each new fix.

Adding packages to the local configuration

For each package you wish to fix, use the following command:

seal add package-name version

For example: seal add ejs 2.7.4. This command will add to the local configuration file an instruction to replace ejs@2.7.4 with its sealed version ejs@2.7.4-sp1. If the local configuration file does not exist, it will be generated from scratch.

To generate a local configuration file with instructions to fix everything that has a sealed version in the project, you can use seal scan --generate-local-config instead of adding packages one-by-one.

Note that it's also possible to manually edit the overrides section in the local configuration file, as its format is straightforward:

...
    overrides:
      ejs:
        2.7.4:
          use: 2.7.4-sp1
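
A review check for hand-edited overrides, as an added example that is not part of Seal's documentation or tooling: it reads the overrides section in the layout shown above, lists entries whose replacement is not the same version with an -sp<N> suffix, and reports which fixes are new relative to an approved copy. The suffix rule is an assumption inferred from the single ejs example; the function names, the minimal parser and the example-pkg entry are constructed for illustration.

```python
import re

# Constructed sample in the layout shown above. The example-pkg entry is a
# hypothetical manual edit that does not point at a sealed version.
SAMPLE = """\
overrides:
  ejs:
    2.7.4:
      use: 2.7.4-sp1
  example-pkg:
    1.2.3:
      use: 1.3.0
"""

def parse_overrides(text):
    """Return {(package, version): replacement} from the overrides section."""
    found, section, stack = {}, None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "...")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip("'\" "), value.strip().strip("'\"")
        if section is None:
            if key == "overrides" and not value:
                section = indent  # remember how deep the section header sits
            continue
        if indent <= section:  # a sibling key follows: the section has ended
            section, stack = None, []
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if key == "use" and len(stack) == 2:
            found[(stack[0][1], stack[1][1])] = value
        else:
            stack.append((indent, key))
    return found

def unexpected_overrides(overrides):
    """Entries whose replacement is not '<same version>-sp<N>' (assumed rule)."""
    return [f"{pkg}@{ver} -> {use}" for (pkg, ver), use in sorted(overrides.items())
            if not re.fullmatch(re.escape(ver) + r"-sp\d+", use)]

def new_fixes(approved, proposed):
    """Overrides in proposed that are absent from, or differ from, approved."""
    return {k: v for k, v in proposed.items() if approved.get(k) != v}

if __name__ == "__main__":
    print(unexpected_overrides(parse_overrides(SAMPLE)))
```

In CI, parse the committed file from the main branch and the one in the change, and ask a developer to approve whatever new_fixes returns before the fix phase runs.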
