Guardians-DSC / iarl-angular

Interface de Acesso Remoto a Laboratórios - Angular Frontend
MIT License

Security vulnerability in dependencies #6

Open felipemarinho97 opened 6 years ago

felipemarinho97 commented 6 years ago

The hoek package has a security vulnerability in version 2.16.3. It's required by one of angular-cli's dependencies, specifically node-sass@4.9.0, as described here https://github.com/angular/angular-cli/issues/10480#issuecomment-397047518 and seen here https://github.com/sass/node-sass/issues/2355. Maybe we will have to wait until angular-cli updates its node-sass dependency to v5 to see this problem solved.

felipemarinho97 commented 6 years ago

Updating @angular-devkit/build-angular to the latest version now fixes the hoek package security vulnerability

deezone commented 6 years ago

Updating to @angular-devkit/build-angular@0.7.2 still produces the warning on GitHub:

$ npm view @angular-devkit/build-angular version
0.7.2
$ npm list @angular-devkit/build-angular
hb-dashboard-a6@0.0.0 /Users/dee/projects/angular/hydrobytes-dashboard/hb-dashboard-a6
└── @angular-devkit/build-angular@0.7.2


felipemarinho97 commented 6 years ago

@deezone please run npm ls hoek to see what package is requiring hoek.

felipemarinho97 commented 6 years ago

OK, it seems that on node-sass it was fixed; the problem now is that node-gyp still requires a request version older than 2.87.0.

@angular-devkit/build-angular@0.7.2
  └─┬ node-sass@4.9.2
    └─┬ node-gyp@3.7.0
      └─┬ request@2.81.0
        └─┬ hawk@3.1.3
          ├─┬ boom@2.10.1
          │ └── hoek@2.16.3  deduped
          ├── hoek@2.16.3 
          └─┬ sntp@1.0.9
            └── hoek@2.16.3  deduped

This PR https://github.com/nodejs/node-gyp/pull/1471 will fix the problem on node-gyp.

Thank you for your feedback @deezone
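The thread above resolves the question "who is pulling hoek in?" by reading the `npm ls hoek` tree by hand. The script below is an added example, not code from the iarl-angular project or from either commenter: it walks an `npm ls --json`-shaped dependency tree, reports every path that ends at a package version inside a vulnerable range, and names the direct dependency at the head of each path, which is the only thing the project's own package.json can change. The tree is a constructed sample mirroring the one posted in the thread (real `npm ls --json` output nests `dependencies` the same way but carries extra fields the walker ignores). The vulnerable ranges for hoek (below 4.2.1, and 5.0.0 up to but not including 5.0.3) are stated here as an assumption; check the advisory for the package you are actually auditing.

```javascript
// Added example (not iarl-angular project code): find every dependency path
// that ends at a vulnerable package version in an `npm ls --json` style tree.

// Constructed sample, shaped like `npm ls --json` and mirroring the tree
// posted in the thread. Deduped entries are listed in full here for clarity.
const SAMPLE_TREE = {
  name: 'hb-dashboard-a6',
  version: '0.0.0',
  dependencies: {
    '@angular-devkit/build-angular': {
      version: '0.7.2',
      dependencies: {
        'node-sass': {
          version: '4.9.2',
          dependencies: {
            'node-gyp': {
              version: '3.7.0',
              dependencies: {
                request: {
                  version: '2.81.0',
                  dependencies: {
                    hawk: {
                      version: '3.1.3',
                      dependencies: {
                        boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
                        hoek: { version: '2.16.3' },
                        sntp: { version: '1.0.9', dependencies: { hoek: { version: '2.16.3' } } },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Assumed vulnerable ranges as [lowInclusive, highExclusive] pairs. Replace
// with the ranges from the advisory for the package you are auditing.
const VULNERABLE = {
  hoek: [['0.0.0', '4.2.1'], ['5.0.0', '5.0.3']],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function isVulnerable(name, version, table = VULNERABLE) {
  if (!(name in table)) return false;
  return table[name].some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Depth-first walk. Each hit records the full path from a direct dependency
// down to the vulnerable package, plus the direct dependency's name.
function findVulnerablePaths(tree, table = VULNERABLE) {
  const hits = [];
  const walk = (node, name, path, direct) => {
    const here = path.concat(`${name}@${node.version}`);
    if (isVulnerable(name, node.version, table)) {
      hits.push({ name, version: node.version, path: here, direct });
    }
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(sub, child, here, direct);
    }
  };
  for (const [child, sub] of Object.entries(tree.dependencies || {})) {
    walk(sub, child, [], child);
  }
  return hits;
}

// Unique list of direct dependencies whose subtree contains a hit: these are
// the entries in package.json you can bump; everything below them is chosen
// by intermediate maintainers (node-sass, node-gyp, request in this case).
function directDependenciesToBump(hits) {
  return [...new Set(hits.map(h => h.direct))];
}

// Stand-alone run against the constructed sample.
for (const h of findVulnerablePaths(SAMPLE_TREE)) {
  console.log(`${h.name}@${h.version} via ${h.path.join(' > ')}`);
}
console.log('bump:', directDependenciesToBump(findVulnerablePaths(SAMPLE_TREE)));
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse(require('child_process').execSync('npm ls --json', { encoding: 'utf8' }))` from the project directory; `npm ls` exits non-zero on peer or extraneous warnings, so wrap that call in a try/catch that still reads `err.stdout` if you want the tree despite the warnings.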