Open felipemarinho97 opened 6 years ago
Updating @angular-devkit/build-angular to the latest version now fixes the hoek package security vulnerability
Updating to @angular-devkit/build-angular@0.7.2 still produces the warning on GitHub
$ npm view @angular-devkit/build-angular version
0.7.2
$ npm list @angular-devkit/build-angular
hb-dashboard-a6@0.0.0 /Users/dee/projects/angular/hydrobytes-dashboard/hb-dashboard-a6
└── @angular-devkit/build-angular@0.7.2
@deezone please run npm ls hoek to see what package is requiring hoek.
Ok, seems that on node-sass it was fixed, the problem now is because node-gyp still requires request less than 2.87.0.
@angular-devkit/build-angular@0.7.2
└─┬ node-sass@4.9.2
  └─┬ node-gyp@3.7.0
    └─┬ request@2.81.0
      └─┬ hawk@3.1.3
        ├─┬ boom@2.10.1
        │ └── hoek@2.16.3 deduped
        ├── hoek@2.16.3
        └─┬ sntp@1.0.9
          └── hoek@2.16.3 deduped
This PR https://github.com/nodejs/node-gyp/pull/1471 will fix the problem on node-gyp.
Thank you for your feedback @deezone
The hoek package has a security vulnerability in version 2.16.3. It's required by one of angular-cli's dependencies, specifically node-sass@4.9.0, as described here https://github.com/angular/angular-cli/issues/10480#issuecomment-397047518 and seen here https://github.com/sass/node-sass/issues/2355. Maybe we will have to wait until angular-cli updates its node-sass dep to v5 to see this problem solved.
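An added example, not part of the original thread: the script below automates the `npm ls hoek` step by walking a dependency tree in the shape of `npm ls --json` output and listing every chain that ends at hoek@2.16.3. The sample tree is constructed from the versions quoted in this thread, and `dep`, `findChains` and `directCulprits` are hypothetical helper names.

```javascript
// Constructed sample in the shape of `npm ls --json` output, using the
// package versions quoted in this thread. For a real project, replace it
// with the parsed JSON that `npm ls --json` prints.
const dep = (version, dependencies = {}) => ({ version, dependencies });
const SAMPLE_TREE = {
  name: "hb-dashboard-a6",
  version: "0.0.0",
  dependencies: {
    "@angular-devkit/build-angular": dep("0.7.2", {
      "node-sass": dep("4.9.2", {
        "node-gyp": dep("3.7.0", {
          request: dep("2.81.0", {
            hawk: dep("3.1.3", {
              boom: dep("2.10.1", { hoek: dep("2.16.3") }),
              hoek: dep("2.16.3"),
              sntp: dep("1.0.9", { hoek: dep("2.16.3") }),
            }),
          }),
        }),
      }),
    }),
  },
};

// Depth-first walk. Returns one "a@1 > b@2 > name@version" string for every
// place the flagged package version appears in the tree.
function findChains(node, name, version, trail = []) {
  const chains = [];
  for (const [depName, info] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${depName}@${info.version}`];
    if (depName === name && info.version === version) {
      chains.push(here.join(" > "));
    }
    chains.push(...findChains(info, name, version, here));
  }
  return chains;
}

// The first hop of each chain is the direct dependency in package.json that
// drags the flagged version in, i.e. the one to upgrade or report upstream.
function directCulprits(tree, name, version) {
  const firstHops = findChains(tree, name, version).map((c) => c.split(" > ")[0]);
  return [...new Set(firstHops)];
}

for (const chain of findChains(SAMPLE_TREE, "hoek", "2.16.3")) console.log(chain);
console.log("direct:", directCulprits(SAMPLE_TREE, "hoek", "2.16.3").join(", "));
```

Every chain here passes through node-gyp@3.7.0 and request@2.81.0, which matches the thread's conclusion that the fix has to land in node-gyp.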