Open marcosfede opened 5 years ago
I am also experiencing the same issue. Running npm audit lists these vulnerabilities. Trying to run npm audit fix provides an error indicating these vulnerabilities cannot be fixed automatically.
To elaborate, the reason behind this is because the current hapi package has been moved/deprecated, and is not receiving critical updates to address these vulnerabilities. The newer version of the hapi package lives at a different address and I believe has resolved these security vulnerabilities.
I recommend updating the hapi dependency in the package.json to point to the location of the new package (@hapi/hapi).
Have opened a pull request for this #17.
Serverless-offline-python installs the cryptiles package (hapi dependency) with a known vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
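
To see which direct dependency pulls in cryptiles, and therefore what has to change in package.json when `npm audit fix` has nothing to upgrade to, the dependency chains can be traced from the lockfile. This is an added example, not code from the thread or the project: the lockfile content is constructed (lockfileVersion 1 layout, placeholder versions), and the function names and the `directDeps` list are assumptions.

```javascript
// Constructed package-lock.json content (lockfileVersion 1 layout); versions are placeholders.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    hapi: {
      version: "0.0.0-constructed",
      requires: { cryptiles: "*", iron: "*" },
      // a second copy of cryptiles nested under hapi/node_modules
      dependencies: { cryptiles: { version: "0.0.0-constructed" } },
    },
    iron: { version: "0.0.0-constructed", requires: { cryptiles: "*" } },
    cryptiles: { version: "0.0.0-constructed" },
    "js-yaml": { version: "0.0.0-constructed" },
  },
};

// Rename taken from the thread: the maintained package lives under a new name.
const RENAMED = { hapi: "@hapi/hapi" };
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return every chain "direct > ... > target", resolving each `requires`
// entry like Node does: nearest node_modules first, then outward to the root.
function whyInstalled(lock, directDeps, target) {
  const chains = [];
  function visit(name, scopes, path) {
    if (path.includes(name)) return; // guard against circular requires
    let depth = scopes.length - 1;
    while (depth >= 0 && !has(scopes[depth], name)) depth--;
    if (depth < 0) return; // not installed (e.g. an optional dependency)
    const entry = scopes[depth][name];
    const here = path.concat(name);
    if (name === target) { chains.push(here.join(" > ")); return; }
    const inner = scopes.slice(0, depth + 1);
    if (entry.dependencies) inner.push(entry.dependencies);
    for (const req of Object.keys(entry.requires || {})) visit(req, inner, here);
  }
  for (const dep of directDeps) visit(dep, [lock.dependencies || {}], []);
  return chains;
}

// Direct dependencies that head a chain and have a known replacement name.
function renamedHeads(chains) {
  const heads = new Set(chains.map((c) => c.split(" > ")[0]));
  return [...heads].filter((h) => has(RENAMED, h)).map((h) => `${h} -> ${RENAMED[h]}`);
}

const found = whyInstalled(sampleLock, ["hapi", "js-yaml"], "cryptiles");
console.log(found, renamedHeads(found));
```

Every chain in the constructed data starts at hapi, so swapping that one entry in package.json is what removes the flagged copies; on a real project, pass the dependency names from package.json as `directDeps`.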