Closed tjdavey closed 6 years ago
As there doesn't appear to be a 1.x release branch to create a pull request against, I don't have any way of creating a PR for a security release for the Hapi 12.x-16.x releases. However, there is a branch with the required update, branching from the v1.1.3 release, here: https://github.com/tjdavey/hapi-qs/tree/1.x-joi-security
Thanks a lot! PR merged and fixed version published as v1.1.4 and v2.0.1
Regarding the 1.x version, we cannot use Joi 13.x as in your branch because it depends on node >=8.9, whereas Hapi >=12 <=16, which is supported by version 1.x.x, works on node ranging from 4 to 8. I've updated to Joi 12, which depends on Hoek 4.x.x, which has been patched in version 4.2.0.
@dafortune Ah, thanks. I completely overlooked the Node support problem. Thanks for resolving!
This module is currently shown as vulnerable by Node Security checks due to its reliance on a vulnerable version of hoek through the joi dependency.

NSP Security Advisory: https://nodesecurity.io/advisories/566
CVE Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3728
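An added example, not code from hapi-qs or its maintainers: a small Node script that walks a lockfile-style dependency tree and reports every transitive hoek instance whose version falls inside a vulnerable range, with the path that pulled it in. The sample trees are constructed to mirror the chain in this issue (joi pulling in hoek, before and after the joi bump); the range boundaries 4.2.1 and 5.0.3 are the published fix versions for CVE-2018-3728, and the joi/hoek versions in the samples are assumptions.

```javascript
// Parse "1.2.3" (or "v1.2.3") into [1, 2, 3]; pre-release tags are ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison so "4.10.0" sorts after "4.9.9".
function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A vulnerable range is { min (inclusive), max (exclusive) }; max is the first fixed version.
function isVulnerable(version, ranges) {
  return ranges.some(r => compare(version, r.min) >= 0 && compare(version, r.max) < 0);
}

// Recursively walk nested lockfile-style `dependencies` maps, recording the path
// to each instance of `name` so the report shows which dependency pulled it in.
function findInstances(tree, name, path = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) found.push({ version: info.version, path: here });
    found.push(...findInstances(info, name, here));
  }
  return found;
}

// Report only the instances that fall inside a vulnerable range.
function audit(tree, name, ranges) {
  return findInstances(tree, name)
    .filter(i => isVulnerable(i.version, ranges))
    .map(i => ({ version: i.version, via: i.path.join(' > ') }));
}

// Published fix versions for CVE-2018-3728: hoek < 4.2.1 and 5.x < 5.0.3 are affected.
const HOEK_VULNERABLE = [{ min: '0.0.0', max: '4.2.1' }, { min: '5.0.0', max: '5.0.3' }];

// Constructed sample trees (versions are assumptions) modelling the 1.x line
// before and after the joi bump described in this thread.
const beforeFix = { dependencies: { joi: { version: '10.6.0', dependencies: { hoek: { version: '4.1.0' } } } } };
const afterFix = { dependencies: { joi: { version: '12.0.0', dependencies: { hoek: { version: '4.2.1' } } } } };

console.log(audit(beforeFix, 'hoek', HOEK_VULNERABLE)); // one finding via joi@10.6.0 > hoek@4.1.0
console.log(audit(afterFix, 'hoek', HOEK_VULNERABLE));  // []
```

The same walk works on a real `package-lock.json` after `JSON.parse`, since its nested `dependencies` objects have the shape the sample trees use.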