hapijs / hoek

Node utilities shared among the extended hapi universe

Security Vulnerability #247

Closed nzec closed 6 years ago

nzec commented 6 years ago

So I have got this repository: https://github.com/duttaditya18/learn-node-js

Which has got this as a dependency.

GitHub is showing me that there is a vulnerability in this dependency.

See this: GitHub message

The link takes us to: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

I am not using this in production. But, is this something to be worried about? And what does this mean? I want to know.

Marsup commented 6 years ago

GitHub is wrong, nothing we can do.

Tom-Bonnike commented 6 years ago

See comments here: https://github.com/hapijs/hoek/issues/230#issuecomment-384816142

OlafSzmidt commented 6 years ago

It's not GitHub that's wrong. It's the CVE report that's wrong.

CVE-2018-3728

All references mentioned have been updated now but the main report is still outdated.

nlf commented 6 years ago

I submitted a request to update the CVE, hopefully that’ll happen soon and GitHub can get their db updated. Until that happens this is all out of my hands. I’m leaving this open in the hopes other people will find it.

lrgeoemtry commented 6 years ago

It was a good reminder of the alarm system here on git... I have 3 git accounts in multiple orgs and get 40 notifications at once, lol. I added a Discord channel called

"The House is on Fire"

How do we prevent things like this in the future?

cmfcmf commented 6 years ago

It looks like it has been updated: (screenshot)

inunotaisho commented 6 years ago

Same issue. The alerts are getting annoying.

LDubya commented 6 years ago

Still showing up on GitHub today

markturner commented 6 years ago

Is this warning also incorrect for 2.16.3? Or is that a genuine problem?

Marsup commented 6 years ago

2.16.3 was released 3.5 years ago; it's way beyond end of life. The issue is probably there and won't be patched.

phillmv commented 6 years ago

Hey y'all,

I work on the team that accidentally sent out all the extra alerts

  1. We're sorry! We went by the CVE feed, and we didn't realize that the patch had been backported. From here on out, we'll be more careful when validating the information we alert on.

  2. We fixed the versions we alert on back on Monday, and I personally deleted all the bad alerts earlier today. I can't do anything about the emails that got sent out, but GitHub should no longer be telling anyone about 4.2.1 being bad.

On a related note, if anyone has any ideas on how to improve the alerting product we always love feedback.

Thanks,

sobolevn commented 6 years ago

This alert also happens with snyk: https://snyk.io/test/npm/hoek/2.16.3?severity=high&severity=medium&severity=low

And nsp also reports this package as vulnerable.

> nsp check

(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ vue_docker@0.1.0 > node-sass@4.9.0 > request@2.79.0 > hawk@3.1.3 > │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

nzec commented 6 years ago

There is incorrect information in so many databases. It will take a lot of time to get things right.

nlf commented 6 years ago

The alert pasted there is correct; you have version 2.16.3, which is over 3 years old. The version that was flagged incorrectly was 4.2.1.

nlf commented 6 years ago

GitHub has corrected the issue for 4.2.1, so I'm closing this.

BlueAccords commented 6 years ago

So just to clarify for anyone referencing this issue: 2.16.3 DOES have a security vulnerability and should be updated to a more recent version if a library is depending on it?

I'm just asking because several issues referencing this vulnerability received clarification that it was a false positive, and assumed all alerts involving a security vulnerability with hoek were a false positive.

WesTyler commented 6 years ago

2.16.3 DOES have a security vulnerability and should be updated

Correct

takahser commented 6 years ago

Okay, so I have this issue as well, with several packages depending on the obsolete hoek version, and none of them has updated the dependency yet.

Is there an easy way to fix this? I tried to add hoek to the package.json, but apparently that won't affect the hoek version when it is installed as a child dependency of other packages.

Do I really have to look up all dependency chains that lead to hoek and override them using an npm shrinkwrap (it's the only solution I found so far)?

Thanks.

EDIT

Since there doesn't seem to be a better way, I actually traced back the dependencies that use hoek in my app and declared the safe version in the shrinkwrap. In my case it was used by the karma package, so if anybody has this problem with that package, you can probably just copy my config:

{
  "dependencies": {
    "karma": {
      "version": "2.0.0",
      "from": "karma@2.0.0",
      "dependencies": {
        "chokidar": {
          "version": "1.7.0",
          "from": "chokidar@1.7.0",
          "dependencies": {
            "fsevents": {
              "version": "1.1.3",
              "from": "fsevents@1.1.3",
              "dependencies": {
                "hawk": {
                  "version": "3.1.3",
                  "from": "hawk@3.1.3",
                  "dependencies": {
                    "boom": {
                      "version": "2.10.1",
                      "from": "boom@2.10.1",
                      "dependencies": {
                        "hoek": {
                          "version": "5.0.3",
                          "from": "hoek@5.0.3"
                        }
                      }
                    },
                    "cryptiles": {
                      "version": "2.0.5",
                      "from": "cryptiles@2.0.5",
                      "dependencies": {
                        "hoek": {
                          "version": "5.0.3",
                          "from": "hoek@5.0.3"
                        }
                      }
                    },
                    "hoek": {
                      "version": "5.0.3",
                      "from": "hoek@5.0.3"
                    },
                    "sntp": {
                      "version": "1.0.9",
                      "from": "sntp@1.0.9",
                      "dependencies": {
                        "hoek": {
                          "version": "5.0.3",
                          "from": "hoek@5.0.3"
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "boom": {
      "version": "2.10.1",
      "from": "boom@2.10.1",
      "dependencies": {
        "hoek": {
          "version": "5.0.3",
          "from": "hoek@5.0.3"
        }
      }
    },
    "cryptiles": {
      "version": "2.0.5",
      "from": "cryptiles@2.0.5",
      "dependencies": {
        "hoek": {
          "version": "5.0.3",
          "from": "hoek@5.0.3"
        }
      }
    },
    "hoek": {
      "version": "5.0.3",
      "from": "hoek@5.0.3"
    },
    "sntp": {
      "version": "1.0.9",
      "from": "sntp@1.0.9",
      "dependencies": {
        "hoek": {
          "version": "5.0.3",
          "from": "hoek@5.0.3"
        }
      }
    }
  }
}

(after that, just run npm install and you're done)
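The two practical questions in this thread are which hoek versions the advisory actually covers (4.2.1 is patched, 2.16.3 is not) and how to find every copy of hoek buried in a dependency tree without tracing chains by hand. The following is an added example, not hoek's code and not posted by anyone in the thread: it evaluates a version against the "Vulnerable" and "Patched" ranges quoted in the nsp output above using a small hand-rolled subset of semver (plain MAJOR.MINOR.PATCH, the advisory's comparator syntax only, no `semver` package), and walks a shrinkwrap/package-lock-v1-shaped tree, constructed inline as sample data, to report each hoek instance with the path that pulls it in.

```javascript
// Added example (not hoek's code, not from anyone in this thread).
// Evaluates a hoek version against the advisory ranges quoted in the nsp output
// (advisory 566 / CVE-2018-3728) and walks a package-lock/shrinkwrap-style tree
// to list every hoek instance with its dependency path.
// Assumptions: plain MAJOR.MINOR.PATCH versions (no prerelease/build tags) and
// the range syntax the advisory uses: comparators joined by spaces mean AND,
// "||" means OR. No external semver package is used, so this runs offline.

const HOEK_VULNERABLE = '<= 4.2.0 || >= 5.0.0 < 5.0.3'; // "Vulnerable" row of the nsp table
const HOEK_PATCHED = '> 4.2.0 < 5.0.0 || >= 5.0.3';     // "Patched" row of the nsp table

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1, comparing major, then minor, then patch numerically
// (so 4.10.0 sorts after 4.9.0, unlike a string comparison).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function satisfiesComparator(version, op, target) {
  const c = compareVersions(version, target);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    case '=': return c === 0;
    default: throw new Error(`unsupported operator: ${op}`);
  }
}

// One comparator such as "<= 4.2.0" or ">=5.0.3"; a bare version means "=".
const COMPARATOR_RE = /(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/g;

// True when `version` falls inside `range` ("||"-separated clauses, each an AND of comparators).
function satisfiesRange(version, range) {
  return range.split('||').some((clause) => {
    const comparators = [...clause.matchAll(COMPARATOR_RE)];
    if (comparators.length === 0) throw new Error(`empty range clause: "${clause}"`);
    return comparators.every(([, op, target]) => satisfiesComparator(version, op || '=', target));
  });
}

// Walks a tree shaped like npm-shrinkwrap.json / package-lock v1
// ({ dependencies: { name: { version, dependencies } } }) and returns every
// occurrence of `name` together with the chain of packages that pulls it in.
function findPackage(tree, name, vulnerableRange, path = []) {
  const found = [];
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${node.version}`];
    if (dep === name) {
      found.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: satisfiesRange(node.version, vulnerableRange),
      });
    }
    found.push(...findPackage(node, name, vulnerableRange, here));
  }
  return found;
}

// Constructed sample tree: the nsp path from the thread (hoek 2.16.3 under hawk),
// a top-level 4.2.1 copy like the one GitHub mis-flagged, and a karma chain pinned to 5.0.3.
const SAMPLE_LOCK = {
  dependencies: {
    hoek: { version: '4.2.1' },
    'node-sass': {
      version: '4.9.0',
      dependencies: {
        request: {
          version: '2.79.0',
          dependencies: {
            hawk: { version: '3.1.3', dependencies: { hoek: { version: '2.16.3' } } },
          },
        },
      },
    },
    karma: { version: '2.0.0', dependencies: { hoek: { version: '5.0.3' } } },
  },
};

function auditHoek(tree = SAMPLE_LOCK) {
  return findPackage(tree, 'hoek', HOEK_VULNERABLE);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditHoek()) {
    console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.path}`);
  }
}
```

To run it against a real lockfile, pass `JSON.parse(fs.readFileSync('npm-shrinkwrap.json'))` (or a v1 package-lock.json) to `auditHoek`; only the entries reported as vulnerable need the shrinkwrap override shown above.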

dgvandehey commented 6 years ago

I received a warning on GitHub about startbootstrap-grayscale-gh-pages/package-lock.json being vulnerable. So, is this incorrect? CVE is common Threats and Vulnerabilities? Can I search this warning out, or is GitHub just overreacting? Thanks.

WesTyler commented 6 years ago

If the version is lower than 4.2.1, or in the 5.x line before 5.0.3, then yes, you need to upgrade the hoek version.

dgvandehey commented 6 years ago

Thanks, how do I update? I'm learning to code and haven't dealt with this before. Can you advise? Thanks.

WesTyler commented 6 years ago

If you run npm install hoek@4.2.x or npm install hoek@5 in your project, it will grab the latest matching version and should automatically update your package-lock.json :)

dgvandehey commented 6 years ago

Thanks, sorry if I sound a little clueless on this, but would I run this in the command line, or is there a bit of code I need to run in the HTML? I'm new to this and don't understand the process yet. Thanks.

WesTyler commented 6 years ago

No worries! We all start from the beginning at some point :)

You will run the npm install in the command line, while you are inside of the project directory.

dgvandehey commented 6 years ago

Hi Wes, I went through the steps and I think it updated the package-lock.json. Is there a way to check if it did or not? Thanks again for the help.

interglobalmedia commented 6 years ago

Hi, I'm getting the following in my local repo (on my machine) regarding hoek:

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > request > hawk > boom > hoek                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > request > hawk > cryptiles > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > request > hawk > hoek                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > request > hawk > sntp > hoek                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 21 moderate severity vulnerabilities in 57568 scanned packages
  21 vulnerabilities require manual review. See the full report for details.

And I can't for the life of me get rid of these vulnerabilities. GitHub is also not allowing me to push my build to gh-pages because of them. How can I rectify the matter? There might be a couple of other dependencies included here. Disregard those. Thanks!
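
The "Prototype pollution" label in that output names a bug class without showing it. As an added illustration (not hoek's code, and not from anyone in this thread), here is a generic recursive merge of the kind used to layer user-supplied options over defaults, in a vulnerable form beside a hardened one; the function names and the JSON payload are constructed for the example. The hardened version is the check a reviewer wants in any deep-merge or "apply to defaults" helper: refuse the `__proto__`, `constructor` and `prototype` keys, descend only into plain objects, and only reuse a nested object the target itself owns.

```javascript
// Added example, not hoek's code and not from this thread: a minimal
// recursive merge in a vulnerable and a hardened form. Names are constructed.

// Vulnerable: walks every own key of `source`, "__proto__" included. Reading
// target["__proto__"] yields Object.prototype, so the recursion then writes
// attacker-chosen keys onto the prototype shared by every plain object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge reach the prototype chain: "__proto__" directly,
// "constructor" followed by "prototype" indirectly.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' &&
    Object.getPrototypeOf(value) === Object.prototype;
}

// Hardened: refuses the blocked keys, only descends into plain objects, and
// only reuses a nested target object that `target` itself owns (an own-property
// check, so a lookup can never fall through to the prototype).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Applies `merge` to a constructed payload shaped like untrusted JSON input
// and reports whether an unrelated object created afterwards picked up the
// injected property. Cleans Object.prototype afterwards either way.
function demonstrate(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  const config = merge({ name: 'default', nested: { keep: 1 } }, payload);
  const unrelated = {};
  const leaked = unrelated.polluted === true;
  delete Object.prototype.polluted;
  return { leaked, name: config.name, keep: config.nested.keep };
}

console.log('unsafeMerge leaks:', demonstrate(unsafeMerge).leaked); // true
console.log('safeMerge leaks:  ', demonstrate(safeMerge).leaked);   // false
```

Running it prints `true` for the unsafe merge and `false` for the safe one. The point to notice is that the leak is process-wide: after the unsafe merge, every plain object created anywhere in the process carries the injected property, so the damage is not confined to the object being merged.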

inunotaisho commented 6 years ago

This issue may seem like a non-issue, but it is starting to get really annoying.

nlf commented 6 years ago

This issue is a non-issue. I will not set a precedent for maintaining a three year old release. Update your dependencies. If you have a dependency that uses a three year old version of one of its dependencies and won’t update, it sounds to me like you need to find a replacement for it.

Once again, I repeat, I will not patch hoek@2.x. It won’t happen. I won’t merge it if someone else patches it either. You don’t maintain ancient versions of your libraries so don’t expect me to.
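
To put that advice into practice against the output quoted earlier in the thread, here is an added example (not from npm, hoek or anyone here) that parses the box-drawn `npm audit` tables and groups findings by the direct dependency through which the vulnerable package is reached, production entries first. The sample input is constructed in the same format: two of its tables mirror the hoek entries from the thread, and the third uses the placeholder name `example-app-dep` to show a non-dev dependency. Function names are also constructed.

```javascript
// Added example, not code from npm, hoek or anyone in this thread.
// Parses box-drawn `npm audit` tables and groups the findings by the direct
// dependency that pulls the vulnerable package in, so it is clear which
// package.json entry has to be updated or replaced.

// Constructed sample in the same format as the thread's output. The first
// two tables mirror entries from the page; "example-app-dep" is a placeholder
// standing in for a non-dev dependency.
const SAMPLE_AUDIT = `
┌───────────────┬────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                        │
├───────────────┼────────────────────────────────────────────┤
│ Package       │ hoek                                       │
├───────────────┼────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                │
├───────────────┼────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                            │
├───────────────┼────────────────────────────────────────────┤
│ Path          │ node-sass > request > hawk > boom > hoek   │
├───────────────┼────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566     │
└───────────────┴────────────────────────────────────────────┘
┌───────────────┬────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                        │
├───────────────┼────────────────────────────────────────────┤
│ Package       │ hoek                                       │
├───────────────┼────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                │
├───────────────┼────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                            │
├───────────────┼────────────────────────────────────────────┤
│ Path          │ node-sass > request > hawk > hoek          │
├───────────────┼────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566     │
└───────────────┴────────────────────────────────────────────┘
┌───────────────┬────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                        │
├───────────────┼────────────────────────────────────────────┤
│ Package       │ hoek                                       │
├───────────────┼────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                │
├───────────────┼────────────────────────────────────────────┤
│ Dependency of │ example-app-dep                            │
├───────────────┼────────────────────────────────────────────┤
│ Path          │ example-app-dep > boom > hoek              │
├───────────────┼────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566     │
└───────────────┴────────────────────────────────────────────┘
found 3 moderate severity vulnerabilities in 3 scanned packages
`;

const FIELD_MAP = {
  'Package': 'package', 'Patched in': 'patchedIn',
  'Dependency of': 'dependencyOf', 'Path': 'path', 'More info': 'moreInfo',
};

// Turns each box-drawn table into a plain object; lines outside a table
// (such as the trailing "found N ... vulnerabilities" summary) are ignored.
function parseAuditTables(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('┌')) { current = {}; continue; }                 // table start
    if (line.startsWith('└')) { if (current) findings.push(current); current = null; continue; }
    if (!current || !line.startsWith('│')) continue;                      // skip ├ separators
    const [key, value] = line.split('│').slice(1, -1).map((c) => c.trim());
    if (current.severity === undefined) {                                  // first row: severity + title
      current.severity = key; current.title = value; continue;
    }
    const field = FIELD_MAP[key];
    if (field === 'dependencyOf') {
      const m = /^(\S+)(\s+\[dev\])?$/.exec(value);
      current.dependencyOf = m[1]; current.dev = Boolean(m[2]);
    } else if (field === 'path') {
      current.path = value.split(' > ');
    } else if (field) {
      current[field] = value;
    }
  }
  return findings;
}

// Groups findings by direct dependency, production dependencies first, and
// collapses the many paths to one vulnerable package into a single entry.
function triage(findings) {
  const groups = new Map();
  for (const f of findings) {
    if (!groups.has(f.dependencyOf)) {
      groups.set(f.dependencyOf, { direct: f.dependencyOf, dev: f.dev, vulnerable: new Map() });
    }
    const vuln = groups.get(f.dependencyOf).vulnerable;
    if (!vuln.has(f.package)) {
      vuln.set(f.package, { package: f.package, title: f.title, severity: f.severity, patchedIn: f.patchedIn, paths: [] });
    }
    vuln.get(f.package).paths.push(f.path.join(' > '));
  }
  return [...groups.values()]
    .map((g) => ({ ...g, vulnerable: [...g.vulnerable.values()] }))
    .sort((a, b) => Number(a.dev) - Number(b.dev) || a.direct.localeCompare(b.direct));
}

// Renders the action list. The fix always lives at the direct dependency,
// because the vulnerable package is only reachable through it.
function formatReport(groups) {
  return groups.map((g) => {
    const scope = g.dev ? 'dev only' : 'production';
    const items = g.vulnerable.map((v) =>
      `  ${v.package}: ${v.title} (${v.severity}), needs ${v.patchedIn}, ${v.paths.length} path(s)`);
    return [`${g.direct} [${scope}]: update to a release whose tree satisfies the ranges below, or replace it`, ...items].join('\n');
  }).join('\n');
}

console.log(formatReport(triage(parseAuditTables(SAMPLE_AUDIT))));
```

On the constructed input the report lists `example-app-dep [production]` first and then `node-sass [dev only]`, each with one hoek entry and the number of paths through which it is reached. For a real run, feed the script the text of `npm audit` instead of `SAMPLE_AUDIT`; the split between production and dev-only groups is what tells you whether the finding reaches shipped code or only the build toolchain, and the direct dependency named in each group is the one whose own dependency chain has to move.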

juanjzv commented 5 years ago

So is there any other solution to fix the problem of several packages depending on obsolete versions of hoek apart from @takahser's solution?

WesTyler commented 5 years ago

No, those packages need to update their dependencies.

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.