nzec closed this 6 years ago
Github is wrong, nothing we can do.
See comments here: https://github.com/hapijs/hoek/issues/230#issuecomment-384816142
It's not github that's wrong. It's the CVE report that's wrong.
All references mentioned have been updated now but the main report is still outdated.
I submitted a request to update the CVE, hopefully that’ll happen soon and GitHub can get their db updated. Until that happens this is all out of my hands. I’m leaving this open in the hopes other people will find it.
it was a good reminder of the alarm system here on git..... I have 3 git accounts in multiple orgs and get 40 notifications at once lol I added a discord channel called
how do we prevent things like this in the future?
It looks like it has been updated:
Same issue. The alerts are getting annoying.
Still showing up on GitHub today
Is this warning also incorrect for 2.16.3? Or is that a genuine problem?
2.16.3 was released 3.5 years ago and is way beyond end of life; the issue is probably there and won't be patched.
Hey y'all,
I work on the team that accidentally sent out all the extra alerts
We're sorry! We went by the CVE feed, and we didn't realize that the patch had been backported. From here on out, we'll be more careful when validating the information we alert on.
We fixed the versions we alert on back on Monday, and I personally deleted all the bad alerts earlier today. I can't do anything about the emails that got sent out, but GitHub should no longer be telling anyone about 4.2.1 being bad.
On a related note, if anyone has any ideas on how to improve the alerting product we always love feedback.
Thanks,
This alert also happens with snyk: https://snyk.io/test/npm/hoek/2.16.3?severity=high&severity=medium&severity=low
And nsp also reports this package as vulnerable.
> nsp check
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│ │ Prototype pollution attack │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name │ hoek │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS │ 4 (Medium) │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed │ 2.16.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path │ vue_docker@0.1.0 > node-sass@4.9.0 > request@2.79.0 > hawk@3.1.3 > │
│ │ hoek@2.16.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info │ https://nodesecurity.io/advisories/566 │
└────────────┴────────────────────────────────────────────────────────────────────┘
There is incorrect information in so many databases. It will take a lot of time to get things right.
The alert pasted there is correct: you have version 2.16.3, which is over 3 years old. The version that was flagged incorrectly was 4.2.1.
GitHub has corrected the issue for 4.2.1, so I'm closing this.
So just to clarify for anyone referencing this issue 2.16.3 DOES have a security vulnerability and should be updated to a more recent version if a library is depending on it?
I'm just asking because several issues referencing this vulnerability received clarification that it was a false positive, and assumed all alerts involving a security vulnerability with hoek were false positives.
2.16.3 DOES have a security vulnerability and should be updated
Correct
Okay, so I have this issue as well, with several packages depending on the obsolete hoek version, and none of them have updated the dependency yet.
Is there an easy way to fix this? I tried to add hoek to the package.json, but apparently that won't affect the hoek version when it is installed as a child dependency of other packages.
Do I really have to look up all dependency chains that lead to hoek and overwrite them using an npm shrinkwrap (it's the only solution I found so far)?
Thanks.
EDIT
Since there doesn't seem to be a better way, I actually traced back the dependencies that use hoek in my app and declared the safe version in the shrinkwrap. In my case it was used by the karma package, so if anybody has this problem with that package, you can probably just copy my config:
{
  "dependencies": {
    "karma": {
      "version": "2.0.0",
      "from": "karma@2.0.0",
      "dependencies": {
        "chokidar": {
          "version": "1.7.0",
          "from": "chokidar@1.7.0",
          "dependencies": {
            "fsevents": {
              "version": "1.1.3",
              "from": "fsevents@1.1.3",
              "dependencies": {
                "hawk": {
                  "version": "3.1.3",
                  "from": "hawk@3.1.3",
                  "dependencies": {
                    "boom": {
                      "version": "2.10.1",
                      "from": "boom@2.10.1",
                      "dependencies": {
                        "hoek": {
                          "version": "5.0.3",
                          "from": "hoek@5.0.3"
                        }
                      }
                    },
                    "cryptiles": {
                      "version": "2.0.5",
                      "from": "cryptiles@2.0.5",
                      "dependencies": {
                        "hoek": {
                          "version": "5.0.3",
                          "from": "hoek@5.0.3"
                        }
                      }
                    },
                    "hoek": {
                      "version": "5.0.3",
                      "from": "hoek@5.0.3"
                    },
                    "sntp": {
                      "version": "1.0.9",
                      "from": "sntp@1.0.9",
                      "dependencies": {
                        "hoek": {
                          "version": "5.0.3",
                          "from": "hoek@5.0.3"
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "boom": {
      "version": "2.10.1",
      "from": "boom@2.10.1",
      "dependencies": {
        "hoek": {
          "version": "5.0.3",
          "from": "hoek@5.0.3"
        }
      }
    },
    "cryptiles": {
      "version": "2.0.5",
      "from": "cryptiles@2.0.5",
      "dependencies": {
        "hoek": {
          "version": "5.0.3",
          "from": "hoek@5.0.3"
        }
      }
    },
    "hoek": {
      "version": "5.0.3",
      "from": "hoek@5.0.3"
    },
    "sntp": {
      "version": "1.0.9",
      "from": "sntp@1.0.9",
      "dependencies": {
        "hoek": {
          "version": "5.0.3",
          "from": "hoek@5.0.3"
        }
      }
    }
  }
}
(after that, just run npm install and you're done)
I received a warning on GitHub about startbootstrap-grayscale-gh-pages/package-lock.json being vulnerable. So, is this incorrect? CVE is common Threats and Vulnerabilities? Can I search this warning out or is GitHub just overreacting? Thanks
If the version is lower than 4.2.1, or in the 5.x line before 5.0.3 then yes you need to upgrade the Hoek version.
Thanks how do I update? I’m learning to code and haven’t dealt with this before. Can you advise? Thanks
On May 15, 2018, at 6:20 AM, Wes Tyler notifications@github.com wrote:
If the version is lower than 4.2.1, or in the 5.x line before 5.0.3 then yes you need to upgrade the Hoek version.
If you run npm install hoek@4.2.x or npm install hoek@5 in your project, it will grab the latest matching version and should automatically update your package-lock.json :)
Thanks, sorry if I might sound a little clueless on this, but would I run this in the command line, or is there a bit of code I need to run in the HTML code? I'm new to this and don't understand the process yet. Thanks
On May 15, 2018, at 7:47 AM, Wes Tyler notifications@github.com wrote:
If you run npm install hoek@4.2.x or npm install hoek@5 in your project, it will grab the latest matching version and should automatically update your package-lock.json :)
No worries! We all start from the beginning at some point :)
You will run the npm install in the command line, while you are inside of the project directory.
Hi Wes, I went through the steps and I think it updated the package-lock.json. Is there a way to check if it did or not? Thanks again for the help.
On Tue, May 15, 2018 at 7:47 AM, Wes Tyler notifications@github.com wrote:
If you run npm install hoek@4.2.x or npm install hoek@5 in your project, it will grab the latest matching version and should automatically update your package-lock.json :)
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/hapijs/hoek/issues/247#issuecomment-389194399, or mute the thread.
Hi, I'm getting the following in my local repo (on my machine) re hoek:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > request > hawk > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > request > hawk > cryptiles > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > request > hawk > sntp > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 21 moderate severity vulnerabilities in 57568 scanned packages
21 vulnerabilities require manual review. See the full report for details.
And I can't for the life of me get rid of these vulnerabilities. Github is also not allowing me to push my build to gh-pages because of them. How can I rectify the matter? There might be a couple of other dependencies included here. Disregard those. Thanks!
This issue may seem like a non-issue, but it is starting to get really annoying.
This issue is a non-issue. I will not set a precedent for maintaining a three year old release. Update your dependencies. If you have a dependency that uses a three year old version of one of its dependencies and won’t update, it sounds to me like you need to find a replacement for it.
Once again, I repeat, I will not patch hoek@2.x. It won’t happen. I won’t merge it if someone else patches it either. You don’t maintain ancient versions of your libraries so don’t expect me to.
So is there any other solution to the problem of several packages depending on obsolete versions of hoek, apart from @takahser's solution?
No, those packages need to update their dependencies.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
So I have got this repository: https://github.com/duttaditya18/learn-node-js
It has got this as a dependency.
GitHub is showing me that there is a vulnerability in this dependency.
See this: ![GitHub message](https://i.imgur.com/QWFY2c2.png)
The link takes us to: https://nvd.nist.gov/vuln/detail/CVE-2018-3728
I am not using this in production. But, is this something to be worried about? And what does this mean? I want to know.