Closed robeverett closed 6 years ago
https://nodesecurity.io/advisories/566
This tells me to update to 4.2.1 or 5.0.3 or later. How do you do that ?
I'm having the same problem; I'm on version 5.0.3 and get similar errors.
Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of gulp-sass [dev] Path gulp-sass > node-sass > node-gyp > request > hawk > boom > hoek More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of gulp-sass [dev] Path gulp-sass > node-sass > node-gyp > request > hawk > cryptiles > boom > hoek More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of gulp-sass [dev] Path gulp-sass > node-sass > node-gyp > request > hawk > hoek More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of gulp-sass [dev] Path gulp-sass > node-sass > node-gyp > request > hawk > sntp > hoek More info https://nodesecurity.io/advisories/566
found 4 moderate severity vulnerabilities in 19523 scanned packages 4 vulnerabilities require manual review. See the full report for details.
Those are the errors I keep getting.
To update, you just have to do npm i --save-dev hoek; that will update hoek to 5.0.3. However, that doesn't fix the problem.
however that doesn't fix the problem
The problem has already been fixed in Hoek. The problem now is that your versions of npm and gulp-sass need to be updated so that they are not using out-of-date versions of Hoek.
For gulp-sass, their latest version has some extremely stale dependencies:
└─┬ gulp-sass@4.0.1
  └─┬ node-sass@4.9.2
    └─┬ node-gyp@3.7.0
      └─┬ request@2.81.0
        └─┬ hawk@3.1.3
          ├─┬ boom@2.10.1
          │ └── hoek@2.16.3 deduped
          ├── hoek@2.16.3
          └─┬ sntp@1.0.9
            └── hoek@2.16.3
With npm it appears node-gyp > request > hawk > sntp > hoek is again the bottleneck. For what it's worth I followed up and the path to hoek@2.x has been removed entirely in node-gyp@4.0.0 over a month ago.
npm@5.6.0
├─┬ npm-lifecycle@2.0.3
│ └─┬ node-gyp@3.7.0
│   └─┬ request@2.81.0
│     └─┬ hawk@3.1.3
│       ├─┬ boom@2.10.1
│       │ └── hoek@2.16.3 deduped
│       ├── hoek@2.16.3
│       └─┬ sntp@1.0.9
│         └── hoek@2.16.3 deduped
Honestly it looks like the holdup here is specifically the node-gyp@3.x.x release line. The latest version, 3.7.0, is limiting request@<2.82.0 here. Request, in its part, removed hawk (and therefore the stale version of Hoek) in version 2.87.0. So it seems (without digging through any more codebases I am unfamiliar with) that node-gyp version 3 needs a patch to use request 2.87.0, or npm-lifecycle and node-sass need to update to node-gyp@4.0.0.
At any rate, there's nothing the maintainers on Hoek can do at this point, so I'm going to go ahead and close this.
Also, for what it's worth, I opened a PR to node-gyp's 3.x line here, so with any luck this continuing problem will go away...
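The audit output and dependency chains discussed in this thread, as an added example that is not code from the thread or from hoek: it parses the npm audit lines quoted above (copied verbatim as constructed input), checks a hoek version against the "Patched in" range, and finds the chain of packages shared by every vulnerable path, which is the part of the tree that has to move before hoek can.

```javascript
// Added example, not code from the thread or from hoek: parse the `npm audit`
// lines quoted in this thread, check a hoek version against its "Patched in"
// range, and find the dependency chain shared by every vulnerable path.
const auditLines = [ // three of the audit lines quoted above, verbatim
  "Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of gulp-sass [dev] Path gulp-sass > node-sass > node-gyp > request > hawk > boom > hoek More info https://nodesecurity.io/advisories/566",
  "Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of gulp-sass [dev] Path gulp-sass > node-sass > node-gyp > request > hawk > sntp > hoek More info https://nodesecurity.io/advisories/566",
  "Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of npm Path npm > libcipm > npm-lifecycle > node-gyp > request > hawk > boom > hoek More info https://nodesecurity.io/advisories/566",
];

// Split one audit line into its fields; the path becomes an array of package names.
function parseAuditLine(line) {
  const m = line.match(/^(\w+) (.+?) Package (\S+) Patched in (.+?) Dependency of (\S+)(?: \[dev\])? Path (.+?) More info (\S+)$/);
  if (!m) throw new Error("unrecognised audit line: " + line);
  return { severity: m[1], title: m[2], pkg: m[3], patched: m[4].trim(),
           dependencyOf: m[5], path: m[6].split(" > "), url: m[7] };
}

// Numeric compare of two "x.y.z" strings: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map(v => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Does `version` satisfy a range such as "> 4.2.0 < 5.0.0 || >= 5.0.3"?
// "||" separates alternatives; every comparator inside one alternative must hold.
function satisfies(version, range) {
  return range.split("||").some(clause => {
    const comps = [...clause.matchAll(/(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)/g)];
    return comps.length > 0 && comps.every(([, op, v]) => {
      const c = compareVersions(version, v);
      return op === ">" ? c > 0 : op === ">=" ? c >= 0 : op === "<" ? c < 0
           : op === "<=" ? c <= 0 : c === 0;
    });
  });
}

// True when `seg` occurs as a contiguous run inside `path`.
const containsSegment = (path, seg) => path.some((_, i) => seg.every((n, j) => path[i + j] === n));

// Longest run of packages present, in order, in every vulnerable path: the
// chain that must move before hoek can (here node-gyp > request > hawk).
function commonChain(lines) {
  const paths = lines.map(l => parseAuditLine(l).path);
  for (let len = paths[0].length; len > 0; len--) {
    for (let start = 0; start + len <= paths[0].length; start++) {
      const seg = paths[0].slice(start, start + len);
      if (paths.every(p => containsSegment(p, seg))) return seg;
    }
  }
  return [];
}
```

Running `satisfies("2.16.3", ...)` against the advisory's range returns false, which is why the deduped hoek@2.16.3 entries in the trees above keep the audit findings alive even after hoek@5.0.3 is installed at the top level.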
This is after I type npm audit in the command prompt; I get this twenty times:
Moderate Prototype pollution Package hoek Patched in > 4.2.0 < 5.0.0 || >= 5.0.3 Dependency of npm Path npm > libcipm > npm-lifecycle > node-gyp > request > hawk > boom > hoek More info https://nodesecurity.io/advisories/566