ipfs / js-ipfsd-ctl

Control an IPFS daemon (go-ipfs or js-ipfs) using JavaScript!
https://ipfs.github.io/js-ipfsd-ctl

Transitive dep hapi@16 > cryptiles@3.1.4 triggers incorrect security advisory warnings on github #312

Closed olizilla closed 4 years ago

olizilla commented 5 years ago

The ipfs-desktop repo has an incorrect security advisory on its transitive dep on cryptiles, which it gets via ipfsd-ctl > hapi > cryptiles.

$ npm ls cryptiles
ipfs-desktop@1.0.0 /Users/oli/Code/ipfs-shipyard/ipfs-desktop
└─┬ ipfsd-ctl@0.40.0
  └─┬ hapi@16.7.0
    ├── cryptiles@3.1.4 
    ├─┬ iron@4.0.5
    │ └── cryptiles@3.1.4  deduped
    └─┬ statehood@5.0.3
      └── cryptiles@3.1.4  deduped

The alert https://github.com/ipfs-shipyard/ipfs-desktop/network/alert/package-lock.json states we have to upgrade to cryptiles>=4.1.2 which would only be possible by updating to hapi@17.

(screenshot of the GitHub security alert, taken 2018-12-04 10:18:07)

But here we see the fix for the issue backported and released in cryptiles@3.1.3.

This is just a record of the digging I did so others can rest easy. As long as you see cryptiles>=3.1.3 you can ignore the alert. It's annoying, I know.
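The check described in this comment, "find every copy of cryptiles in the tree and confirm each is at or above the backported fix", can be scripted instead of read off `npm ls`. The following is an added example written for this page; it is not code from js-ipfsd-ctl, ipfs-desktop or the issue author. It walks a tree shaped like `npm ls --json` output (the sample below is constructed by hand from the text tree quoted in the issue, not captured from npm), collects every node named `cryptiles` with the path that leads to it, and decides whether each copy is patched given one fixed version per major line, so that the backport on the 3.x line counts even though the advisory only names 4.1.2. The "fixed per major line" policy in `isPatched`, and the treatment of major lines older or newer than every listed fix, are choices made for this example, not a rule from the advisory.

```javascript
"use strict";

// Constructed sample shaped like `npm ls --json` output for the tree quoted
// in the issue (ipfs-desktop > ipfsd-ctl > hapi > cryptiles). Not real npm
// output; deduped copies are represented as ordinary nodes with a version.
const SAMPLE_TREE = {
  name: "ipfs-desktop",
  version: "1.0.0",
  dependencies: {
    "ipfsd-ctl": {
      version: "0.40.0",
      dependencies: {
        hapi: {
          version: "16.7.0",
          dependencies: {
            cryptiles: { version: "3.1.4" },
            iron: {
              version: "4.0.5",
              dependencies: { cryptiles: { version: "3.1.4" } },
            },
            statehood: {
              version: "5.0.3",
              dependencies: { cryptiles: { version: "3.1.4" } },
            },
          },
        },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any "-prerelease"
// suffix are ignored) into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Policy chosen for this example: a version is patched if it is at or above
// the fix released on its own major line, or if its major line is newer than
// every listed fix. Major lines older than every listed fix are treated as
// vulnerable (no backport is known for them).
function isPatched(version, fixedVersions) {
  const major = parseVersion(version)[0];
  const sameLine = fixedVersions.filter((f) => parseVersion(f)[0] === major);
  if (sameLine.length > 0) {
    return sameLine.some((f) => compareVersions(version, f) >= 0);
  }
  const newestFixedMajor = Math.max(
    ...fixedVersions.map((f) => parseVersion(f)[0])
  );
  return major > newestFixedMajor;
}

// Depth-first walk collecting every node named `target`, with the chain of
// package@version entries leading to it. Deduped entries in `npm ls` still
// carry a version, so every copy is reported, not only the first.
function findPackage(tree, target) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) hits.push({ version: node.version, path: here });
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Report each copy of `target` together with its patched/vulnerable verdict.
function auditPackage(tree, target, fixedVersions) {
  return findPackage(tree, target).map((hit) => ({
    ...hit,
    patched: isPatched(hit.version, fixedVersions),
  }));
}

// cryptiles: fix backported to 3.1.3 on the 3.x line and shipped in 4.1.2.
for (const r of auditPackage(SAMPLE_TREE, "cryptiles", ["3.1.3", "4.1.2"])) {
  console.log(`${r.patched ? "ok  " : "VULN"} ${r.path.join(" > ")}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json` (or `npm ls cryptiles --json`); the walk only relies on the `name`, `version` and `dependencies` keys. The fixed-version list is the thing to get right: an alert that names only the newest line will flag 3.1.4 as vulnerable, while this check passes it because 3.1.3 is listed as the 3.x fix.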

achingbrain commented 5 years ago

This should be fixed by #353, as it upgrades hapi to v18, which depends on @hapi/cryptiles@4.2.0.