Closed econnally closed 6 years ago
MathJax-node has `jsdom` as a dependency, and that in turn has `request` as a dependency, which requires `hawk`, which uses `hoek`. It looks like `hawk` has updated their version of `hoek`, but that `request` is using an old version of `hawk`. Unfortunately, we can't fix those dependencies from our end (at least I don't see how). The maintainers of `request` would need to update their dependency to include a higher version of `hawk`.
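The comment above describes the usual shape of this problem: a fixed copy of a package can sit at the top of the tree while an older copy is still nested under a transitive dependency, and the alert is only meaningful for the copy that is actually pulled in. The script below is an added example, not code from MathJax-node or any of the projects named here. It walks a lockfileVersion 1 style `package-lock.json` object (the nested `dependencies` / `version` layout), lists every copy of a named package with the path that pulls it in, and compares each copy against a caller-supplied list of "first fixed" versions. The lock-file data and all version numbers in it are constructed for the demo, and the `fixedIn` values passed at the bottom are placeholders; take the real fixed ranges from the advisory before trusting the verdict.

```javascript
// Added example (not from the MathJax-node project): audit every copy of a
// package in an npm v1-style lock tree. All data below is constructed.

// Constructed, simplified package-lock.json fragment; versions are made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  dependencies: {
    jsdom: {
      version: "11.0.0",
      dependencies: {
        request: {
          version: "2.85.0",
          dependencies: {
            hawk: {
              version: "6.0.0",
              dependencies: {
                hoek: { version: "4.1.0" }, // nested, older copy
              },
            },
          },
        },
      },
    },
    hoek: { version: "5.0.3" }, // hoisted, newer copy
  },
};

// Parse "MAJOR.MINOR.PATCH" into three numbers; pre-release/build suffixes are dropped.
function parseSemver(v) {
  const [core] = v.split(/[-+]/);
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested lock tree. Returns one entry per copy of
// `name`, with the chain of packages that pulls that copy in.
function findPackageCopies(lock, name) {
  const hits = [];
  function walk(deps, trail) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) hits.push({ path, version: info.version });
      walk(info.dependencies, path);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// fixedIn lists the first fixed version of each maintained major line
// (placeholder values in the demo call below). A copy is "fixed" when it is
// at or above the fixed version of its own major line; a major line with no
// entry is treated as unfixed, which is the conservative choice.
function isFixed(version, fixedIn) {
  const major = parseSemver(version)[0];
  const line = fixedIn.find((f) => parseSemver(f)[0] === major);
  return line !== undefined && compareSemver(version, line) >= 0;
}

// Combine the walk and the version check into one report.
function auditPackage(lock, name, fixedIn) {
  return findPackageCopies(lock, name).map((hit) => ({
    ...hit,
    pathString: hit.path.join(" > "),
    fixed: isFixed(hit.version, fixedIn),
  }));
}

// Demo run. The fixedIn values are placeholders, not taken from the advisory.
for (const row of auditPackage(SAMPLE_LOCK, "hoek", ["4.2.1", "5.0.3"])) {
  console.log(`${row.pathString}@${row.version}: ${row.fixed ? "fixed" : "NOT fixed"}`);
}
```

Run with `node audit.js` after pasting a real lock tree in place of `SAMPLE_LOCK` (for example `JSON.parse(fs.readFileSync("package-lock.json"))`). The useful output is the path column: a "NOT fixed" copy reached through `jsdom > request > hawk` tells you the fix has to land upstream in that chain, which is exactly the situation the comment above describes, whereas a hoisted top-level copy that is already fixed does not remove the nested one.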
FWIW sounds like a false positive by GitHub: https://github.com/request/request/issues/2926#issuecomment-385087487
Thanks for the pointers to the issue. Glad to see that it is not really a vulnerability!
Here's GitHub's response. TL;DR: they've gone through and deleted the bad alerts, and promised to be better about validating if security vulnerabilities are legit before putting alerts out.
FYI the hoek node module is popping up on our dependency graph with this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-3728