
Github security warning for `hoek`


Bug Report or Feature Request (mark with an x)

- [X] bug report -> please search issues before submitting

Versions

Angular CLI: 6.1.1
Node: 10.7.0
OS: linux x64
Angular: 6.1.0
… animations, common, compiler, compiler-cli, core, forms
… http, language-service, platform-browser
… platform-browser-dynamic, router

Package                          Version
@angular-devkit/architect        0.6.8
@angular-devkit/build-angular    0.6.8
@angular-devkit/build-optimizer  0.6.8
@angular-devkit/core             0.6.8
@angular-devkit/schematics       0.7.1
@angular/cdk                     6.4.1
@angular/cli                     6.1.1
@angular/material                6.4.1
@ngtools/webpack                 6.0.8
@schematics/angular              0.7.1
@schematics/update               0.7.1
rxjs                             6.2.2
typescript                       2.7.2
webpack                          4.8.3

Repro steps

  • ng new my-app
  • push my-app to github

You can use yarn why to see why we have hoek

  • yarn why hoek
=> Found "hoek@2.16.3"
info Reasons this module exists
   - "@angular-devkit#build-angular#node-sass#node-gyp#request#hawk" depends on it

The log given by the failure

(screenshot of the GitHub security alert, not reproduced here)

This links to: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Desired functionality

Remove or bump dependency on node-sass to remove dependency on reported vulnerability in hoek.
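The alert the issue links to, CVE-2018-3728, is a prototype-pollution flaw in hoek's recursive merge: a key named `__proto__` in the source object is used to index the target, so the merge walks into `Object.prototype` and writes attacker-chosen properties onto every object in the process. The following is an added example, not hoek's source nor code from the Angular CLI or the issue author: a toy deep merge with the same class of bug, beside a hardened version that refuses to follow prototype keys, and a probe that reports whether a merge of a constructed "untrusted" JSON document polluted `Object.prototype`. The function names, the defaults object and the JSON payload are all invented for the demo.

```javascript
// Added example (not hoek's code, not the Angular CLI's): a merge with the
// CVE-2018-3728 class of flaw next to a hardened one. The "untrusted" JSON
// below is constructed for the demo.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: every source key is used to index the target. For a key of
// "__proto__" the property access returns Object.prototype, which looks like
// a plain object, so the recursion descends into it and writes there.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that would let the recursion reach the prototype chain, either
// directly ("__proto__") or via obj.constructor.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip prototype keys and only recurse into the target's own
// plain-object properties, never into inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges one attacker-controlled JSON document into fresh defaults with the
// given merge function and reports whether a brand-new object afterwards
// carries the injected property. Cleans up so one probe does not taint the next.
function pollutionProbe(merge) {
  const defaults = { retries: 3, tls: { verify: true } };
  // Constructed payload: a legitimate override plus a prototype-pollution key.
  // JSON.parse creates an own property literally named "__proto__".
  const untrusted = JSON.parse(
    '{"tls":{"verify":false},"__proto__":{"isAdmin":true}}'
  );
  merge(defaults, untrusted);
  const leaked = ({}).isAdmin === true; // fresh object should not have isAdmin
  delete Object.prototype.isAdmin;
  return { merged: defaults, leaked };
}

console.log('vulnerable merge polluted Object.prototype:', pollutionProbe(mergeVulnerable).leaked); // true
console.log('hardened merge polluted Object.prototype:', pollutionProbe(mergeSafe).leaked);         // false
```

The hardened version deliberately drops a source key literally named `constructor`; if an application needs that key, merging into objects created with `Object.create(null)` is the alternative, since such targets have no prototype chain to walk. Either way the point for the issue above is that the bug is reachable only when hoek merges attacker-controlled input, which is why a build-time-only use (node-sass via node-gyp) is lower risk than the alert suggests, though the dependency bump is still the right fix.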

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
clydin commented, Jul 29, 2018

To fully rectify the issue for all users, this PR (https://github.com/nodejs/node-gyp/pull/1471) is required for node-gyp followed by a release and version bump in node-sass and finally a version bump on the CLIs end.

0 reactions
angular-automatic-lock-bot[bot] commented, Sep 8, 2019

This issue has been automatically locked due to inactivity. Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.


Top Results From Across the Web

hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with...
Security alert (hoek package) · Issue #6399 - GitHub
My npm audit has 18 vulnerabilities, all dependencies of Semantic-UI's build process. As none are public facing, there's no need for concern.
Nose Security warning (hoek) · Issue #12 · ConsenSys/abi ... - GitHub
Nose Security warning (hoek) #12 ... webpack@2.7.0 > watchpack@1.5.0 > chokidar@2.0.2 > fsevents@1.1.3 > node-pre-gyp@0.6.39 > hawk@3.1.3 > hoek@2.16.3.
Vulnerability in hoek package · Issue #2926 · request ... - GitHub
According to what I have been told from other packages, it's a false positive from github. There is no vulnerability in that version...
hoek dependency potential security vulnerability #687 - GitHub
Github sent me the message: We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json ...
