Vulnerable dependencies in 1.1.4

Version 1.1.4 (the latest version as of this writing) has dependencies with known security vulnerabilities. Thank you in advance for looking into this! 😄

Is this a bug report?

Yes

Did you try recovering your dependencies?

Yes

Which terms did you search for in User Guide?

security, vulnerability, hoek

Environment

1. node -v: v8.11.1
2. npm -v: 6.0.0
3. yarn --version (if you use Yarn): N/A
4. npm ls react-scripts (if you haven’t ejected):

ganymede@0.1.0 /home/rdebeasi/Projects/ganymede
└── react-scripts@1.1.4 

1. Operating system: Fedora 27
2. Browser and version (if relevant): N/A

Steps to Reproduce

1. Test react-scripts 1.1.4 on Snyk
2. Create a new project with create-react-app
3. Run npm install
4. Run npm ls hoek

Expected Behavior

• Snyk finds no vulnerabilities in create-react-app.
• react-scripts relies on a version of hoek newer than 5.0.3 or 4.2.1.

Actual Behavior

• Snyk finds 2 medium severity vulnerabilities and 4 low severity vulnerabilities.
• react-scripts relies on hoek 4.2.1, which is affected by CVE-2018-3728. (I noticed this issue because GitHub flagged hoek as a vulnerability in my create-react-app project.)

[rdebeasi@rdebeasi ganymede]$ npm ls hoek
ganymede@0.1.0 /home/rdebeasi/Projects/ganymede
└─┬ react-scripts@1.1.4
  └─┬ jest@20.0.4
    └─┬ jest-cli@20.0.4
      └─┬ jest-environment-jsdom@20.0.3
        └─┬ jsdom@9.12.0
          └─┬ request@2.85.0
            └─┬ hawk@6.0.2
              ├─┬ boom@4.3.1
              │ └── hoek@4.2.1  deduped
              ├─┬ cryptiles@3.1.2
              │ └─┬ boom@5.2.0
              │   └── hoek@4.2.1  deduped
              ├── hoek@4.2.1 
              └─┬ sntp@2.1.0
                └── hoek@4.2.1  deduped

See also “Security vulnerability: hoek” in the Jest repo

Reproducible Demo

N/A