Vulnerabilities introduced by package hoek
Hi @matthew-dean @lukeapage, there are 2 vulnerabilities in your package:
Issue Description
2 vulnerabilities, CVE-2018-3728 and npmjs-advisories-566, were detected in package hoek@2.16.3, which is transitively referenced by less@2.7.3. We noticed that such vulnerabilities have been removed since less@3.0.2.
However, less’s popular previous version less@2.7.3 (217,198 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 12,232 downstream projects, e.g., safecheck-client 3.0.8-aode-11, telephone-clients 3.0.57-8, apply-clients 3.0.7-125, weaver-mobile 1.17.8, css-inliner 2.0.0, @felixrieseberg/electron-prebuilt-compile@9.4.4, etc.). As such, issues CVE-2018-3728 and npmjs-advisories-566 can be propagated into these downstream projects and expose them to security threats.
These projects cannot easily upgrade less from version 2.7.3 to 3.*.*. For instance, less@2.7.3 is introduced into the above projects via the following package dependency path:
(1)@felixrieseberg/electron-prebuilt-compile@9.4.4 ➔ electron-compilers@5.9.0 ➔ less@2.7.3 ➔ request@2.81.0 ➔ hawk@3.1.3 ➔ boom@2.10.1 ➔ hoek@2.16.3
…
Projects such as electron-compilers, which introduced less@2.7.3, are not maintained anymore. These unmaintained packages can neither upgrade less nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerabilities from package less@2.7.3?
Suggested Solution
Since these inactive projects set a version constraint ~2.7.* for less on the above vulnerable dependency paths, if less removes the vulnerabilities from 2.7.3 and releases a new patched version less@2.7.4, such a vulnerability patch can be automatically propagated into the 12,232 affected downstream projects.
In less@2.7.4, you can kindly try to perform the following upgrade:
request 2.81.0 ➔ 2.82.0
Note:
request@2.82.0 (>=2.82.0) transitively depends on hoek@4.2.1 (a version in which vulnerabilities CVE-2018-3728 and npmjs-advisories-566 are patched)
Thanks again for your contributions.
Best regards, Paimon
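As an added illustration of the argument above (example code, not part of the issue or of the less project): a small Node.js script that walks a constructed dependency graph, built from the single path quoted in the issue, to list every route reaching the vulnerable hoek@2.16.3, and checks which releases a `~2.7.*` constraint would accept, showing why a patched 2.7.4 propagates automatically while 3.0.2 does not. The graph shape and the tilde-range parser are assumptions for this example; only the tilde form the issue relies on is implemented.

```javascript
// Constructed npm-style dependency graph: node -> direct dependencies.
// Versions follow the path quoted in the issue; the graph is an illustration,
// not a real package-lock.
const graph = {
  '@felixrieseberg/electron-prebuilt-compile@9.4.4': ['electron-compilers@5.9.0'],
  'electron-compilers@5.9.0': ['less@2.7.3'],
  'less@2.7.3': ['request@2.81.0'],
  'request@2.81.0': ['hawk@3.1.3'],
  'hawk@3.1.3': ['boom@2.10.1'],
  'boom@2.10.1': ['hoek@2.16.3'],
  'hoek@2.16.3': [],
};

// Vulnerable package@version pairs the scan should flag (from the issue).
const vulnerable = new Set(['hoek@2.16.3']);

// Depth-first search returning every dependency path from `root` to a
// vulnerable node, each as a ' ➔ '-joined string.
function findVulnerablePaths(deps, root, vulnSet) {
  const paths = [];
  const walk = (node, trail) => {
    if (trail.includes(node)) return;            // guard against cycles
    const next = [...trail, node];
    if (vulnSet.has(node)) paths.push(next.join(' ➔ '));
    for (const child of deps[node] || []) walk(child, next);
  };
  walk(root, []);
  return paths;
}

// Minimal tilde-range check (assumed semantics, matching npm): "~2.7.3",
// "~2.7.*" or "~2.7" all mean >=2.7.<patch> <2.8.0, so a patched 2.7.4 is
// accepted by the downstream constraint and 3.0.2 is not.
function tildeSatisfies(range, version) {
  const m = range.match(/^~(\d+)\.(\d+)(?:\.(\d+|x|\*))?$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  const patch = /^\d+$/.test(m[3] || '') ? Number(m[3]) : 0;
  const [vMaj, vMin, vPat] = version.split('.').map(Number);
  return vMaj === major && vMin === minor && vPat >= patch;
}

const root = '@felixrieseberg/electron-prebuilt-compile@9.4.4';
console.log(findVulnerablePaths(graph, root, vulnerable));
console.log('2.7.4 accepted by ~2.7.*:', tildeSatisfies('~2.7.*', '2.7.4'));
console.log('3.0.2 accepted by ~2.7.*:', tildeSatisfies('~2.7.*', '3.0.2'));
```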
Issue Analytics
- Created 2 years ago
- Comments: 15 (6 by maintainers)
Top GitHub Comments
@sigveio Thanks for your advice. Keep it in my mind. Learnt a lesson.
@sigveio wait, what in the world? 😮