Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Vulnerabilities introduced by package hoek
See original GitHub issueHi ,@matthew-dean @lukeapage , there are 2 vulnerabilities in your package:
Issue Description
2 vulnerabilities CVE-2018-3728 and npmjs-advisories-566 detected in package hoek@2.16.3 is transitively referenced by less@2.7.3. We noticed that such vulnerabilities have been removed since less@3.0.2.
However, less’s popular previous version less@2.7.3 (217,198 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 12,232 downstream projects, e.g., safecheck-client 3.0.8-aode-11, telephone-clients 3.0.57-8, apply-clients 3.0.7-125, weaver-mobile 1.17.8, css-inliner 2.0.0, @felixrieseberg/electron-prebuilt-compile@9.4.4, etc.). As such, issues CVE-2018-3728 and npmjs-advisories-566 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade less from version 2.7.3 to 3.*.* . For instance, less@2.7.3 is introduced into the above projects via the following package dependency path:
(1)@felixrieseberg/electron-prebuilt-compile@9.4.4 ➔ electron-compilers@5.9.0 ➔ less@2.7.3 ➔ request@2.81.0 ➔ hawk@3.1.3 ➔ boom@2.10.1 ➔ hoek@2.16.3
…
The projects such as electron-compilers which introduced less@2.7.3 are not maintained anymore. These unmaintained packages can neither upgrade less nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerabilities from package less@2.7.3?
Suggested Solution
Since these unactive projects set a version constaint ~2.7.* for less on the above vulnerable dependency paths, if less removes the vulnerabilities from 2.7.3 and releases a new patched version less@2.7.4, such a vulnerability patch can be automatically propagated into the 12,232 affected downstream projects.
In less@2.7.4, you can kindly try to perform the following upgrade:
request 2.81.0 ➔ 2.82.0;
Note:
request@2.82.0 (>=2.82.0) transitively depends on hoek@4.2.1 (a vulnerabilities CVE-2018-3728 and npmjs-advisories-566 patched version)
Thanks again for your contributions.
Best regards, Paimon
Issue Analytics
- State:
- Created 2 years ago
- Comments:15 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@sigveio Thanks for your advise. Keep it in my mind. Learnt a lesson.
@sigveio wait, what in the world? 😮