
Vulnerability in hoek package


There is a vulnerability in the hoek package, which is required by hawk, which in turn is a dependency of request.

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem.

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Reactions: 92
  • Comments: 29 (1 by maintainers)

Top GitHub Comments

nlf commented, Apr 27, 2018 (36 reactions)

yes, hi 👋 hoek maintainer here. version 4.2.1 has been patched. github’s alerts are currently wrong. i’ve submitted a request to correct the version range in the CVE and also harassed some kind folks at github to take care of things on their end. hopefully they’ll stop reporting that version as vulnerable soon.

dan-nl commented, Apr 27, 2018 (18 reactions)

as far as i understand it, the issue is with a cve, https://nvd.nist.gov/vuln/detail/CVE-2018-3728, regarding hoek < v5.0.3; request v2.85.1 requires hawk ~6.0.2, which requires hoek 4.x.x. request requires hawk ~6.0.2 to maintain compatibility with node 4.

thus, it appears that the cve is incorrectly considering hoek v4.2.1 as vulnerable and may be why so many github repos are now reporting a vulnerability. i sent an email to nvd.nist.gov about the issue.
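The practical question behind this issue is which copies of hoek a project actually installs, through which chain, and whether an advisory's version range flags them. The script below is an added example (it is not code from the request, hawk or hoek projects, nor from anyone in this thread) that walks a lockfileVersion 1 package-lock.json, records the path to every installed copy of a package, and compares each copy against an advisory modelled as "all versions below X, minus an explicit patched list". The lock-file excerpt is constructed to mirror the chain described above (request 2.85.1 -> hawk ~6.0.2 -> hoek 4.x.x); the second, unrelated copy of hoek is also constructed. The "published" advisory object encodes the hoek < 5.0.3 range quoted from the CVE; the "corrected" one treats 4.2.1 as patched, which is an assumption here that only models the maintainer's statement in the comment above. The advisory object shape and all function names are this example's own.

```javascript
// Added example, not code from the request/hawk/hoek projects or the issue.
// Walks a package-lock.json (lockfileVersion 1 layout: nested "dependencies"
// objects with "version" and "requires") and reports each copy of a package
// whose resolved version falls inside an advisory's vulnerable range, together
// with the dependency path that pulled it in.

// CONSTRUCTED lock-file excerpt mirroring the chain in the issue
// (request -> hawk ~6.0.2 -> hoek 4.x.x); not a real project's lock file.
const LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    request: {
      version: '2.85.1',
      requires: { hawk: '~6.0.2' },
      dependencies: {
        hawk: {
          version: '6.0.2',
          requires: { hoek: '4.x.x' },
          dependencies: { hoek: { version: '4.2.1' } },
        },
      },
    },
    'some-other-lib': {
      version: '1.0.0',
      requires: { hoek: '2.x.x' },
      dependencies: { hoek: { version: '2.16.3' } },
    },
  },
};

// Advisory as published (the range quoted in the comment above): every hoek < 5.0.3 is flagged.
const NVD_ADVISORY = { pkg: 'hoek', vulnerableBelow: '5.0.3', patchedVersions: [] };

// ASSUMPTION: the maintainer states 4.2.1 is patched; modelled here as an
// explicit exception until the advisory's range is corrected.
const CORRECTED_ADVISORY = { pkg: 'hoek', vulnerableBelow: '5.0.3', patchedVersions: ['4.2.1'] };

// Parse "MAJOR.MINOR.PATCH"; pre-release and build metadata are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk over nested "dependencies", yielding every installed copy
// with the list of "name@version" entries leading to it.
function* walkLock(node, path = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    yield { name, version: dep.version, path: here };
    yield* walkLock(dep, here);
  }
}

// Returns the dependency paths ("a@1 > b@2 > c@3") of every copy of advisory.pkg
// that is below advisory.vulnerableBelow and not listed as patched.
function findVulnerablePaths(lock, advisory) {
  const hits = [];
  for (const dep of walkLock(lock)) {
    if (dep.name !== advisory.pkg) continue;
    const inRange = compareVersions(dep.version, advisory.vulnerableBelow) < 0;
    const patched = advisory.patchedVersions.includes(dep.version);
    if (inRange && !patched) hits.push(dep.path.join(' > '));
  }
  return hits;
}

// Demo: the published range flags both copies (the request > hawk > hoek@4.2.1
// chain among them); the corrected one keeps only the copy nobody has described as patched.
for (const [label, adv] of [['published', NVD_ADVISORY], ['corrected', CORRECTED_ADVISORY]]) {
  console.log(`${label} range:`, findVulnerablePaths(LOCK, adv));
}
```

To run this against a real project, replace the constructed `LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; note that lockfileVersion 2 and 3 files describe installed packages in a flat `packages` map keyed by `node_modules/...` path rather than the nested `dependencies` tree this walker expects, so that layout needs a different traversal.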
