Vulnerability in hoek package (only in development dependencies) #9

Closed
Borewit opened this issue Apr 27, 2018 · 0 comments
Borewit commented Apr 27, 2018

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

There is a vulnerability in the hoek package, which is a development dependency:

+-- coveralls@3.0.0
| `-- request@2.85.0
|   +-- hawk@6.0.2
|   | | `-- hoek@4.2.0
|   | | `-- boom@5.2.0
|   | |   `-- hoek@4.2.0
|   | +-- hoek@4.2.0
|   | `-- sntp@2.1.0
|   |   `-- hoek@4.2.0

Note that request is using an old version of hawk@6.0.2: request/request#2926

@Borewit Borewit added the security Security related issue, like a vulnerability label Apr 27, 2018
Borewit added a commit that referenced this issue Apr 27, 2018
Most important update is to exclude hoek@4.2.0.
Related issue: #9
@Borewit Borewit closed this as completed Apr 27, 2018
Borewit added a commit to Borewit/music-metadata that referenced this issue Apr 27, 2018
Borewit added a commit to Borewit/music-metadata that referenced this issue Apr 27, 2018
Borewit added a commit that referenced this issue Apr 29, 2018
it's already taking that safe version.
Ref: #9.
Update dependencies of strtok3 & token-types
Borewit added a commit that referenced this issue Apr 29, 2018
#9: Update dependencies.
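
Added example, not part of the original issue or the project's code: a small Node.js walk over the JSON shape that `npm ls --json` prints, listing every path that leads to the affected package and the direct dependency that pulls it in. The sample tree is constructed to mirror the one quoted in the issue, `example-project` is a placeholder name, and the affected-version check is an assumption limited to the version the issue names.

```javascript
// SAMPLE_TREE is constructed sample data in the shape of `npm ls --json` output.
const SAMPLE_TREE = {
  name: 'example-project', // placeholder, not the real project name
  version: '0.0.0',
  dependencies: {
    coveralls: {
      version: '3.0.0',
      dependencies: {
        request: {
          version: '2.85.0',
          dependencies: {
            hawk: {
              version: '6.0.2',
              dependencies: {
                boom: { version: '5.2.0', dependencies: { hoek: { version: '4.2.0' } } },
                hoek: { version: '4.2.0' },
                sntp: { version: '2.1.0', dependencies: { hoek: { version: '4.2.0' } } },
              },
            },
          },
        },
      },
    },
  },
};

// Assumption: flag only the version named in the issue; swap in the advisory's range.
const isAffected = (name, version) => name === 'hoek' && version === '4.2.0';

// Depth-first walk; returns one array of "name@version" hops per affected install.
function findAffectedPaths(node, affected, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    if (!dep || typeof dep.version !== 'string') continue; // unmet entries carry no version
    const hop = [...trail, `${name}@${dep.version}`];
    if (affected(name, dep.version)) hits.push(hop);
    hits.push(...findAffectedPaths(dep, affected, hop));
  }
  return hits;
}

// Direct dependencies that must be updated or replaced to drop the affected package.
function directCulprits(paths) {
  return [...new Set(paths.map((p) => p[0]))];
}

const paths = findAffectedPaths(SAMPLE_TREE, isAffected);
for (const p of paths) console.log(p.join(' > '));
console.log('update or replace:', directCulprits(paths).join(', '));
```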