fix(sphere-stock-import): Security vulnerability detected in hoek

[Babanila]

Summary

Security vulnerability detected in hoek

Description

Known moderate severity security vulnerability detected in hoek < 4.2.1 defined in package-lock.json.

Closes #76

[daern91]

I dont think this should be part of this PR

[butenkor]

Also please do not swallow original error objects as they contain a lot of valuable informations. See my comment here

[butenkor]

We need here both the original error with its stack trace as also its context/custom message regarding amount of retries.

[daern91]

@butenkor @junajan so apparently library hoek had some issues which some of our dependencies depended on. Im not sure if upgrading and installing the dependencies like this is the way to solve it or if there is a better way. Do you have any ideas and thoughts?

Message below:

Known moderate severity security vulnerability detected in hoek < 4.2.1defined in package-lock.json.
--
package-lock.json update suggested: hoek ~> 4.2.1.

[lojzatran]

Hi @Babanila changing dependencies in package.json won't change nested dependencies. You need to do it like this: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions

[LEQADA]

When you add hoek as a dependency to your project npm will still download the vulnerable version too because it is used by some other dependencies.
We can force npm to use the version we want as @lojzatran says but this is mostly what we avoid to do.
The right way is to update dependencies. If there is no fix for some dependency - check is the library still alive or not. If it's alive - maybe create a PR for that library (we live in an open source world and using it benefits). If the library is dead (no one updates it) then maybe we should replace it with something else.
In this case I can see that the highest vulnerable library in dependency chain is request library (request > hawk > boom > hoek).
The latest version of request library doesn't use hawk. It means there is no hoek dependency at all.
So maybe we can just update the request library in our dependencies?

[LEQADA]

All you need to update in this file in order to get rid of hoek vulnerability is in this patch:

diff --git a/package.json b/package.json
index 83ebba7..baf4ac1 100644
--- a/package.json
+++ b/package.json
@@ -46,7 +46,7 @@
     "csv": "^1.1.0",
     "debug": "^2.2.0",
     "optimist": "^0.6.1",
-    "sphere-node-sdk": "^1.22.0",
+    "sphere-node-sdk": "^2.0.0",
     "sphere-node-utils": "^0.9.1",
     "tmp": "0.0.33",
     "underscore": "^1.8.3",
@@ -54,7 +54,7 @@
   },
   "devDependencies": {
     "coffee-script": "^1.12.7",
-    "coveralls": "2.11.2",
+    "coveralls": "2.13.2",
     "grunt": "0.4.5",
     "grunt-bump": "0.0.13",
     "grunt-cli": "0.1.13",

[LEQADA]

everything else should be reverted since they are not related to the issue context

[LEQADA]

But IMO, we should close this PR and start a new one which fixes all 48 vulnerabilities in this library

[daern91]

@Babanila and @LEQADA is it really needed to add hoek as a dependency here? As far as I understood @LEQADA's comment we just needed to update request and possibly coveralls and sphere-node-sdk?

[LEQADA]

No, it's not needed. As well as adding request package as a dependency.
And as I previously said it looks redundant to me to create a PR for each 48 vulnerabilities.