Security vulnerability: hoek (CVE-2018-3728) #6080
Comments
Since Jest (and JSDOM) is only used in tests, this doesn't really impact us. I'm fine with it being open, if nothing else to discourage more issues, though
I agree, jest is not really affected by the security issue. Only GitHub users by the security checks 🙈
newbie question, but why not just updating the package
this github warning about vulnerabilities in
This is not an issue with Jest. We can keep this issue open for visibility, but it is not actionable for us.
Update: request/request#2926 (comment)
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Bug / Security vulnerability

`jest-environment-jsdom` has a dependency on `jsdom` which is dependent on `request` which is dependent on `hawk` which is dependent on `hoek` in the version `4.2.1`. As described in CVE-2018-3728 there is a security problem before version `5.0.3` of `hoek`. `hawk` in version `7.X` uses `hoek` in `5.X`, `request` needs to be updated to use `hawk` in version `7.X` instead of `~6.0.2`. As `jsdom` does not pin its dependencies, `jest-environment-jsdom` should get the update automatically after the issue is resolved, so no action required, as I understand it.

Associated issues

`request` updating `hawk`: first issue & second issue

I hope it's okay that I leave this ticket here for others who got notified about this vulnerability. Will close it once there is a way to update `hoek` by reinstalling the dependencies.
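An added example (not from the issue or from the Jest project) that traces the chain described in the issue through a dependency tree and shows why the `~6.0.2` range on `hawk` keeps a reinstall from reaching 7.X. The tree, the placeholder versions, the sample versions `6.0.2`, `6.0.3` and `7.0.0`, and the helper names `findPaths` and `satisfiesTilde` are constructed for illustration.

```javascript
// Constructed tree mirroring the chain in the issue. Only hoek 4.2.1 and the
// hawk range ~6.0.2 come from the issue text; other versions are placeholders.
const tree = {
  name: "jest-environment-jsdom", version: "0.0.0-placeholder",
  dependencies: [{
    name: "jsdom", version: "0.0.0-placeholder",
    dependencies: [{
      name: "request", version: "0.0.0-placeholder",
      requires: { hawk: "~6.0.2" },
      dependencies: [{
        name: "hawk", version: "6.0.2", // constructed installed version
        dependencies: [{ name: "hoek", version: "4.2.1", dependencies: [] }],
      }],
    }],
  }],
};

// Return every path from the root down to a package named `target`.
function findPaths(node, target, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const found = node.name === target ? [here] : [];
  for (const dep of node.dependencies || []) {
    found.push(...findPaths(dep, target, here));
  }
  return found;
}

// Minimal tilde-range check for ranges written as ~MAJOR.MINOR.PATCH:
// major and minor must match, patch must be at least the stated patch.
function satisfiesTilde(range, version) {
  const r = /^~(\d+)\.(\d+)\.(\d+)$/.exec(range);
  const v = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!r || !v) throw new Error(`unsupported input: ${range} / ${version}`);
  const [rMaj, rMin, rPat] = r.slice(1).map(Number);
  const [vMaj, vMin, vPat] = v.slice(1).map(Number);
  return vMaj === rMaj && vMin === rMin && vPat >= rPat;
}

for (const path of findPaths(tree, "hoek")) console.log(path.join(" > "));
const hawkRange = tree.dependencies[0].dependencies[0].requires.hawk;
for (const candidate of ["6.0.3", "7.0.0"]) {
  console.log(`hawk ${candidate} allowed by ${hawkRange}:`,
    satisfiesTilde(hawkRange, candidate));
}
```

On a real project, `npm ls hoek` prints the same kind of path from the installed tree.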