
hoek node module vulnerability #407

Closed
econnally opened this issue Apr 27, 2018 · 4 comments

Comments

@econnally

FYI the hoek node module is popping up on our dependency graph with this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

@dpvc
Member

dpvc commented May 4, 2018

MathJax-node has jsdom as a dependency, and that in turn has request as a dependency, which requires hawk which uses hoek. It looks like hawk has updated their version of hoek, but that request is using an old version of hawk. Unfortunately, we can't fix those dependencies from our end (at least I don't see how). The maintainers of request would need to update their dependency to include a higher version of hawk.
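The chain described above (jsdom → request → hawk → hoek) is a transitive dependency, so a lockfile walk is the quickest way to see exactly which resolved copy of hoek is reachable and on which path. This is an added example, not code from the MathJax-node project: it walks a constructed, lockfile-v1-shaped tree and reports every path to a flagged package; the version boundaries in `exampleRange` are illustrative placeholders, not a statement of the CVE-2018-3728 advisory's range.

```javascript
// Added example (not MathJax-node's own code). The lock tree below is
// constructed to mirror the chain in the comment; versions are made up.
const lock = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    jsdom: { version: '11.0.0', requires: { request: '^2.83.0' },
      dependencies: {
        request: { version: '2.83.0', requires: { hawk: '~6.0.2' },
          dependencies: {
            hawk: { version: '6.0.2', requires: { hoek: '4.x.x' },
              dependencies: { hoek: { version: '4.2.0' } } } } } } },
    hoek: { version: '5.0.3' } // hoisted top-level copy, assumed patched
  }
};

// Recursively collect every path through nested "dependencies" maps
// (lockfile v1 layout) that ends in the package named `target`.
function findPaths(tree, target, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === target) hits.push(here);
    hits.push(...findPaths(node, target, here));
  }
  return hits;
}

// Numeric compare of "major.minor.patch" strings (no pre-release tags).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// isVulnerable is an assumed predicate derived from the advisory you are
// checking; each hit is reported with its full path and resolved version.
function auditPackage(lockTree, target, isVulnerable) {
  return findPaths(lockTree, target).map((path) => {
    const version = path[path.length - 1].split('@')[1];
    return { path: path.join(' > '), version, vulnerable: isVulnerable(version) };
  });
}

// Placeholder range for illustration only, not the real advisory bounds.
const exampleRange = (v) => cmp(v, '4.2.1') < 0 ||
  (cmp(v, '5.0.0') >= 0 && cmp(v, '5.0.3') < 0);
const report = auditPackage(lock, 'hoek', exampleRange);
report.forEach((r) => console.log(r.vulnerable ? 'FLAG' : 'ok  ', r.path));
```

Run against a real package-lock.json by replacing `lock` with `JSON.parse(fs.readFileSync('package-lock.json'))` and `exampleRange` with the advisory's published range; a path that only reaches a patched hoisted copy is the signal that the alert may not apply.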

@econnally
Author

FWIW sounds like a false positive by GitHub: request/request#2926 (comment)

@dpvc
Member

dpvc commented May 4, 2018

Thanks for the pointers to the issue. Glad to see that it is not really a vulnerability!

@JessicaSachs

Here's GitHub's response. TL;DR: they've gone through and deleted the bad alerts, and promised to be better about validating whether security vulnerabilities are legit before putting alerts out.
