I dug into this issue, as it occurred when I created a fresh package.json and added node-sass-chokidar as the first and only dependency. Indeed, this security vulnerability showed up (4 times). However, as it appears, this is not a direct problem with node-sass-chokidar itself, because hoek is not a direct dependency of node-sass-chokidar.
One important detail of the NPM audit log you didn't specify is the actual path of the dependency: Path: node-sass-chokidar > node-sass > node-gyp > request > hawk > sntp > hoek
The actual problem lies within the node-gyp module, which has a dependency on an older version of the request module, which still has a dependency on a module that requires the old and 'vulnerable' version of 'hoek'. The problem is, as long as the Pull Request 1492 (nodejs/node-gyp#1492) in the Node Gyp module isn't merged and a newer version of the node-gyp module isn't released, this will be the bottleneck of the old hoek module being used. All the 'underlying' modules have already released newer versions in which the security warning is addressed.
Bottom line: node-sass-chokidar is not to blame, and all we can do is wait for a newer version of node-gyp (that is, newer than v3.7.0) to be released, which should fix the problem.
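The analysis above can be automated. The following is an added example (not code from the issue, from node-sass-chokidar or from npm): it walks a package-lock-style dependency tree, collects every path that reaches a package, evaluates each resolved version against the "Patched in" range that npm audit prints, and names the direct dependency at the top of each unpatched path. The tree, the "other-dep" package and all version numbers are constructed placeholders.

```javascript
// Added example, not from the issue: find every path in a lockfile-style tree that
// reaches a package and flag those outside an npm-audit "Patched in" range.
function compareVersions(a, b) {           // "4.2.1" vs "4.2.0" -> 1
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Range like "> 4.2.0 < 5.0.0 || >= 5.0.3": "||" separates OR-ed alternatives, the
// comparators inside one alternative are AND-ed. Plain comparators only (no ^, ~).
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comparators = alt.match(/(>=|<=|>|<|=)\s*\d+\.\d+\.\d+/g) || [];
    return comparators.length > 0 && comparators.every((c) => {
      const [, op, v] = c.match(/(>=|<=|>|<|=)\s*(\S+)/);
      const cmp = compareVersions(version, v);
      return { '>': cmp > 0, '>=': cmp >= 0, '<': cmp < 0, '<=': cmp <= 0, '=': cmp === 0 }[op];
    });
  });
}
// Depth-first walk over { dependencies: { name: { version, dependencies } } } (lock v1 shape).
function findPaths(tree, target, prefix = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) hits.push({ path, version: node.version });
    hits.push(...findPaths(node, target, path));
  }
  return hits;
}
// Keep only unpatched paths; `direct` is the top-level package that pulls each one in.
function auditPackage(tree, target, patchedRange) {
  return findPaths(tree, target)
    .filter((hit) => !satisfies(hit.version, patchedRange))
    .map((hit) => ({ path: hit.path.join(' > '), version: hit.version, direct: hit.path[0] }));
}
// Build one nested chain; intermediate versions are placeholder "0.0.0".
function nest(names, leafVersion) {
  return names.reduceRight((child, name, i) => ({
    dependencies: { [name]: { version: i === names.length - 1 ? leafVersion : '0.0.0', ...child } },
  }), {});
}
// Constructed tree: the chain from the issue plus a hypothetical "other-dep" on a patched hoek.
const LOCK_TREE = { dependencies: {
  ...nest(['node-sass-chokidar', 'node-sass', 'node-gyp', 'request', 'hawk', 'sntp', 'hoek'], '2.16.3').dependencies,
  ...nest(['other-dep', 'hoek'], '5.0.3').dependencies,
} };
const HOEK_PATCHED = '> 4.2.0 < 5.0.0 || >= 5.0.3';   // the "Patched in" line from npm audit
console.log(auditPackage(LOCK_TREE, 'hoek', HOEK_PATCHED));
```

Only the node-sass-chokidar chain is reported, since the second path already resolves a version inside the patched range.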
npm audit reports security vulnerabilities in one of the dependencies...
Moderate: Prototype pollution
Package: hoek
Patched in: > 4.2.0 < 5.0.0 || >= 5.0.3
Sorry can't help further.