vscode NPM module: Vulnerability alert for hoek < 5.0.3 #48783
Comments
I've seen the same alert from GitHub on all my extensions.
Same for me with several of my stuff - ideas on how to correct the issue?
I am having the same exact issue. A Google search led me here. Any solutions thus far?
ditto! 😮
Same here.
Same!! What do
Same here. Please, how do I resolve this?
How does one update
Same!
@dadlerj updating your NPM modules should automatically sync the
@damianperera even after running npm update my hoek version is at 4.2.0 even after removing the package-lock.json file, running
@JamesSingleton if
Same for me.
Hmm, I wonder what else could be using it other than what is installed for the project... I have 5 projects with this notification. Thankfully they are older projects, but I would like to get it updated.
This depends on request/request#2926 which we depend on.
Instead of updating I tried:
+1
I took @charmeem's idea a step further and it doesn't seem to have impacted anything. So I did Once again, I am not sure of the impact of this as I was still able to run my code and everything like that. I just mainly wanted to stop the notifications from GitHub on my older projects.
I followed @JamesSingleton's steps and it worked for me; now GitHub marks the vulnerability in my repo as resolved.
@TizioFittizio just keep in mind that it removes hoek from your package-lock.json. However, some other stuff will have it as a dependency for a later version... I think I saw one that had a dependency of hoek 2.2. But like I said, I'm not entirely sure what it's used for as my app was still able to run just fine.
I also followed the @JamesSingleton steps.
Moving into microsoft/vscode-extension-vscode#106 where it belongs.
Worked for me with @JamesSingleton's solution (npm i hoek, npm uninstall hoek, npm update, npm install). Thanks!
I followed @JamesSingleton's steps and it worked for me, thanks!!
Another alternative way is to use
Dependency (Hapijs / Hoek, currently v2.16.3) Security Issue / Fix: hoek node module before 5.0.3 or 4.2.1 suffers from a Modification of Assumed-Immutable Data (MAID) microsoft/vscode#48783 https://nvd.nist.gov/vuln/detail/CVE-2018-3728
Thanks @JamesSingleton, really appreciate it! Followed the steps and it worked.
Steps to Reproduce:
Does this issue occur when all extensions are disabled?: Yes (N/A)
CVE-2018-3728
I'm not sure if this can be solved without third-party buy-in from the following (npm ls hoek): My plugin paste-escaped shows the GitHub report.
It is likely vscode itself has not been notified due to the use of yarn vs npm thus a different lockfile format.