Vulnerability in hoek package #2926
Comments
I tried just bumping to hawk v7.0.7 earlier today but the test broke. I had to jump off to do something else but I only got as far as this faster way to run the test:
As far as I understand it, the issue is with a CVE, https://nvd.nist.gov/vuln/detail/CVE-2018-3728, regarding
thus, it appears that the CVE is incorrectly considering
See here: #2891 (comment)
To confirm the findings of dan-nl, both links from securityfocus and hackerone in the CVE state that it has been fixed
and it's confirmed by @nlf in hapijs/hoek#230 (comment)
@warpdesign you said
But how do I do that if I don't have hawk directly as a dependency?
Which npm command?
You can't. You have to wait until Request publishes a new version that uses Hawk 7. That's the problem.
Can confirm, I've had 6 repos flagged by GitHub for having the hoek vulnerability because of the request library.
@jfoclpf I guess it should be possible to temporarily fix the problem by publishing forks with an updated version. But you don't want to go down this road. Better wait for an official resolution (which shouldn't be long to come since the CVE state just needs to be updated for
According to what I have been told from other packages, it's a false positive from GitHub. There is no vulnerability in that version of
The Node.js 4.x release line is going end of life April 30th, compatibility with it should not be a concern after then.
Yes, hi 👋 hoek maintainer here. Version 4.2.1 has been patched. GitHub's alerts are currently wrong. I've submitted a request to correct the version range in the CVE and also harassed some kind folks at GitHub to take care of things on their end. Hopefully they'll stop reporting that version as vulnerable soon.
!?
How is this issue going now plz?
@diamont1001 it's already fixed
@Bjornskjald are u sure? request@2.85.0/1 -> hawk@6.0.2 -> hoek@4.x.x
@diamont1001 hoek 4.2.1 has the bugfix backported
@diamont1001 because if you weren't lazy enough to read the whole discussion, you would see it's a bug with GitHub and the hoek maintainer already contacted them...
@nlf Thanks for updating this thread earlier! Any response from GitHub yet? I'm considering pinging them as well...
Status update?
@phillmv from @github staff has posted an explanation at hapijs/hoek#247 (comment):
Hi, I have read all the discussion but I am still having the issue.
@NadGu plz check your package-lock.json file first.
@diamont1001 done right now. The version of hoek is 4.2.1. What can I do to update it?
hoek@4.2.1 is ok.
@diamont1001 So let's wait! At least I did all that I could. Thank you!
@nadgu Hi! Are you saying you have a repository on GitHub where we're still flagging a version of 4.2.1 as being vulnerable? That shouldn't be happening! Please email support@github.com with the repository link and mention @phillmv and we'll take it from there :).
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
There is a vulnerability in the hoek package which is required by hawk that request depends on. Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem.