Security vulnerability in hapijs / hoek 4.2.1 (package-lock.json) #4031
Comments
Should be enough to bump to
I am getting the same problem on many personal repos
I don't think it is just a small bounty, I can dig further but realm is pinning So to solve this issue the two solutions I see so far are:
The first one might take quite some time, the second quite some effort.
@yenda Cheers, do you want to change it to something more appropriate? L maybe? Maybe we (or bounty person) can fork realm and try first option first.
why are you using node-pre-gyp? Just remove it.
https://github.com/mapbox/node-pre-gyp/wiki/Modules-using-node-pre-gyp
I see that realm uses it but i think it's because it's using the https://github.com/mapbox/node-sqlite3 ... i'd get rid of realm.
cc @oskarth @yenda looks like this has also been addressed by the maintainers. this thread may be worth monitoring: request/request#2926 (comment)
Did you get an error with the new testflight build?
Have the same issue here. I tried manually changing hoek versions in package-lock.json and then committing to github; the vulnerability issue in github disappears, but if I clone it back and do npm install, the versions get changed to 2.16.3 from 4.2.1. Can someone let me know which package in package.json is dependent on hoek, which is probably causing this. Thanks!
This has gone stale, let's try and get this resolved. @sriharigr here is the entire dependency tree:
@corpetty I created an issue on realm issue tracker realm/realm-js#1956. In case they don't answer we'll have to fork it but it is a tricky package to build.
@corpetty realm-js will release Thursday or Friday this week a version that doesn't include this library so I'll publish a PR then.
Thank you @yenda for looking into this.
@corpetty I think we can close this one?
Problem
Security vulnerability in hapijs / hoek 4.2.1 (package-lock.json) https://nvd.nist.gov/vuln/detail/CVE-2018-3728
Solution
Either upgrade or remove/replace this dependency.
Suggestion for approach (optional): fork realm, upgrade dependency to switch to the latest version of node-pre-gyp. If it works, Status can use this fork in our org.
Acceptance criteria
No more GH vulnerability alert.
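The comment above asking which package pulls hoek in, and the "upgrade or remove/replace" solution, both come down to reading the lock file rather than hand-editing it: `npm install` re-resolves each copy of hoek from the semver range its parent declares, which is why a manual edit of the pinned version does not survive a fresh clone. The script below is an added example, not code from the status-react or realm projects. It walks a lockfileVersion 1 `package-lock.json`, lists every copy of a package with the chain that pulled it in and the range the direct parent asks for, and flags copies below a fixed version. The embedded lock file is constructed for the example (the realm > node-pre-gyp > request > hawk > hoek chain mirrors the thread; the version numbers are illustrative). The 4.2.1 threshold is the version this thread treats as clean; a real check should use the full affected ranges from the advisory for CVE-2018-3728.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample of a lockfileVersion 1 package-lock.json. This is NOT the
# real status-react lock file: versions are illustrative. It shows a vulnerable
# hoek nested under realm's node-pre-gyp chain and a separate, already-fixed
# hoek hoisted to the top level, which is the situation the thread describes.
SAMPLE_LOCK_JSON = """
{
  "name": "sample-app",
  "lockfileVersion": 1,
  "dependencies": {
    "hoek": { "version": "4.2.1" },
    "realm": {
      "version": "2.0.0",
      "requires": { "node-pre-gyp": "0.6.39" },
      "dependencies": {
        "node-pre-gyp": {
          "version": "0.6.39",
          "requires": { "request": "2.81.0" },
          "dependencies": {
            "request": {
              "version": "2.81.0",
              "requires": { "hawk": "~3.1.3" },
              "dependencies": {
                "hawk": {
                  "version": "3.1.3",
                  "requires": { "hoek": "2.x.x" },
                  "dependencies": {
                    "hoek": { "version": "2.16.3" }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
"""


def load_lock(text: str = SAMPLE_LOCK_JSON) -> Dict[str, Any]:
    """Parse lock-file JSON text (defaults to the constructed sample above)."""
    return json.loads(text)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.16.3' into (2, 16, 3); pre-release and build tags are dropped."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def find_package(lock: Dict[str, Any], name: str) -> List[Dict[str, str]]:
    """Return every copy of `name` in the lock file.

    Each hit records the resolved version, the chain of packages that pulled it
    in, and the semver range the direct parent declares in its `requires` map.
    That range, not the pinned version, is what `npm install` re-resolves, so
    it is the thing to fix (or the parent to replace).
    """
    hits: List[Dict[str, str]] = []

    def walk(deps: Dict[str, Any], path: List[str], parent: Optional[Dict[str, Any]]) -> None:
        for dep_name, entry in deps.items():
            if dep_name == name:
                parent_requires = (parent or {}).get("requires", {})
                hits.append({
                    "path": " > ".join(path + [dep_name]),
                    "version": entry["version"],
                    "required_as": parent_requires.get(name, "(root package.json or hoisted)"),
                })
            # Nested "dependencies" hold copies that could not be deduplicated
            # upward, which is where stale pinned versions usually hide.
            walk(entry.get("dependencies", {}), path + [dep_name], entry)

    walk(lock.get("dependencies", {}), [], None)
    return hits


def vulnerable_copies(lock: Dict[str, Any], name: str, fixed_in: str) -> List[Dict[str, str]]:
    """Copies of `name` whose version is strictly below `fixed_in`."""
    fixed = parse_version(fixed_in)
    return [hit for hit in find_package(lock, name) if parse_version(hit["version"]) < fixed]


if __name__ == "__main__":
    lock = load_lock()
    for hit in find_package(lock, "hoek"):
        print(f"{hit['path']}: {hit['version']} (parent requires {hit['required_as']})")
    for hit in vulnerable_copies(lock, "hoek", "4.2.1"):
        print(f"VULNERABLE below 4.2.1: {hit['path']} @ {hit['version']}")
```

Run against a real lock file with `load_lock(open("package-lock.json").read())`. On the sample, the hoisted hoek 4.2.1 is reported as clean while the copy under `realm > node-pre-gyp > request > hawk > hoek` is flagged, together with the `2.x.x` range hawk declares; that range is why the nested copy snaps back to 2.16.3 on reinstall, and why the thread ends up waiting for a realm release that drops the chain instead of patching the lock.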