Security vulnerability in hapijs / hoek 4.2.1 (package-lock.json)

[oskarth]

Problem

Security vulnerability in hapijs / hoek 4.2.1 (package-lock.json) https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Solution

Either upgrade or remove/replace this dependency.

Suggestion for approach (optional): fork realm, upgrade dependency to switch to the latest version of node-pre-gyp. If it works, Status can use this fork in our org.

Acceptance criteria

No more GH vulnerability alert.

NVD - CVE-2018-3728

[oskarth]

Should be enough to bump to hoek ~> 5.0.3 but would need to test and make sure nothing else breaks with this change.

[joshuawootonn]

I am getting the same problem on many personal repos

[yenda]

I don't think it is just a small bounty, I can dig further but realm is pinning node-pre-gyp version as you can see here https://github.com/realm/realm-js/blob/master/package.json#L87 and this is this version of node-pre-gyp that is using hawk which has hoek as a dependency.
Latest version of node-pre-gyp doesn't have this dependency.

So to solve this issue the two solutions I see so far are:

• getting realm to switch to the latest version of node-pre-gyp
• getting rid of realm

The first one might take quite some time, the second quite some effort.

[oskarth]

@yenda Cheers, do you want to change it to something more appropriate? L maybe? Maybe we (or bounty person) can fork realm and try first option first.

[debragail]

why are you using node-pre-gyp? Just remove it.

[debragail]

https://github.com/mapbox/node-pre-gyp/wiki/Modules-using-node-pre-gyp

GitHub

mapbox/node-pre-gyp

node-pre-gyp - Node.js tool for easy binary deployment of C++ addons

[debragail]

I see that realm uses it but i think it's because it's using the https://github.com/mapbox/node-sqlite3 ... i'd get rid of realm.

GitHub

mapbox/node-sqlite3

node-sqlite3 - Asynchronous, non-blocking SQLite3 bindings for Node.js

[rcullito]

cc @oskarth @yenda looks like this has also been addressed by the maintainers. this thread may be worth monitoring: request/request#2926 (comment)

[debragail]

[debragail]

Did you get an error with the new testflight build?

[sriharigr]

Have a same issue here. I tried manually changing hoek versions in package-lock.json and then commit to github, the vulnerability issue in github disappears but If I clone it back and do npm install, the versions get changed to 2.16.3 from 4.2.1. Can someone let me know which package in package.json is dependent on hoek, which is probably causing this.

Thanks!

[corpetty]

This has gone stale, let's try and get this resolved.

@sriharigr here is the entire dependency tree:

[yenda]

@corpetty I created an issue on realm issue tracker realm/realm-js#1956. In case they don't answer we'll have to fork it but it is a tricky package to build.

[yenda]

@corpetty realm-js will release Thursday or Friday this week a version that doesn't include this library so I'll publish a PR then.

[corpetty]

Thank you @yenda for looking into this.

[yenda]

@corpetty I think we can close this one ?