Vulnerability issues with a sub dependency

[ooade]

Here is a screenshot of the issue made by GitHub:

Tracing the graph, I have this:

└─┬ twit@2.2.9
  └─┬ request@2.85.0
    └─┬ hawk@6.0.2
      ├─┬ boom@4.3.1
      │ └── hoek@4.2.1  deduped
      ├─┬ cryptiles@3.1.2
      │ └─┬ boom@5.2.0
      │   └── hoek@4.2.1  deduped
      ├── hoek@4.2.1 
      └─┬ sntp@2.1.0
        └── hoek@4.2.1  deduped

Updating the request package might fix this 🤷‍♂️

[Ilshidur]

There is also a vulnerability in twit@2.2.9 › request@2.85.0 › stringstream@0.0.5 according to Snyk.

EDIT : Opened a issue : mhart/StringStream#7

[ChALkeR]

request/request#2885 with request#81f8cb57bbc landed and a new request version got released, so this can be closed now, I think.

[ttezel]

Hmm according to snyk, there are currently no known vulnerabilities in the twit dependency graph: https://snyk.io/test/npm/twit

[ttezel]

@Ilshidur and @ChALkeR all good to close this?

[Ilshidur]

@ttezel Yes I believe this issue can be closed now.

[ChALkeR]

@ooade That was probably an issue in your package-lock file, it freezes nested deps.
Just updating, deleting, or rebuilding it should fix the issue.