v1.7.4
CLI currently uses old Boom and Hawk dependencies, which load an old version of Hoek which is vulnerable.
Upgrade to latest Boom and Hawk.
Is there a temporary workaround for this? Any way for a library that depends on CLI to protect itself from this vulnerability?
@literalpie we don't use it, directly or indirectly. NPM isn't smart enough to know this, so shows the vulnerability. For now it's simply a warning. We're working on it.
Is this fixed yet?
It has been fixed in this commit https://github.com/angular/devkit/commit/c827938d313b6ad2e8a28092acd11bc16dd8fb1e
So it's fixed only in v6.0.1 of devkit which corresponds to the v6.0.1 of "@angular/cli".
To have this issue fixed, you need to update "@angular/cli" to the v6.0.1. This means you'll have to update Angular to the v6.
@hansl I would also make this change (cherry-pick?) https://github.com/angular/devkit/commit/c827938d313b6ad2e8a28092acd11bc16dd8fb1e
in the earlier version of devkit (0.3.x) so that this bug is fixed in the older version of angular-cli (1.7.x) and people don't need to update everything to v6.0.1.
I know it's not strictly an angular-cli problem but is it possible to make an Angular 6 app without pulling in the vulnerable hoek? angular-devkit/build-angular 0.6.1 still depends on node-sass 4.9.0 which pulls the old hoek version in.
@ration The workaround for this (if you don't want to update Angular to v6) is to add this to your devDependencies in package.json:
"chokidar": "^2.0.3",
"less": "^3.0.2"
and check that you have there:
"karma": "~1.7.1",
or higher version.
And then remove node_modules to be sure and run:
npm install
As a result you'll have Hoek v4.2.1 (not vulnerable) installed.
@affilnost putting chokidar and less into the devDeps along with updating karma didn't work for me :/
Potential regression - vulnerable lib still installed with @angular/cli@^6.0.3
running ng new-app
In my case this commit solved the problem (update to Angular v6) https://github.com/affilnost/ngx-chartist/commit/bfb6cffff7495ec939269fb50133eb3896a135e2
I then removed node_modules and ran npm install and it helped.
Now I have "hoek": "4.2.1".
Maybe it helps someone..
Upgrade boom and hawk to fix hoek: Was it fixed?
I'm seeing the same as @adambkaplan.
> rm -rf node_modules/
> rm package-lock.json
> npm install
...
> npm ls hoek
└─┬ @angular-devkit/[email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
├─┬ [email protected]
│ └── [email protected] deduped
├── [email protected]
└─┬ [email protected]
└── [email protected] deduped
This regression was reported 20 days ago. Is there any movement on this? Are maintainers aware of the regression?
@hansl please reopen
AFAIK node-sass was never fixed, so this was also never fixed.
> ng --version
Angular CLI: 6.0.8
> ng new my-dream-app
> cd my-dream-app
> npm install
> npm ls hoek
[email protected] C:\git\my-dream-app
`-- @angular-devkit/[email protected]
`-- [email protected]
`-- [email protected]
`-- [email protected]
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
`-- [email protected]
`-- [email protected] deduped
If I understand this https://github.com/sass/node-sass/issues/2252 correctly it also won't be fixed?
GitHub's automated vulnerability checking is now finding and reporting this, both by email and on the repository page. Please reopen.
@ration I see them working on it for v5: https://github.com/sass/node-sass/issues/2355
npm i hoek worked for me.
anyone solve this warning or just ignore it?
This is fixed in [email protected]. Could Sass be upgraded?
I don't know if this is a workaround or a rug to sweep it under, but if you git rm package-lock.json & install dependencies with yarn install instead GitHub doesn't seem to throw this warning.
This seems to fix it:
npm install [email protected]
I'm still getting the vulnerable version of hoek with angular-cli 6.2.3 even after doing git rm package-lock.json and npm install:
`-- @angular/[email protected]
`-- @schematics/[email protected]
`-- [email protected]
`-- [email protected]
`-- [email protected]
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
`-- [email protected]
`-- [email protected] deduped
Can this issue be reopened? Looks like this is still an issue.
I'm getting the same issue despite trying to update and install the package manually.
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.
Read more about our automatic conversation locking policy.
_This action has been performed automatically by a bot._