Github sent me the message:
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.
When I click on the details it say:

When I looked at what package is dependent on hoek I found this.
# npm ls hoek
/code
โโโฌ [email protected]
โโโฌ [email protected]
โโโฌ [email protected]
โโโฌ [email protected]
โโโฌ [email protected]
โ โโโ [email protected] deduped
โโโ [email protected]
โโโฌ [email protected]
โโโ [email protected] deduped
Confirmed.
Seemingly, node-sass is waiting for the v5 release to fix this: sass/node-sass#2288
Confirmed as well.
@justlevine this is also an issue @ node-sass repo, but with all the other tickets consolidated:
https://github.com/sass/node-sass/issues/2355
Is there a way to update this manually?
@dlmanning any updates? We're happy to help.
Waiting for an update on this too
While we're all waiting for node-sass@v5, you could temporarily fix this issue by requiring a specific node-sass version from GitHub: https://github.com/sass/node-sass/issues/2355#issuecomment-400324540
"node-sass": "git+https://github.com/sass/node-sass.git#v4.7.0"
The solution to this issue is to change the version manually in your package-lock.json.
Change your version manually from 2.16.3 to 4.2.1
"hoek": {
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
"dev": true
Then update your project on GitHub(commit/push)
Just make sure every hoek version in your package-lock.json version is changed to 4.2.1
@RileyManda solution solved it for me.Thanks.
here is the NVD issue
it says:
hoek versions up to (excluding) 4.2.0
and versions from (including) 5.0.0 up to (excluding) 5.0.3
are affected by the vulnerability.
apart from the annoyance, is there any troubling exploit?
No.
node-sass released v4.9.1 to fix this issue earlier today: https://github.com/sass/node-sass/issues/2355#issuecomment-402674792. It looks like existing versions of gulp-sass will pull in this version and the fix automatically now.
npm update node-sass@latest --save
@xzyfer,
It looks like this is still an issue, at least for me. I have "gulp-sass": "^4.0.1" in my package.json file and when I run npm i to update my package-lock.json file, I get some vulnerability warnings. When I run npm audit I get 4 warnings like the following.

@xzyfer,
Also, here is a docker session to prove this is still an issue:
$ docker run -it node:9.11.2-alpine /bin/sh
/ # mkdir code
/ # cd code/
/code # npm init
...
/code # npm install gulp-sass --save-dev
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://nodesecurity.io/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
> [email protected] install /code/node_modules/node-sass
> node scripts/install.js
Downloading binary from https://github.com/sass/node-sass/releases/download/v4.9.1/linux_musl-x64-59_binding.node
Download complete .] - :
Binary saved to /code/node_modules/node-sass/vendor/linux_musl-x64-59/binding.node
Caching binary to /root/.npm/node-sass/4.9.1/linux_musl-x64-59_binding.node
> [email protected] postinstall /code/node_modules/node-sass
> node scripts/build.js
Binary found at /code/node_modules/node-sass/vendor/linux_musl-x64-59/binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] No description
npm WARN [email protected] No repository field.
+ [email protected]
added 227 packages in 13.239s
/code # npm list node-sass
[email protected] /code
`-- [email protected]
`-- [email protected]
/code # cat package-lock.json | grep node-sass
"node-sass": "4.9.1",
"node-sass": {
"resolved": "https://registry.npmjs.org/node-sass/-/node-sass-4.9.1.tgz",
/code # npm install -g npm@latest
/code # npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass [dev]
Path gulp-sass > node-sass > node-gyp > request > hawk > boom >
hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass [dev]
Path gulp-sass > node-sass > node-gyp > request > hawk >
cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass [dev]
Path gulp-sass > node-sass > node-gyp > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass [dev]
Path gulp-sass > node-sass > node-gyp > request > hawk > sntp >
hoek
More info https://nodesecurity.io/advisories/566
found 4 moderate severity vulnerabilities in 566 scanned packages
4 vulnerabilities require manual review. See the full report for details.
@epicserve this is a different issue. See https://github.com/nodejs/node-gyp/pull/1471
npm update node-sass@latest --save This also does nothing for me, with version of gulp "gulp-sass": "^4.0.1",
@RileyManda how does your solution work. I update my package-lock.json, removed my node_modules, then ran npm i and it overwrote my changes in my lock file.
This is unavoidable for at the moment. We need node-gyp to bump their request dependency.
Redirect your enthusiasm @ https://github.com/nodejs/node-gyp/pull/1492
@magbicaleman I simply opened my package-lock.json,then find "hoek"(command F + hoek)in your ide,then replace the current version of all "hoek":"current version" appearance from the current version thats giving you vulnerability issues to:"hoek": "4.2.1".This is what my current package-lock.json file looks like after updating all hoek versions from old version/preinstalled version to 4.2.1:
"boom": {
"version": "2.10.1",
"resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
"integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
"dev": true,
"requires": {
"hoek": "4.2.1"
}
},
"hawk": {
"version": "3.1.3",
"resolved": "https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz",
"integrity": "sha1-B4REvXwWQLD+VA0sm3PVlnjo4cQ=",
"dev": true,
"requires": {
"boom": "2.x.x",
"cryptiles": "2.x.x",
"hoek": "4.2.1",
"sntp": "1.x.x"
}
},
"hoek": {
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
"dev": true
},
"sntp": {
"version": "1.0.9",
"resolved": "https://registry.npmjs.org/sntp/-/sntp-1.0.9.tgz",
"integrity": "sha1-ZUEYTMkK7qbG57NeJlkIJEPGYZg=",
"dev": true,
"requires": {
"hoek": "4.2.1",
}
},
"boom": {
"version": "2.10.1",
"resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
"integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
"dev": true,
"requires": {
"hoek": "4.2.1"
}
},
I have only pasted the code snippets for all the hoek occurrences.
I changed the hoek version manually and the vulnerability issue was resolved.
any update guys ?
Most helpful comment
The solution to this issue is to change the version manually in your package-lock.json.
Change your version manually from 2.16.3 to 4.2.1
"hoek": { "version": "4.2.1", "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz", "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=", "dev": trueThen update your project on GitHub(commit/push)
Just make sure every hoek version in your package-lock.json version is changed to 4.2.1