Looks like serverless-offline's dependency hapi is out of date. Normally this wouldn't be a big deal but there's a new (as of today) security warning triggered by cryptiles, one of hapi's dependencies: https://www.npmjs.com/advisories/720. I don't know if this exposes an actual security issue (probably not because serverless-offline is only for local development!) but it's annoying to see those warnings.
The highest LTS version of hapi is 16.6.3, but I'm not sure if this version has the updated cryptiles. The latest hapi is 17.6.2 which does seem to have the updated . The version of hapi that's currently in serverless-offline is 14.2.0.
npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-offline > hapi > cryptiles                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-offline > hapi > iron > cryptiles                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-offline > hapi > statehood > cryptiles            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-offline > hapi > statehood > iron > cryptiles     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 high severity vulnerabilities in 44688 scanned packages
4 vulnerabilities require manual review. See the full report for details.
> npm v hapi
hapi@17.6.2 | BSD-3-Clause | deps: 17 | versions: 279
HTTP Server framework
https://hapijs.com
keywords: framework, http, api, web
dist
.tarball: https://registry.npmjs.org/hapi/-/hapi-17.6.2.tgz
.shasum: 67797e66ab7d2d58c43bdae7f1237f13f48481a9
.integrity: sha512-vvOfssoAmRVczKMVC0lyGtpB0bvgdHVnzRrMGe5A9jy0JVnj24Kplt+mFIOVHmPt7zsZgUiqpGzF1R4grOh/Yg==
.unpackedSize: 175.3 kB
dependencies:
accept: 3.x.x bounce: 1.x.x catbox: 10.x.x joi: 14.x.x shot: 4.x.x teamwork: 3.x.x
ammo: 3.x.x call: 5.x.x heavy: 6.x.x mimos: 4.x.x statehood: 6.x.x topo: 3.x.x
boom: 7.x.x catbox-memory: 3.x.x hoek: 6.x.x podium: 3.x.x subtext: 6.x.x
maintainers:
- hueniverse <[email protected]>
dist-tags:
latest: 17.6.2 lts: 16.6.3 next: 17.0.1 override: 13.5.3
published an hour ago by hueniverse <[email protected]>
> npm v serverless-offline
serverless-offline@3.31.0 | MIT | deps: 13 | versions: 158
Emulate AWS λ and API Gateway locally when developing your Serverless project
https://github.com/dherault/serverless-offline
keywords: Serverless, Amazon Web Services, AWS, Lambda, API Gateway
dist
.tarball: https://registry.npmjs.org/serverless-offline/-/serverless-offline-3.31.0.tgz
.shasum: 0ee5885df968c4be415cf10d229370fd6cd5c908
.integrity: sha512-uGur1/LeQ8LkOl1U6RFDlfTUXAl08GeYRqqX1mjFjQQxh7Lol0JORyFQP3xfIWszCWjkdTPw79R4TPqVncMHtA==
.unpackedSize: 164.5 kB
dependencies:
@babel/core: ^7.0.0 cryptiles: ^4.1.2 hapi: 14.2.0 jsonwebtoken: ^8.3.0 velocityjs: ^1.1.2
@babel/register: ^7.0.0 h2o2: ^5.4.0 js-string-escape: ^1.0.1 lodash: ^4.17.10
boom: ^4.2.0 hapi-cors-headers: ^1.0.3 jsonpath-plus: ^0.16.0 uuid: ^3.3.2
maintainers:
- daniel-cottone <[email protected]>
- dherault <[email protected]>
dist-tags:
beta: 1.0.0-beta3 latest: 3.31.0
published yesterday by dherault <[email protected]>
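An added example (not from the issue or the serverless-offline project) that reproduces what the "Path" rows of the npm audit report above are telling you: it walks a lockfile-v1 style dependency tree and lists every route to a cryptiles below the patched 4.1.2. The tree is constructed to mirror the report; apart from hapi 14.2.0 and the patched range from advisory 720, the versions in it are made up.

```javascript
// Added example, not from the issue or the serverless-offline project: walk a
// lockfile-v1 style dependency tree and list every path that reaches a package
// whose version is below the advisory's patched version. The tree is constructed
// to mirror the four "Path" rows above; only cryptiles' patched range (>=4.1.2,
// advisory 720) and hapi 14.2.0 come from the report, other versions are made up.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number); // "4.1.1" -> [4, 1, 1]
}

function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Every dependency path ("a > b > c") that ends in `pkg` with a version below `patched`.
function findVulnerablePaths(tree, pkg, patched) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkg && versionLessThan(node.version, patched)) {
        hits.push(path.join(' > '));
      }
      walk(node.dependencies, path); // nested "dependencies" = lockfile v1 layout
    }
  };
  walk(tree.dependencies, []);
  return hits;
}

const oldCryptiles = { version: '3.1.2' }; // constructed: a cryptiles below 4.1.2
const oldIron = { version: '4.0.0', dependencies: { cryptiles: oldCryptiles } }; // constructed
const LOCK = { dependencies: { 'serverless-offline': { version: '3.31.0', dependencies: {
  cryptiles: { version: '4.1.2' }, // the plugin's own direct dep, already patched
  hapi: { version: '14.2.0', dependencies: {
    cryptiles: oldCryptiles, iron: oldIron,
    statehood: { version: '5.0.0', dependencies: { cryptiles: oldCryptiles, iron: oldIron } },
  } },
} } } };

const VULNERABLE_PATHS = findVulnerablePaths(LOCK, 'cryptiles', '4.1.2');
```

Pointing the walker at a real package-lock.json (JSON.parse of the file) gives the same list npm audit prints, which is useful when deciding whether a dev-only dependency like this one actually reaches shipped code.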
That's right, but it cannot be helped... We need hapi v14 because v15+ makes us lose a big feature (I forgot which...).
I just came to report the same thing. Does the feature needed have to do with the iron or statehood packages that hapi needs? They both have dependencies on cryptiles.
@dherault - here's the breaking changes list from hapi V15 release notes. Is the missing feature one of these?
Breaking Changes
- EventEmitter with podium.
- HttpOnly, Secure, and SameSite=Strict properties by default to any cookie set via the state() method.
- reply() is called with a third argument when not used in the authenticate() authentication strategy method.
- request.getLog() by default, prevent memory allocation when the request logs are not needed.
- server.register() to always return the callback after the next tick.
- reply.continue() is called with an argument when not used in the authenticate() authentication strategy method unless called in extension methods after the handler is called.
Any progress on this? Curious as there were 3 releases since this was reported.
Nope, a PR is on its way but nobody is working on it... It's a tedious job that I cannot do at the moment, so I'm relying on the community to do it.
I have a WIP PR nearly finished up that I started on this weekend - hopefully, I'll be able to get it finished within the next few days and get it submitted for review. You can take a look at the progress (if you're curious) here -> dhm116/serverless-offline/tree/upgrade-hapi-v17
Sorry this took so long! I got side-tracked with another pet project once I hit some roadblocks related to the Velocity templates, but I think coming back with fresh eyes helped me finish this up rather quickly.
I hope this helps!
fixed! :+1:
in v3.32.0
@dherault I don't see this fixed in v3.32.1:
https://github.com/dherault/serverless-offline/blob/v3.32.1/src/index.js#L326
Maybe you need to do another release?
The state() has been modified in v3.32.2