Security vulnerability in hapijs / hoek 4.2.1 (package-lock.json) https://nvd.nist.gov/vuln/detail/CVE-2018-3728


Either upgrade or remove/replace this dependency.
Suggestion for approach (optional): fork realm, upgrade dependency to switch to the latest version of node-pre-gyp. If it works, Status can use this fork in our org.
No more GH vulnerability alert.
Should be enough to bump to hoek ~> 5.0.3 but would need to test and make sure nothing else breaks with this change.
I am getting the same problem on many personal repos
I don't think it is just a small bounty, I can dig further, but realm is pinning the node-pre-gyp version as you can see here https://github.com/realm/realm-js/blob/master/package.json#L87 and it is this version of node-pre-gyp that is using hawk, which has hoek as a dependency.
Latest version of node-pre-gyp doesn't have this dependency.
So to solve this issue the two solutions I see so far are:
The first one might take quite some time, the second quite some effort.
@yenda Cheers, do you want to change it to something more appropriate? L maybe? Maybe we (or bounty person) can fork realm and try first option first.
Why are you using node-pre-gyp? Just remove it.
https://github.com/mapbox/node-pre-gyp/wiki/Modules-using-node-pre-gyp
I see that realm uses it, but I think it's because it's using the https://github.com/mapbox/node-sqlite3 ... I'd get rid of realm.
cc @oskarth @yenda, looks like this has also been addressed by the maintainers. This thread may be worth monitoring: https://github.com/request/request/issues/2926#issuecomment-385087487

Did you get an error with the new testflight build?
Having the same issue here. I tried manually changing hoek versions in package-lock.json and then committing to GitHub; the vulnerability issue in GitHub disappears, but if I clone it back and do npm install, the versions get changed to 2.16.3 from 4.2.1. Can someone let me know which package in package.json is dependent on hoek, which is probably causing this?
Thanks!
This has gone stale, let's try and get this resolved.
@sriharigr here is the entire dependency tree:

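To answer the "which package pulls in hoek" question above without reading the whole lock file by hand, here is an added example (not code from this thread or from realm/node-pre-gyp) that walks a lockfileVersion 1 package-lock.json and reports every installed copy of a package, the nesting path it sits under, and which sibling packages require it. The lock data is constructed for illustration: the chain realm -> node-pre-gyp -> hawk -> hoek mirrors the thread, but the versions and ranges are made up, and 5.0.3 is simply the target version proposed earlier in the thread.

```javascript
// Constructed sample package-lock.json (lockfileVersion 1). Names mirror the thread,
// versions and ranges are invented for the example.
const SAMPLE_LOCK = {
  name: 'status-react', lockfileVersion: 1,
  dependencies: {
    hoek: { version: '5.0.3' },
    realm: {
      version: '2.3.0',
      requires: { 'node-pre-gyp': '0.6.0' },
      dependencies: {
        'node-pre-gyp': { version: '0.6.0', requires: { hawk: '3.1.0' } },
        hawk: { version: '3.1.0', requires: { hoek: '4.x' } },
        hoek: { version: '4.2.1' },
      },
    },
  },
};

// Recursively collect every installed copy of `target`. For each copy record the
// nesting path (which packages it is installed under) and which packages at the same
// nesting level declare it in `requires`. Simplification: npm may also satisfy a
// nested `requires` from a copy higher up the tree; that case is not resolved here.
function findInstalls(lock, target) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === target) {
        const requiredBy = Object.entries(deps)
          .filter(([n, e]) => n !== target && e.requires && e.requires[target])
          .map(([n, e]) => `${n}@${e.version}`);
        hits.push({ version: entry.version, path: path.join(' > ') || '(top level)', requiredBy });
      }
      walk(entry.dependencies, [...path, `${name}@${entry.version}`]);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Numeric comparison of dotted versions, so '4.2.1' sorts below '5.0.3' (prereleases ignored).
function olderThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Installed copies of `target` older than `minVersion`, with the chain that pulls them in.
function flagInstalls(lock, target, minVersion) {
  return findInstalls(lock, target).filter((h) => olderThan(h.version, minVersion));
}

for (const h of flagInstalls(SAMPLE_LOCK, 'hoek', '5.0.3')) {
  console.log(`hoek@${h.version} under ${h.path}, required by ${h.requiredBy.join(', ') || '(nothing found)'}`);
}
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a copy flagged under a nested path explains why editing the top-level entry in the lock file does not survive `npm install`.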
@corpetty I created an issue on realm issue tracker https://github.com/realm/realm-js/issues/1956. In case they don't answer we'll have to fork it but it is a tricky package to build.
@corpetty realm-js will release Thursday or Friday this week a version that doesn't include this library so I'll publish a PR then.
Thank you @yenda for looking into this.
@corpetty I think we can close this one?