vscode NPM module: Vulnerability alert for hoek < 5.0.3

Created on 26 Apr 2018 · 26 comments · Source: microsoft/vscode

Steps to Reproduce:

  1. Create a new plugin project referencing vscode
  2. Commit to github repo
  3. Receive vulnerability report from github due to github scanning package.json and package-lock.json indicating:

     Known vulnerability found
     CVE-2018-3728
     Moderate severity
     hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' ...

     package-lock.json update suggested:
     hoek ~> 5.0.3
     Always verify the validity and compatibility of suggestions with your codebase.

Does this issue occur when all extensions are disabled?: Yes (N/A)

CVE-2018-3728

I'm not sure if this can be solved without third-party buy-in from the following (npm ls hoek):

`-- [email protected]
  +-- [email protected]
  | `-- [email protected]
  |   `-- [email protected]
  |     +-- [email protected]
  |     | `-- [email protected]
  |     +-- [email protected]
  |     `-- [email protected]
  |       `-- [email protected]
  `-- [email protected]
    `-- [email protected]
      +-- [email protected]
      | `-- [email protected]
      +-- [email protected]
      | `-- [email protected]
      |   `-- [email protected]
      +-- [email protected]
      `-- [email protected]
        `-- [email protected]  deduped

My plugin paste-escaped shows the github report

It is likely vscode itself has not been notified due to the use of yarn instead of npm, and thus a different lockfile format.

Labels: duplicate, debt, extensions

All 26 comments

I've seen the same alert from GitHub on all my extensions.

Same for me with several of my stuff. Ideas on how to correct the issue?

I am having the same exact issue. A google search led me here. Any solutions thus far?

ditto!

Same here.

Same!! What do

Same here. Please, how do I resolve this?

How does one update package-lock.json to the recommended version of hoek ~> 5.0.3?

Same!

@dadlerj updating your NPM modules should automatically sync the package-lock.json file. Simply run npm update in your project root.

@damianperera even after running npm update, my hoek version is still at 4.2.0, even after removing the package-lock.json file and running npm update as well as npm install.

@JamesSingleton if hoek is being used by another module(s) that you installed via npm and not specifically by your project, you will need to wait until that module(s) is updated before issuing an npm update on your own project.

Same for me.

Hmm I wonder what else could be using it other than what is installed for the project... I have 5 projects with this notification. Thankfully they are older projects, but would like to get it updated.

This depends on https://github.com/request/request/issues/2926, which we depend on.

Instead of updating I tried:
npm i hoek
and it updated hoek to 5.0.3

+1

I took @charmeem's idea a step further and it doesn't seem to have impacted anything. So I did npm i hoek, which then created a new dependency in my package.json that wasn't there before. After that, I did npm uninstall hoek, npm update for good measure, and then I did npm install, and now I don't have the warning message.

Once again, I am not sure of the impact on this as I was still able to run my code and everything like that. I just mainly wanted to stop the notifications from GitHub on my older projects.

I followed @JamesSingleton's steps and it worked for me; now github marks the vulnerability in my repo as resolved.

@TizioFittizio just keep in mind that it removes hoek from your package-lock.json. However, some other stuff will have it as a dependency for later version... I think I saw one that had a dependency of hoek 2.2. But like I said, I'm not entirely sure what it's used for as my app was still able to run just fine.

I also followed @JamesSingleton's steps.
It worked for me too.

Worked for me with @JamesSingleton's solution (npm i hoek, npm uninstall hoek, npm update, npm install). Thanks!
👍

I followed @JamesSingleton's steps and it worked for me, thanks!!

Another alternative is to use npm audit, which will display all the vulnerable / outdated dependencies in your package.json or package-lock.json, and then you can simply follow the instructions shown along with the other information by the audit.
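The workaround steps above and npm audit both leave one question open: whether a transitive copy of hoek below 5.0.3 is still pinned somewhere in package-lock.json. The following is an added example, not code from the vscode project or any commenter, that walks a lockfileVersion 1 lock (nested "dependencies" objects) and reports every such copy with the path that pulls it in; the sample lock, and the hawk/boom package names in it, are constructed to mirror the shape of the `npm ls hoek` tree in the issue.

```javascript
// Added example (not from the vscode issue): find every hoek entry in a
// package-lock.json tree that is still below the fixed 5.0.3, and show
// the dependency chain that pins it there.

const FIXED = [5, 0, 3]; // hoek >= 5.0.3 is not affected by CVE-2018-3728

// Parse "4.2.1" into [4, 2, 1]; pre-release/build suffixes are dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

// Numeric, component-wise comparison of two parsed versions.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk the lockfile's nested "dependencies" objects and
// collect "parent@ver > child@ver > ..." chains ending in a vulnerable `pkg`.
function findVulnerable(deps, pkg, fixed, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkg && compareVersions(parseVersion(info.version), fixed) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(info.dependencies, pkg, fixed, here));
  }
  return hits;
}

// Constructed sample lock (lockfileVersion 1 layout). The top-level hoek is
// the patched one left by `npm i hoek`; the nested copy under request is the
// kind of pin the GitHub alert keeps flagging. hawk/boom names are assumed.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: '5.0.3' },
    request: { version: '2.85.0', dependencies: {
      hawk: { version: '6.0.2', dependencies: {
        boom: { version: '4.3.1', dependencies: { hoek: { version: '4.2.1' } } },
      } },
    } },
  },
};

console.log(findVulnerable(sampleLock.dependencies, 'hoek', FIXED));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no pinned copy is below the fixed version.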

Thanks @JamesSingleton really appreciate it! Followed the steps and it worked.
