
Vulnerability: hoek should be updated to 5.0.3 #211

Closed
sbrl opened this issue Apr 27, 2018 · 3 comments
@sbrl
Member

sbrl commented Apr 27, 2018

The package hoek is specified in the package-lock.json file at version 4.2.0. When I run npm-remote-ls hoek though, it tells me that version 5.0.3 will suffice. I suggest updating it to mitigate the vulnerability that GitHub has identified.

Here's the reverse-dependency tree generated by npm-remote-ls: https://hastebin.com/enirizinan
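As an added illustration (not code from the issue or the project), here is a small Node script that walks a lockfileVersion-1 package-lock.json, lists every nested copy of a package with the dependency path that pulled it in, and flags the copies still below the version the reporter asks for. The lock object is constructed for the example and is not the project's real lockfile.

```javascript
// Constructed sample lock (lockfileVersion 1, the format used in 2018).
// npm nests a second copy of a package when versions conflict, so the same
// name can appear at several depths with different versions.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    request: {
      version: "2.85.0",
      dependencies: {
        hawk: {
          version: "6.0.2",
          dependencies: { hoek: { version: "4.2.0" } },
        },
      },
    },
    boom: { version: "7.2.0", dependencies: { hoek: { version: "5.0.3" } } },
    hoek: { version: "4.2.1" },
  },
};

// Compare two dotted numeric versions: negative, zero or positive like strcmp.
// Pre-release suffixes are dropped on purpose; enough for a lockfile audit.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, recording the chain
// of parents (name@version) so the reverse dependency is visible.
function findCopies(deps, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const path = [...trail, `${dep}@${info.version}`];
    if (dep === name) out.push({ path: path.join(" > "), version: info.version });
    findCopies(info.dependencies, name, path, out);
  }
  return out;
}

// Copies below `fixedVersion`: the ones a dependency bump still has to reach.
function vulnerableCopies(lock, name, fixedVersion) {
  return findCopies(lock.dependencies, name).filter(
    (c) => compareVersions(c.version, fixedVersion) < 0
  );
}

console.log(vulnerableCopies(sampleLock, "hoek", "5.0.3"));
```

Point it at a real lockfile with `JSON.parse(require("fs").readFileSync("package-lock.json"))` in place of `sampleLock`; each flagged path names the parent that must publish a fix before `npm update` can move that copy.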

@sbrl sbrl added the bug label Apr 27, 2018
@agnivade
Member

npm update updates it to 4.2.1. Because it is a transitive dependency, I don't know if manually editing package-lock.json is a good idea.

@sbrl
Member Author

sbrl commented Apr 28, 2018

Hrm true. What I ended up doing for another of my projects is deleting package-lock.json, and using node-check-updates like so:

ncu -u -n -a
npm install

That updated everything to the very latest stable version available. Not sure if it's wise here, but it did the trick for me :P

@vladimyr
Collaborator

> I don't know if manually editing package-lock.json is a good idea.

According to my experience that is a bad idea and should be avoided if possible.

> Hrm true. What I ended up doing for another of my projects is deleting package-lock.json, and using node-check-updates

I haven't used ncu in a while, but as far as I remember it alters package.json only. A subsequent npm install will respect the changes and update package-lock.json accordingly, so you don't need to delete it manually and wait for it to get re-generated. 😉

Keeping packages green is typically a good idea, but it is also a risky business by definition. If you do it manually, try npm-check. It has a nice interactive mode and it will warn you about potentially breaking updates.
Mitigating vulnerabilities is another story and it should be done (semi-)automatically, relying on a 3rd-party service to keep track of affected dependencies and bumping those.

Naturally there are dedicated bots providing both services:

  1. keeping stuff green: https://greenkeeper.io/ or https://renovatebot.com/
  2. keeping stuff safe: https://snyk.io/

All 3 are free for OSS, so maybe this is a chance to set up something to avoid future security issues. What do you think @agnivade?

agnivade added a commit that referenced this issue Apr 29, 2018