Vulnerability in Hoek dependency from npm audit

Question

Vulnerability in Hoek dependency from npm audit

TmNguyen12 opened this issue 6 years ago · comments

Current dependency is hoek 2.16.3. It's patched in version 5.0.3. Can we update this version of hoek int the dependency?

Thanks!

Aladdin Sonni · Answer 1 · Tue May 29 2018 20:55:39 GMT+0800 (China Standard Time)

As well as tunnel-agent dependency https://nodesecurity.io/advisories/598

Thanks!

Mikaël Vallerie · Answer 2 · Thu Jun 14 2018 13:34:16 GMT+0800 (China Standard Time)

+1 for this. Thanks in advance.

John Wyatt · Answer 3 · Tue Jun 19 2018 17:07:16 GMT+0800 (China Standard Time)

+1 also for this. Commenting to raise awareness. Thanks in advance.

Deleted user · Answer 4 · Fri Jul 13 2018 17:06:27 GMT+0800 (China Standard Time)

It seems there's a whole chain of sub-dependencies blocking this issue. As far as I can tell, we should direct our attention here: nodejs/node-gyp#1492.

Michael Wayman · Answer 5 · Wed Jul 18 2018 17:42:39 GMT+0800 (China Standard Time)

OK I did an audit and the only vulnerabilities are from node-sass which node-sass-chokidar depends on, so until they can resolve on their end then there isn't much to do. but I assure you none of the vulnerabilities are high-priority