
security vulnerability? due to old hawk@3.1.3 (and hoek@2.16.3) dependency #346

Closed

wvanderdeijl opened this issue Feb 15, 2018 · 10 comments

@wvanderdeijl

In our project, Snyk recently started complaining that we have a dependency with a known security vulnerability. It complains about hoek@2.16.3, which is required by hawk@3.1.3, which is required by the latest version of node-pre-gyp.

The latest version of hoek (version 5.0.3) fixed the vulnerability. But node-pre-gyp has locked the version of hawk to 3.1.3, while the latest version of hawk is 7.0.7. Using such an old version of hawk also uses a very old version of hoek.

Would it be easy to upgrade to the latest version of hawk so we get the latest version of hoek without the vulnerability?

More info about the (low prio) vulnerability in hoek can be found at https://snyk.io/vuln/npm:hoek:20180212

@nathany

nathany commented Feb 15, 2018

More information on the security vulnerability in old versions of hoek:
https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439

For what it's worth, the patch was also backported to hoek 4.2.1.
https://github.com/hapijs/hoek/commits/v4.x.x


@krotscheck
Contributor

This is now also being reported by nsp, https://nodesecurity.io/advisories/566

@guyo13

guyo13 commented Feb 15, 2018

Or upgrade to hawk@7.0.7, which has the patched version of hoek in its package.json.

@pumano

pumano commented Feb 21, 2018

@springmeyer any news about dependency updates?

@evheniy

evheniy commented Feb 23, 2018

Hi,
Webpack has the dependency too:

webpack/webpack#6552

Could you please update hawk to the latest version.

Thank you!

@ChALkeR

ChALkeR commented Mar 3, 2018

That won't fix things, as there is a

    +-- request@2.81.0
       +-- hawk@3.1.3 deduped

dep, which also pulls in hawk@3.1.3, which also pulls in old hoek.

Request has several PRs to fix that, but that didn't happen yet.

Perhaps migrate away from request?

@SebastianSchmidt

SebastianSchmidt commented Mar 4, 2018

@ChALkeR

ChALkeR commented Mar 4, 2018

@SebastianSchmidt request itself isn't updated yet, that won't help.

@ChALkeR

ChALkeR commented Mar 4, 2018

@SebastianSchmidt Ah, looks like I was indeed wrong, current request version depends on a patched version — request didn't update, but hoek backported the fix, I missed that.

     '5.0.0': '2017-09-26T04:22:40.507Z',
     '5.0.1': '2017-10-26T08:22:11.034Z',
     '5.0.2': '2017-11-03T09:12:15.703Z',
     '5.0.3': '2018-02-06T17:55:50.172Z',
     '4.2.1': '2018-02-15T16:47:47.274Z' 
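
The two chains discussed in this thread (node-pre-gyp > hawk@3.1.3 > hoek@2.16.3, and the same hawk reached again through request@2.81.0 as a deduped entry) can be enumerated from `npm ls --json` output. The block below is an added example, not code from the thread or from node-pre-gyp; it takes the patched releases to be hoek 4.2.1 and 5.0.3 as stated above, assumes later majors do not regress, and runs on a hand-constructed tree rather than real `npm ls` output.

```javascript
// Added example (not from the thread or node-pre-gyp): walk an `npm ls --json`-style
// tree and list every dependency path that reaches an unpatched hoek release.
// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; a prerelease suffix is ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}
// Numeric compare: -1 if a < b, 0 if equal, 1 if a > b.
function cmpVersion(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Unpatched hoek: anything below 4.2.1 (2.x and 3.x never got the fix) and 5.x
// below 5.0.3; later majors post-date the fix (assumed not to regress).
function isVulnerableHoek(version) {
  const major = parseVersion(version)[0];
  if (major <= 4) return cmpVersion(version, '4.2.1') < 0;
  return major === 5 ? cmpVersion(version, '5.0.3') < 0 : false;
}
// npm prints a package in full only once; later occurrences are "deduped" and carry
// no nested `dependencies`. Index full nodes by name@version to resolve those.
function indexFullNodes(deps, index = new Map()) {
  for (const [name, info] of Object.entries(deps || {})) {
    if (!info.dependencies) continue;
    index.set(`${name}@${info.version}`, info);
    indexFullNodes(info.dependencies, index);
  }
  return index;
}
// Depth-first walk returning "a@1 > b@2 > hoek@x" strings for every unpatched hoek.
function findVulnerablePaths(tree, isVulnerable = isVulnerableHoek) {
  const index = indexFullNodes(tree.dependencies), paths = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const key = `${name}@${info.version}`;
      const node = info.dependencies ? info : (index.get(key) || info);
      if (name === 'hoek' && isVulnerable(info.version)) paths.push([...trail, key].join(' > '));
      if (!trail.includes(key)) walk(node.dependencies, [...trail, key]); // cycle guard
    }
  };
  walk(tree.dependencies, []);
  return paths;
}
// Constructed tree: hawk@3.1.3 -> hoek@2.16.3 reached directly from node-pre-gyp and
// again via request@2.81.0, whose hawk entry is deduped to the same copy.
const SAMPLE_TREE = { name: 'my-app', version: '1.0.0', dependencies: {
  'node-pre-gyp': { version: '0.0.0-constructed', dependencies: {
    hawk: { version: '3.1.3', dependencies: { hoek: { version: '2.16.3' } } },
    request: { version: '2.81.0', dependencies: { hawk: { version: '3.1.3' } } } } },
  'other-tool': { version: '1.0.0', dependencies: { hoek: { version: '4.2.1' } } } } };
```

Feeding real output (`npm ls --json > tree.json`, then `JSON.parse` it) into `findVulnerablePaths` reports every chain that still installs an unpatched hoek, including ones hidden behind deduped entries.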

@springmeyer
Contributor

Fixed by merging #347

@springmeyer springmeyer reopened this Mar 10, 2018
hyj1991 pushed a commit to X-Profiler/node-pre-gyp that referenced this issue Jun 16, 2023
This patch removes the explicit dependency on hawk, and upgrades request
to the newest version. It also removes node 0.10 from the testing grid,
as this version has been EOL'd by the node foundation, and doesn't support
the es6 syntax used in the newly introduced dependencies.

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439
https://github.com/nodejs/Release

Closes mapbox#346