Remove dependency on hawk, upgrade request #347

krotscheck · 2018-02-15T20:58:45Z

This patch removes the explicit dependency on hawk, and upgrades request
to the newest version. It also removes node 0.10 from the testing grid,
as this version has been EOL'd by the node foundation, and doesn't support
es6 syntax used in the newer introduced dependencies.

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439
https://github.com/nodejs/Release

Closes #346

krotscheck · 2018-02-15T20:59:28Z

The only mention of hawk appears to be the package.json file:
https://github.com/mapbox/node-pre-gyp/search?utf8=%E2%9C%93&q=hawk&type=

SebastianSchmidt · 2018-02-15T22:30:18Z

The package request@2.81.0 depends on hawk@3.1.3.
This pull request does not completely remove the dependency on hawk and does not solve #346:

node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › hoek@2.16.3
node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › boom@2.10.1 › hoek@2.16.3
node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › sntp@1.0.9 › hoek@2.16.3
node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › cryptiles@2.0.5 › boom@2.10.1 › hoek@2.16.3

Updating to request@2.83.0 fixes the vulnerability.
request@2.83.0 uses hawk@6.0.2 which depends on hoek@4.2.1 (hapijs/hoek#230):

node-pre-gyp@0.6.39 › request@2.83.0 › hawk@6.0.2 › hoek@4.2.1
node-pre-gyp@0.6.39 › request@2.83.0 › hawk@6.0.2 › boom@4.3.1 › hoek@4.2.1
node-pre-gyp@0.6.39 › request@2.83.0 › hawk@6.0.2 › sntp@2.1.0 › hoek@4.2.1
node-pre-gyp@0.6.39 › request@2.83.0 › hawk@6.0.2 › cryptiles@3.1.2 › boom@5.2.0 › hoek@4.2.1

krotscheck · 2018-02-15T22:37:52Z

@SebastianSchmidt Done. Jetzt auf Travis warten ⏳

SebastianSchmidt · 2018-02-15T22:53:57Z

request@2.83.0 and Node 0.10: #320, #342

This patch removes the explicit dependency on hawk, and upgrades request to the newest version. It also removes node 0.10 from the testing grid, as this version has been EOL'd by the node foundation, and doesn't support es6 syntax used in the newer introduced dependencies. https://nodesecurity.io/advisories/566 https://hackerone.com/reports/310439 https://github.com/nodejs/Release Closes #346

krotscheck · 2018-02-15T23:02:41Z

Yeah, saw that. Given that node 0.10 is EOL, I removed it from the testing grid.

krotscheck · 2018-02-16T04:50:40Z

@springmeyer Any chance you can take a look at this?

JulianLaval · 2018-02-20T14:29:39Z

Would be great to have this PR merged in -- any updates? 🙂

kontrollanten · 2018-02-22T16:56:51Z

Any updates on this?

Waiting for mapbox/node-pre-gyp#347

Pablodotnet · 2018-03-07T19:48:00Z

Any updates on this? We need the merge ASAP!

nhodges · 2018-03-07T22:26:15Z

Whoops, just saw this PR. I also made a PR to address this, #349. Many packages are waiting on this so it can go upstream.

ronkorving · 2018-03-09T09:00:01Z

Yeah, waiting too. Does node-pre-gyp only have a single maintainer?

fenichelar · 2018-03-10T06:11:34Z

Merging this PR and releasing a new version would be great! :)

springmeyer · 2018-03-10T06:53:52Z

Thanks for this PR. Sorry for the wait in review/merging. Will merge now and release as v0.7.0.

springmeyer · 2018-03-10T06:58:33Z

node-pre-gyp@0.7.0 is now published: https://www.npmjs.com/package/node-pre-gyp

* This commit still doesn't pass volnurability check. But it will be solved soon enough * refs: mapbox/node-pre-gyp#347

Remove dependency on hawk, upgrade request

krotscheck changed the title ~~Remove dependency on hawk~~ Remove dependency on hawk, upgrade request Feb 15, 2018

kontrollanten added a commit to kontrollanten/algolia-places-react that referenced this pull request Feb 24, 2018

remove babel-cli

da84505

Waiting for mapbox/node-pre-gyp#347

kontrollanten added a commit to kontrollanten/algolia-places-react that referenced this pull request Feb 24, 2018

remove babel-cli

8ea47d7

Waiting for mapbox/node-pre-gyp#347

gilmillasseau mentioned this pull request Feb 28, 2018

#54 Update webpack to version 4 stoikerty/dev-toolkit#59

Merged

matteofigus approved these changes Mar 3, 2018

View reviewed changes

SebastianSchmidt mentioned this pull request Mar 4, 2018

security vulnerability? due to old hawk@3.1.3 (and hoek@2.16.3) dependency #346

Closed

matteofigus mentioned this pull request Mar 7, 2018

Security vulnerabilities opencomponents/oc#836

Closed

dragonfire535 mentioned this pull request Mar 8, 2018

Attempting to install from non-source causes a build error due to 404. Automattic/node-canvas#1108

Closed

nuri-hodges-ck mentioned this pull request Mar 9, 2018

fix: update request and hawk dependencies #349

Closed

springmeyer merged commit af507d1 into mapbox:master Mar 10, 2018

This was referenced Mar 10, 2018

update request from 2.81.0 to 2.83.0 #342

Closed

Don't fix versions in dependencies #324

Closed

Update dependency on request to address ReDoS #321

Closed

Update request to 2.83.0 #320

Closed

fenichelar mentioned this pull request Mar 10, 2018

Update node-pre-gyp to fix prototype pollution attack fsevents/fsevents#201

Closed

jinwoo mentioned this pull request Mar 10, 2018

License problem with node-pre-gyp grpc/grpc-node#145

Closed

andyhayes mentioned this pull request Mar 12, 2018

Security vulnerability in node-pre-gyp dependency fsevents/fsevents#200

Closed

joemphilips added a commit to joemphilips/walletts-old that referenced this pull request Mar 17, 2018

remove test files from main(and module)build

58b775c

* This commit still doesn't pass volnurability check. But it will be solved soon enough * refs: mapbox/node-pre-gyp#347

krotscheck deleted the hawk branch April 17, 2018 00:11

fenichelar mentioned this pull request Apr 20, 2018

Update fsevents to fix prototype pollution attack paulmillr/chokidar#704

Closed

drewjenkins mentioned this pull request May 23, 2018

Prototype Pollution Vulnerability node-gfx/node-canvas-prebuilt#43

Closed

This was referenced Aug 5, 2021

[Snyk] Security upgrade node-pre-gyp from 0.5.31 to 0.8.0 ilatypov/node-pre-gyp#5

Open

[Snyk] Security upgrade node-pre-gyp from 0.5.31 to 0.8.0 ilatypov/node-pre-gyp#7

Open

snyk-bot mentioned this pull request Sep 1, 2021

[Snyk] Security upgrade node-pre-gyp from 0.5.31 to 0.8.0 ilatypov/node-pre-gyp#10

Open

hyj1991 pushed a commit to X-Profiler/node-pre-gyp that referenced this pull request Jun 16, 2023

Merge pull request mapbox#347 from krotscheck/hawk

5b60326

Remove dependency on hawk, upgrade request

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove dependency on hawk, upgrade request #347

Remove dependency on hawk, upgrade request #347

krotscheck commented Feb 15, 2018 •

edited

krotscheck commented Feb 15, 2018

SebastianSchmidt commented Feb 15, 2018 •

edited

krotscheck commented Feb 15, 2018

SebastianSchmidt commented Feb 15, 2018

krotscheck commented Feb 15, 2018

krotscheck commented Feb 16, 2018

JulianLaval commented Feb 20, 2018

kontrollanten commented Feb 22, 2018

Pablodotnet commented Mar 7, 2018

nhodges commented Mar 7, 2018

ronkorving commented Mar 9, 2018

fenichelar commented Mar 10, 2018

springmeyer commented Mar 10, 2018

springmeyer commented Mar 10, 2018

Remove dependency on hawk, upgrade request #347

Remove dependency on hawk, upgrade request #347

Conversation

krotscheck commented Feb 15, 2018 • edited

krotscheck commented Feb 15, 2018

SebastianSchmidt commented Feb 15, 2018 • edited

krotscheck commented Feb 15, 2018

SebastianSchmidt commented Feb 15, 2018

krotscheck commented Feb 15, 2018

krotscheck commented Feb 16, 2018

JulianLaval commented Feb 20, 2018

kontrollanten commented Feb 22, 2018

Pablodotnet commented Mar 7, 2018

nhodges commented Mar 7, 2018

ronkorving commented Mar 9, 2018

fenichelar commented Mar 10, 2018

springmeyer commented Mar 10, 2018

springmeyer commented Mar 10, 2018

krotscheck commented Feb 15, 2018 •

edited

SebastianSchmidt commented Feb 15, 2018 •

edited