This repository has been archived by the owner on Jan 9, 2024. It is now read-only.

chore: Update dependencies using vulnerable hoek #254

Closed
wants to merge 1 commit into from

Conversation

welwood08
Contributor

@welwood08 welwood08 commented Apr 26, 2018

There is a vulnerability in old versions of hoek and updating these 2 dependencies should lead to a version of hoek that is no longer affected. More information:
- https://nodesecurity.io/advisories/566
- https://hackerone.com/reports/310439

I was informed of this issue today by GitHub (and previously on several occasions by Snyk) since I depend on this package, so I expect I'm not alone in noticing this.

The test suite passes locally using bleeding-edge node/npm. I've checked usages of jsonwebtoken in the code and didn't spot anything affected by the major version bump, its dependency tree no longer features hoek at all and should be significantly lighter.

The Travis build on node 0.12 might fail due to lack of ES6 features used by the newer version of hawk in request, but this should be expected since request dropped support for node 0.12 with v2.77 (see request/request#2442)! If supporting that ancient version that reached EOL at the end of 2016 is still desired then migrating away from request to something like needle might be necessary.

Edit: seems the Travis node 4 build also failed, this time because the latest version of npm itself uses an ES6 feature not supported on node 4...

Edit 2: having checked the Snyk report more thoroughly, there are additional vulnerable dependencies that would be resolved or partially resolved by this PR:
@kumar303
Contributor

kumar303 commented Apr 27, 2018 via email

@pdehaan

pdehaan commented May 17, 2018

+1. Also, looks like updating request may hopefully bypass https://nodesecurity.io/advisories/664 (since newer versions of request may not use the potentially vulnerable stringstream module):

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Out-of-bounds Read                                                 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ stringstream                                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 5.2 (Medium)                                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 0.0.6                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ All                                                                │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ None                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ jpm@1.3.1 > sign-addon@0.2.1 > request@2.79.0 > stringstream@0.0.6 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/664                             │
└────────────┴────────────────────────────────────────────────────────────────────┘
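
The check welwood08 describes above ("its dependency tree no longer features hoek at all") and the install path pdehaan's table shows (jpm > sign-addon > request > stringstream) are both questions about which versions a lockfile actually resolves along each path. The script below is an added example, not code from jpm or from this PR: it walks a package-lock.json in the lockfile v1 layout, prints every path that reaches a named package, and flags the paths whose resolved version falls inside an advisory's vulnerable range. The two lock trees and the package.json in it are constructed for the illustration and do not reproduce jpm's real tree, and the hoek range is written from memory of advisory 566 and should be confirmed on the advisory page.

```javascript
// Added example, not code from jpm or from this PR. It walks a package-lock.json in the
// lockfile v1 layout (top-level "dependencies" map, nested "dependencies" for copies that
// could not be hoisted, "requires" for the edges a package declares), lists every install
// path that reaches a package, and flags paths whose resolved version is inside an
// advisory's vulnerable range. Root edges come from package.json, since a v1 lockfile does
// not mark direct dependencies. Both trees below are constructed, not jpm's real tree.

// Resolve `name` as Node's lookup would from the last package in `chain`: nearest nested copy wins.
function resolve(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Every path from the root package to `target`, rendered as "name@version > ...".
function findPaths(pkgJson, lock, target) {
  const hits = [];
  const root = { version: lock.version, dependencies: lock.dependencies };
  function walk(chain, labels, edges) {
    for (const name of Object.keys(edges || {})) {
      const node = resolve(chain, name);
      if (!node || chain.includes(node)) continue; // edge missing from the lock, or a cycle
      const here = labels.concat(`${name}@${node.version}`);
      if (name === target) hits.push({ path: here.join(' > '), version: node.version });
      walk(chain.concat(node), here, node.requires);
    }
  }
  walk([root], [`${pkgJson.name}@${pkgJson.version}`], pkgJson.dependencies);
  return hits;
}

// Minimal semver: plain x.y.z versions; comparators joined by spaces (AND) and "||" (OR).
function compareVersions(a, b) {
  const parse = v => {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    if (!m) throw new Error(`unsupported version: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
function satisfies(version, range) {
  return range.split('||').some(set => set.trim().split(/\s+/).every(cmp => {
    const m = /^(<=|>=|<|>|=?)(.+)$/.exec(cmp);
    const c = compareVersions(version, m[2]);
    if (m[1] === '<') return c < 0;
    if (m[1] === '<=') return c <= 0;
    if (m[1] === '>') return c > 0;
    if (m[1] === '>=') return c >= 0;
    return c === 0;
  }));
}

// Paths to advisory.name whose resolved version is inside advisory.vulnerable.
const audit = (pkgJson, lock, advisory) =>
  findPaths(pkgJson, lock, advisory.name).filter(h => satisfies(h.version, advisory.vulnerable));

const PKG_JSON = { name: 'jpm', version: '1.3.1', dependencies: { 'sign-addon': '0.2.1' } };

// Constructed "before" tree: hoek reachable via jsonwebtoken's joi and via request's hawk.
const LOCK_BEFORE = {
  name: 'jpm', version: '1.3.1', lockfileVersion: 1,
  dependencies: {
    'sign-addon': { version: '0.2.1', requires: { jsonwebtoken: '7.4.3', request: '2.79.0' } },
    jsonwebtoken: { version: '7.4.3', requires: { joi: '6.10.1' } },
    joi: { version: '6.10.1', requires: { hoek: '2.16.3' } },
    request: { version: '2.79.0', requires: { hawk: '3.1.3', stringstream: '0.0.6' } },
    hawk: { version: '3.1.3', requires: { hoek: '2.16.3' } },
    hoek: { version: '2.16.3' },
    stringstream: { version: '0.0.6' },
  },
};

// Constructed "after" tree: jsonwebtoken 8.x without joi, request 2.87 with hawk 6.x. cryptiles
// wants a different boom major than hawk, so its copy is nested; a top-level scan would miss it.
const LOCK_AFTER = {
  name: 'jpm', version: '1.3.1', lockfileVersion: 1,
  dependencies: {
    'sign-addon': { version: '0.2.1', requires: { jsonwebtoken: '8.2.1', request: '2.87.0' } },
    jsonwebtoken: { version: '8.2.1' },
    request: { version: '2.87.0', requires: { hawk: '6.0.2' } },
    hawk: { version: '6.0.2', requires: { boom: '4.3.1', cryptiles: '3.1.2', hoek: '4.2.1' } },
    boom: { version: '4.3.1', requires: { hoek: '4.2.1' } },
    cryptiles: { version: '3.1.2', requires: { boom: '5.2.0' },
      dependencies: { boom: { version: '5.2.0', requires: { hoek: '4.2.1' } } } },
    hoek: { version: '4.2.1' },
  },
};

// Range assumed from memory of advisory 566; confirm it on the advisory page before relying on it.
const HOEK_ADVISORY = { name: 'hoek', vulnerable: '<4.2.1 || >=5.0.0 <5.0.3' };

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  console.log(label, audit(PKG_JSON, lock, HOEK_ADVISORY).map(h => h.path));
}
```

Against the "before" tree the audit reports both hoek paths; against the "after" tree it finds three paths to hoek (one through the nested boom copy) and none in the vulnerable range. On a real checkout, `npm ls hoek` answers the same reachability question from the installed tree, and the point of resolving through nested copies is that a grep over top-level entries in the lockfile does not.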

@rpl
Member

rpl commented May 23, 2018

@welwood08 @kumar303 @pdehaan I'm closing this PR in favor of #257 which updates both jsonwebtoken and request to their last versions, and applies the changes needed on the travis config.

@rpl rpl closed this May 23, 2018
@welwood08 welwood08 deleted the patch-1 branch May 30, 2018 08:09
4 participants