This repository has been archived by the owner on Jan 9, 2024. It is now read-only.
chore: Update dependencies using vulnerable hoek #254
Closed
There is a vulnerability in old versions of `hoek` and updating these 2 dependencies should lead to a version of `hoek` that is no longer affected. More information:

I was informed of this issue today by GitHub (and previously on several occasions by Snyk) since I depend on this package, so I expect I'm not alone in noticing this.

The test suite passes locally using bleeding-edge node/npm. I've checked usages of `jsonwebtoken` in the code and didn't spot anything affected by the major version bump; its dependency tree no longer features `hoek` at all and should be significantly lighter.

The Travis build on node 0.12 might fail due to lack of ES6 features used by the newer version of `hawk` in `request`, but this should be expected since `request` dropped support for node 0.12 with v2.77 (see request/request#2442)! If supporting that ancient version that reached EOL at the end of 2016 is still desired then migrating away from `request` to something like `needle` might be necessary.

Edit: seems the Travis node 4 build also failed, this time because the latest version of `npm` itself uses an ES6 feature not supported on node 4...

Edit 2: having checked the Snyk report more thoroughly, there are additional vulnerable dependencies that would be resolved or partially resolved by this PR:

- `tunnel-agent` < 0.6.0
- `ms` < 2.0.0 (still present via devDependencies `grunt-contrib-watch@1.0.0` and `mocha@3.1.2`)
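As an added example (not code from this PR or the repository), a small Node script that walks a nested npm dependency tree, as found in a package-lock.json v1 or `npm ls --json` output, and reports every path reaching a package below its first fixed version, flagging occurrences that only enter through devDependencies. The version thresholds for `tunnel-agent` and `ms` are the ones quoted above; the tree, the intermediate packages and all their versions are constructed for illustration, and the fixed version of `hoek` is deliberately not guessed.

```javascript
// Compare dotted numeric versions (prerelease tags ignored); negative if a < b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Walk a nested "dependencies" tree. fixedIn maps package name -> first
// non-vulnerable version. Returns [{ name, version, path, dev }] per hit,
// where dev is true when the path passes through a devDependency entry.
function findVulnerable(tree, fixedIn, path = [], dev = false) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const isDev = dev || info.dev === true;
    const here = [...path, `${name}@${info.version}`];
    if (fixedIn[name] && compareVersions(info.version, fixedIn[name]) < 0) {
      hits.push({ name, version: info.version, path: here.join(' > '), dev: isDev });
    }
    hits.push(...findVulnerable(info, fixedIn, here, isDev));
  }
  return hits;
}
// Ranges quoted in the PR. hoek's fixed version is not stated there, so it is
// left out rather than guessed; take it from the advisory when auditing.
const FIXED_IN = { 'tunnel-agent': '0.6.0', ms: '2.0.0' };
// Constructed sample tree: intermediate packages and versions are illustrative.
const SAMPLE_TREE = {
  dependencies: {
    request: { version: '2.79.0', dependencies: {
      'tunnel-agent': { version: '0.4.3' } } },
    'grunt-contrib-watch': { version: '1.0.0', dev: true, dependencies: {
      gaze: { version: '1.1.2', dependencies: { ms: { version: '0.7.1' } } } } },
    mocha: { version: '3.1.2', dev: true, dependencies: {
      debug: { version: '2.2.0', dependencies: { ms: { version: '0.7.1' } } } } },
    needle: { version: '2.2.0', dependencies: { ms: { version: '2.1.1' } } }
  }
};
const findings = findVulnerable(SAMPLE_TREE, FIXED_IN);
for (const f of findings) {
  console.log(`${f.dev ? '[dev] ' : ''}${f.name}@${f.version} via ${f.path}`);
}
```

On the sample tree this reports one runtime hit (`tunnel-agent` under `request`) and two dev-only hits for `ms`, mirroring the "still present via devDependencies" observation above.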