
Update hawk version #2875

Closed
wants to merge 1 commit into from

Conversation

santiagogil

PR Checklist:

  • I have run npm test locally and all tests are passing.
  • I have added/updated tests for any new behavior.
  • If this is a significant change, an issue has already been created where the problem / solution was discussed: [N/A, or add link to issue here]

PR Description

Update hawk version in order to avoid a known vulnerability in hoek.
request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439

Closes #2874

@hanjukim
Please merge to stop the security alerts!

@benwiggins

Re-install your packages and/or check your lockfile.
hawk@6.0.2 should be pulling in hoek@4.2.1 which is not vulnerable.

@compulim
hoek@<5.0.3 is vulnerable, published as CVE-2018-3728.

Starting from hawk@7.0.0, they use hoek@5.x.x.
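The check benwiggins and compulim describe above (re-install, then look at what the lockfile actually resolves for hoek), as an added example that is not code from the request project or from anyone in this thread. It walks a package-lock.json with lockfileVersion 1 nesting and reports every resolved copy of hoek that falls in the ranges the thread gives for CVE-2018-3728: below 4.2.1 (the fixed 4.x release benwiggins names) and 5.x below 5.0.3 (the cut-off compulim names). The lockfile content is constructed to mirror the chain quoted in the PR description; the function names, and treating those two cut-offs as the whole affected range, are assumptions.

```javascript
// Added example, not code from the request project or from this PR thread:
// walk an npm package-lock.json (lockfileVersion 1 nesting) and report every
// resolved copy of `hoek` inside the ranges the thread describes for
// CVE-2018-3728: below 4.2.1 (the fixed 4.x release named by benwiggins) and
// 5.x below 5.0.3 (the cut-off named by compulim). Treating those two
// cut-offs as the whole affected range is an assumption.

// Constructed lockfile fragment mirroring the chain quoted in the PR
// description (request@2.83.0 > hawk@6.0.2 > hoek@4.2.0), with a patched
// top-level hoek and a 5.x copy added for contrast. Not a real lockfile.
const SAMPLE_LOCK = {
  name: 'sample-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: '4.2.1' },
    request: {
      version: '2.83.0',
      dependencies: {
        hawk: {
          version: '6.0.2',
          dependencies: {
            hoek: { version: '4.2.0' },
            boom: { version: '4.3.1', dependencies: { hoek: { version: '4.2.0' } } },
          },
        },
      },
    },
    'some-lib': {
      version: '1.0.0',
      dependencies: { hoek: { version: '5.0.2' } },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison (no string compare, so 4.10.0 > 4.9.0): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Vulnerable if below 4.2.1, or a 5.x release below 5.0.3 (assumed range).
function isVulnerableHoek(version) {
  const [major] = parseVersion(version);
  if (major >= 5) return major === 5 && compareVersions(version, '5.0.3') < 0;
  return compareVersions(version, '4.2.1') < 0;
}

// Recursively collect every hoek entry with its path from the root.
function findHoek(deps, parents = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parents, `${name}@${entry.version}`];
    if (name === 'hoek') {
      hits.push({
        path: path.join(' > '),
        version: entry.version,
        vulnerable: isVulnerableHoek(entry.version),
      });
    }
    hits.push(...findHoek(entry.dependencies, path));
  }
  return hits;
}

// Paths of vulnerable copies only; a CI step can fail when this is non-empty.
function vulnerableHoekPaths(lock) {
  return findHoek(lock.dependencies)
    .filter((h) => h.vulnerable)
    .map((h) => h.path);
}

// Demo on the constructed lockfile; swap in JSON.parse(fs.readFileSync(...))
// to scan a real package-lock.json.
for (const hit of findHoek(SAMPLE_LOCK.dependencies)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\t${hit.path}`);
}
console.log(`${vulnerableHoekPaths(SAMPLE_LOCK).length} vulnerable hoek copies`);
```

On the constructed lockfile the walker flags the nested hoek@4.2.0 copies under hawk and boom and the 5.0.2 copy, and passes the top-level 4.2.1, which is exactly the situation benwiggins describes: the declared hawk@6.0.2 can be fine while a stale lock still pins an older hoek underneath it. Version comparison is done numerically on purpose; a string comparison would misorder releases such as 4.10.0 against 4.9.0.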

@@ -35,7 +35,7 @@
"forever-agent": "~0.6.1",
"form-data": "~2.3.1",
"har-validator": "~5.0.3",
"hawk": "~6.0.2",
"hawk": "~7.0.0",
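Review bot: the change from "~6.0.2" to "~7.0.0" crosses a major version while this hunk touches only the version constraint and no call site; the review thread notes that hawk 7 is no longer callback-based, yet request still calls hawk.server.authenticate(req, getCred, {}, function (err, credentials, attributes) { ... }), so that caller needs updating in the same change or the bump will break at runtime. It is also worth confirming the bump is needed at all: as noted in the conversation, hawk@6.0.2 already resolves hoek@4.2.1, which is outside the vulnerable range, so a lockfile refresh may be the whole fix.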

Did you check that this is sufficient and doesn't break anything? Hawk did a major version upgrade for a reason. The API is no longer callback-based [0].

As far as I can see, request uses this API [1].

[0] mozilla/hawk@f72cdea
[1]

hawk.server.authenticate(req, getCred, {}, function (err, credentials, attributes) {

@simov
Member

simov commented May 19, 2018

See #2943

@simov simov closed this May 19, 2018

6 participants