
Critical Security Vulnerability because of package-lock.json publishing #2777

Closed
natelaws opened this issue Jun 18, 2018 · 1 comment

@natelaws

The problem

The package-lock.json is being published and includes a reference to an old version of hoek which is considered to be a critical security vulnerability and is flagged as such on GitHub.

Generally this is fixed by using a newer version of the request library which no longer has this dependency. But there might be other things webdriverio uses that cause hoek to be included.

My recommendations are to either:

  1. Stop publishing package-lock.json
  2. Go through the dependencies and upgrade anything that is pulling in old hoek.

References:

I could do either, just wondering what the project prefers.
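Recommendation 2 above amounts to walking the lock file's nested dependency tree and locating every installed copy of hoek below the fixed version, together with the packages that pull it in. The following script is an added example, not code from this issue or from webdriverio; it works on a constructed lockfileVersion 1 sample embedded inline, and the "4.2.1" threshold is an assumed value for the demo rather than a figure taken from an advisory.

```python
import json

# Constructed sample in the lockfileVersion 1 layout (nested "dependencies",
# each node carrying "version" and "requires"); not webdriverio's real lock file.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 1,
  "dependencies": {
    "hoek": {"version": "4.2.1"},
    "request": {
      "version": "2.81.0",
      "requires": {"hawk": "~3.1.3"},
      "dependencies": {
        "hawk": {"version": "3.1.3", "requires": {"boom": "2.x.x", "hoek": "2.x.x"},
                 "dependencies": {"hoek": {"version": "2.16.3"}}},
        "boom": {"version": "2.10.1", "requires": {"hoek": "2.x.x"},
                 "dependencies": {"hoek": {"version": "2.16.3"}}}
      }
    }
  }
}
""")

def parse_version(v):
    """Compare plain MAJOR.MINOR.PATCH strings numerically (no prerelease tags)."""
    return tuple(int(p) for p in v.split(".")[:3])

def walk(deps, path=()):
    """Yield (name, node, path) for every installed node in the nested tree."""
    for name, node in deps.items():
        here = path + (f"{name}@{node['version']}",)
        yield name, node, here
        yield from walk(node.get("dependencies", {}), here)

def find_vulnerable(lock, target, fixed_in):
    """Paths (root > ... > target@version) of every installed copy of `target`
    older than `fixed_in`, mirroring how a nested node_modules tree is laid out."""
    return [" > ".join(path) for name, node, path in walk(lock.get("dependencies", {}))
            if name == target and parse_version(node["version"]) < parse_version(fixed_in)]

def find_requirers(lock, target):
    """Which packages declare a dependency on `target`, and with what range."""
    return sorted(f"{path[-1]} requires {target}@{node['requires'][target]}"
                  for _, node, path in walk(lock.get("dependencies", {}))
                  if target in node.get("requires", {}))

if __name__ == "__main__":
    # "4.2.1" is an assumed fixed-in threshold for this demo, not taken from an advisory.
    for hit in find_vulnerable(SAMPLE_LOCK, "hoek", "4.2.1"):
        print("vulnerable:", hit)
    for req in find_requirers(SAMPLE_LOCK, "hoek"):
        print("requirer:", req)
```

Running it against a real package-lock.json only needs `json.load(open("package-lock.json"))` in place of the sample; the requirer list tells you which package (here hawk and boom via request) has to be upgraded rather than the vulnerable leaf itself.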

@christian-bromann
Member

@natelaws thanks for letting me know. I thought package-lock would be ignored automatically but this was a false assumption since this project has a custom npmignore file.
