GitHub potential security vulnerability error for hoek node module
I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment).
Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall the order), which is more aligned with this comment (from JamesSingleton). (rm package-lock.json is only if it exists.)
Edit: In yet a third app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated the package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1 (specifically targeting that one holdout/primary component).
Edit: My solution for a Zurb Foundation 6 site: I updated all my packages to their major versions using npm outdated. I then ran:
npm i hoek@latest --save && npm up hoek
npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save
There were two holdouts: browser-sync 2.23.7 and node-sass 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.
npm update should work only if the vulnerable package is declared as a direct dependency of the project. But usually (as in the case of hoek) vulnerabilities lie in those packages which live down in your sub-dependency tree.
Since in my case I decided not to update all the dependencies of my project (by deleting and rebuilding the entire package-lock.json file), I went for the following (and, of course, more time-consuming) approach:
- find all the occurrences of the vulnerable package in my package-lock.json
- follow the dependency tree up to find which top-level packages import them
- uninstall and re-install those top-level packages using the same minor version
Like:
npm r package-1 package-2 && npm i package-1@^1.2.3 package-2@^1.2.3
This approach will work only if the vulnerable package was fixed and released, and the consuming packages import the vulnerable one with a loose version number open to patch or minor versions.
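The first two steps of that approach (find every copy of the vulnerable package in package-lock.json, then follow the tree up to the top-level packages that import it), as an added Node.js example that is not the answerer's code: it walks a constructed lockfileVersion 1 lock file with npm's nearest-ancestor lookup rule, lists every chain from a direct dependency down to hoek, and names the direct dependencies still pulling in a copy older than the 4.2.1 fix mentioned above. All package names, versions and the directDeps list are constructed sample values.

```javascript
// Constructed lockfileVersion 1 package-lock.json (sample versions, not a real
// project): the older hoek nested under uncss is the copy npm update misses.
const lock = { lockfileVersion: 1, dependencies: {
    hoek: { version: "4.2.1" },
    boom: { version: "4.3.1", requires: { hoek: "4.x.x" } },
    hawk: { version: "6.0.2", requires: { boom: "4.x.x", hoek: "4.x.x" } },
    request: { version: "2.81.0", requires: { hawk: "~6.0.2" } },
    "gulp-uncss": { version: "1.0.6", requires: { uncss: "^0.16.1" } },
    uncss: { version: "0.16.1", requires: { request: "^2.0.0" },
      dependencies: { // nested copies, visible only to uncss's subtree
        hoek: { version: "2.16.3" },
        boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
        hawk: { version: "3.1.3", requires: { boom: "2.x.x", hoek: "2.x.x" } },
        request: { version: "2.40.0", requires: { hawk: "3.1.x" } },
      },
    },
} };
const directDeps = ["request", "gulp-uncss"]; // as listed in package.json (constructed)

// npm's lookup rule for lockfile v1: nearest `dependencies` entry walking up to the root.
function resolve(name, ancestors) {
  const owner = [...ancestors].reverse().find((a) => a.dependencies && a.dependencies[name]);
  return owner ? owner.dependencies[name] : null;
}
// Every chain direct-dep > ... > target, each as an array of {name, version}.
function chainsTo(lockfile, directs, target) {
  const chains = [];
  function walk(name, ancestors, path) {
    if (path.some((p) => p.name === name)) return; // cycle guard
    const node = resolve(name, ancestors);
    if (!node) return;
    const here = path.concat({ name, version: node.version });
    if (name === target) { chains.push(here); return; }
    for (const dep of Object.keys(node.requires || {})) walk(dep, ancestors.concat(node), here);
  }
  for (const d of directs) walk(d, [lockfile], []);
  return chains;
}
function olderThan(a, b) { // plain x.y.z comparison, not full semver
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  const i = pa.findIndex((x, k) => x !== pb[k]);
  return i >= 0 && pa[i] < pb[i];
}
// Direct dependencies still pulling in `target` older than `fixed`: the ones to remove and reinstall.
function topLevelOffenders(lockfile, directs, target, fixed) {
  const bad = chainsTo(lockfile, directs, target).filter((c) => olderThan(c[c.length - 1].version, fixed));
  return [...new Set(bad.map((c) => c[0].name))];
}
chainsTo(lock, directDeps, "hoek").forEach((c) => console.log(c.map((p) => `${p.name}@${p.version}`).join(" > ")));
console.log("reinstall:", topLevelOffenders(lock, directDeps, "hoek", "4.2.1")); // [ 'gulp-uncss' ]
```

Against a real project, replace the inline lock object with JSON.parse of the project's package-lock.json and directDeps with the dependencies listed in its package.json.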
I used npm update hoek && npm install hoek and the package was updated to 5.0.3.
The vulnerability alert disappeared from my GitHub repo after that.