GitHub potential security vulnerability error for hoek node module

Today GitHub is showing the following error on my GitHub repository:

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

On clicking the Review vulnerable dependency button, the following message was displayed:

hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'

Until yesterday it was not showing this error. I have not pushed to this repository for more than 5 days. Any idea why it is happening?
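What the advisory calls "Modification of Assumed-Immutable Data via merge" is, concretely, prototype pollution: a crafted "__proto__" key in the input being merged is walked like any other key, and the recursion ends up writing into Object.prototype, which every plain object in the process inherits from. The following is an added illustration of that bug class, not hoek's code and not part of the original question: a deliberately naive recursive merge next to a hardened one, with a constructed attacker-controlled JSON body so the effect can be observed. The function names (naiveMerge, safeMerge, demonstrate) and the "isAdmin" flag are assumptions made for the example.

```javascript
// Added example: the merge bug class behind the hoek advisory. Not hoek's code.

// Vulnerable: walks every enumerable key of `source`, including "__proto__",
// which JSON.parse produces as an ordinary own property of the parsed object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes straight into the prototype shared by every plain object.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach the prototype chain instead of the object itself.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: only own keys are copied, and the keys that would reach the
// prototype chain are refused outright (the same idea as the upstream fix,
// not its code).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only recurse into a container the target actually owns.
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input (assumption for the example): e.g. a
// JSON request body that an application merges into its default settings.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Runs both merges against the crafted input and reports whether a fresh,
// unrelated object inherited the injected flag afterwards.
function demonstrate() {
  const probe = () => ({}).isAdmin === true;
  const result = {};

  naiveMerge({}, JSON.parse(ATTACKER_JSON));
  result.naivePolluted = probe();
  delete Object.prototype.isAdmin; // undo the pollution before the second run

  let safeRejected = false;
  try {
    safeMerge({}, JSON.parse(ATTACKER_JSON));
  } catch (e) {
    safeRejected = true;
  }
  result.safeRejected = safeRejected;
  result.safePolluted = probe();
  return result;
}

console.log(JSON.stringify(demonstrate()));
```

The probe checks a brand-new object literal that never touched the merge: if it reports isAdmin as true, the prototype itself was modified, which is why the advisory describes the data as "assumed immutable". Refusing the key (rather than silently skipping it) is a deliberate choice here so that an attempted injection surfaces in logs instead of disappearing.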


I used npm update hoek && npm install hoek, and the package was updated to 5.0.3.

The vulnerability alert disappeared from my GitHub repo after that.


I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment).

Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall the order), which is more aligned with this comment (from JamesSingleton).

(rm package-lock.json is only needed if the file exists.)

Edit: In yet a third app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1 (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 Site:

I updated all my packages to their latest major versions using npm outdated. I then ran:

npm i hoek@latest --save && npm up hoek

npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save

There were two holdouts: browser-sync 2.23.7 and node-sass 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after the commit.


Found a solution here.

Basically, in git bash, cd to your project folder and type the following commands:

npm i hoek
npm uninstall hoek
npm update
npm install

then

git add .
git commit -m 'update-hoek'
git push origin master

Now check your GitHub project page again, the warning should disappear.

Regards,
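Several of the answers above had to hunt for the "holdout" dependency that kept pulling an old hoek in (react-scripts-ts, browser-sync), and the alert is raised from package-lock.json, not package.json. The following is an added example, not code from any of the answers, that reads a package-lock.json, lists every copy of hoek with the dependency path that pinned it, and flags the copies still on a version without the fix. It assumes the fixed ranges stated in this thread (5.0.3 and later, or 4.2.1 and later on the 4.x line), and it goes slightly beyond the thread in also handling the flat "packages" map of lockfileVersion 2 and 3, not only the nested "dependencies" tree of lockfileVersion 1. The sample lock file embedded at the bottom is constructed for the example.

```javascript
// Added example: audit a package-lock.json for unfixed copies of hoek.
// Fixed ranges assumed from the answers above: >= 5.0.3, or 4.2.1 <= v < 5.0.0.

// "1.2.3-beta" -> [1, 2, 3]; anything unparseable -> null.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable unless >= 5.0.3, or on the 4.x line at >= 4.2.1.
function isVulnerableHoek(version) {
  const v = parseSemver(version);
  if (!v) return true; // unparseable version: treat as suspect, not as safe
  if (cmp(v, [5, 0, 3]) >= 0) return false;
  if (v[0] === 4 && cmp(v, [4, 2, 1]) >= 0) return false;
  return true;
}

// lockfileVersion 1: nested "dependencies" objects, one level per install dir.
function walkV1(deps, name, trail, out) {
  for (const [dep, entry] of Object.entries(deps || {})) {
    const path = trail.concat(dep);
    if (dep === name) out.push({ version: entry.version, path: path.join(' > ') });
    walkV1(entry.dependencies, name, path, out);
  }
}

// lockfileVersion 2/3: flat map keyed by install path, e.g.
// "node_modules/browser-sync/node_modules/hoek". The root key is "".
function walkPackages(packages, name, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    const parts = key.split('node_modules/').filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    if (parts.length && parts[parts.length - 1] === name) {
      out.push({ version: entry.version, path: parts.join(' > ') });
    }
  }
}

// Every installed copy of `name`, with the chain of parents that pinned it.
function findCopies(lock, name) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, name, out);
  else walkV1(lock.dependencies, name, [], out);
  return out;
}

function auditHoek(lock) {
  return findCopies(lock, 'hoek')
    .map((c) => ({ ...c, vulnerable: isVulnerableHoek(c.version) }));
}

// Constructed sample lock (lockfileVersion 1) mirroring the "holdout" case
// above: the top-level hoek is fixed, but a copy nested under browser-sync
// via hawk is not. Not a real project's lock file.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: '4.2.1' },
    'browser-sync': {
      version: '2.23.7',
      dependencies: {
        hawk: { version: '3.1.3', dependencies: { hoek: { version: '2.16.3' } } },
      },
    },
  },
};

// Usage: node audit-hoek.js [path/to/package-lock.json]
// Without an argument the constructed sample above is audited.
function report(lock) {
  const lines = auditHoek(lock).map(
    (c) => `${c.vulnerable ? 'VULNERABLE' : 'ok        '} hoek@${c.version}  via ${c.path}`
  );
  return lines.join('\n');
}

const lockPath = typeof process !== 'undefined' ? process.argv[2] : undefined;
const lockToAudit = lockPath
  ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
  : SAMPLE_LOCK;
console.log(report(lockToAudit));
```

The "via" column is the part that saves time: it names the parent that has to be upgraded (or that has to release a new version) before rm package-lock.json && npm install can pull in a fixed hoek, which is exactly the react-scripts-ts and browser-sync situation described above.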
