How to get rid of the ‘hoek’ vulnerabilities

Frontend | Unresolved | 3 | 1860
梦如初夏 2021-02-12 06:04

I recently pushed an Angular CLI 5 application to GitHub and it indicated the following:

We found a potential security vulnerability in one of your dependencies.

3 answers
  • 2021-02-12 06:51

    I was patient and they fixed the problem:

    npm update karma@latest
    

    should work.

  • 2021-02-12 06:52

    You should run rm package-lock.json && npm update && npm install; if this still doesn't fix your issue, you can then continue by running npm ls hoek, which should give you:

    ├─┬ fuse-box@3.3.0
    │ └─┬ request@2.81.0
    │   └─┬ hawk@3.1.3
    │     ├─┬ boom@2.10.1
    │     │ └── hoek@2.16.3
    │     ├── hoek@2.16.3
    │     └─┬ sntp@1.0.9
    │       └── hoek@2.16.3
    └── hoek@5.0.3
    

    Check the version of hawk against the one on npm hawk; if it doesn't tally, run npm i hawk --save or npm i hoek@latest --save. Then you should also run npm i karma@latest --save, then npm audit. After which I again ran my normal git commands:

    git add .
    git commit -m 'whatever_message'
    git push 
    

    Then you can go back to Github, the security vulnerability should be fixed.

  • 2021-02-12 06:59

    This answer addresses a similar hoek problem, and this answer explains non-vulnerability audit reports in detail.

    npm audit reports possible problems. They are not necessarily real problems that should be solved.

    A nested dependency like karma > log4js > loggly > request > hawk > boom > hoek may require forking numerous packages in the dependency chain if it has to be fixed.

    A prototype pollution diagnosis indicates a code smell. The reason why prototype pollution smells is that it can cause security problems. This is the reason why it's labeled as Moderate. It's unlikely that it causes any security risks in the hoek package due to how it works, regardless of how the package is used (that's important as well).

    Additionally, the karma > log4js > loggly > request > hawk > boom > hoek dependency chain means that the problem occurs in a development dependency. Most security problems are primarily applicable to dependencies that are used in production. This problem is specific to tests and Karma. It's virtually impossible that it is a threat.

    TL;DR: this is not a vulnerability. It has to be ignored. Any npm audit report should pass a sanity check before any efforts to fix it are made.

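The two answers above rely on the same two steps: read the dependency tree to find every path that ends at hoek (the npm ls hoek output in the second answer), then decide which of those paths actually matter by checking whether they ship to production or only exist through devDependencies (the karma > ... > hoek argument in the third answer). The Node script below is an added example, not code from any of the answers or from npm; it walks a package-lock.json in the lockfileVersion 1 layout (each entry has "version", an optional "dev": true, and a nested "dependencies" map) and does both steps. The lockfile object, the package versions in it, and the "any hoek 2.x is affected" predicate are constructed for the example; take the real affected range from the advisory in your own audit output.

```javascript
// Added example (not from the answers above): find every path to a package in a
// package-lock.json (lockfileVersion 1 layout) and split affected paths into
// production vs dev-only. The lockfile below is CONSTRUCTED to mirror the
// karma > log4js > loggly > request > hawk > boom > hoek chain from the thread.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    karma: {
      version: "2.0.0",
      dev: true, // reachable only via devDependencies
      dependencies: {
        log4js: {
          version: "2.5.3",
          dev: true,
          dependencies: {
            loggly: {
              version: "1.1.1",
              dev: true,
              dependencies: {
                request: {
                  version: "2.75.0",
                  dev: true,
                  dependencies: {
                    hawk: {
                      version: "3.1.3",
                      dev: true,
                      dependencies: {
                        boom: {
                          version: "2.10.1",
                          dev: true,
                          dependencies: { hoek: { version: "2.16.3", dev: true } },
                        },
                        hoek: { version: "2.16.3", dev: true },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    hoek: { version: "5.0.3" }, // direct production dependency, no "dev" flag
  },
};

// Depth-first walk of the nested "dependencies" maps. Returns one record per
// path that ends at `target`: the printable chain, the resolved version, and
// whether npm marked that copy as dev-only.
function findPaths(lock, target) {
  const results = [];
  function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${info.version}`];
      if (name === target) {
        results.push({ path: path.join(" > "), version: info.version, dev: info.dev === true });
      }
      walk(info.dependencies, path); // nested copies live under the parent entry
    }
  }
  walk(lock.dependencies, []);
  return results;
}

// Bucket the paths the way the third answer reasons about them: affected copies
// that ship to production are worth the forking effort, affected dev-only copies
// are test tooling, and everything else is already outside the affected range.
// `isAffected` is the caller's predicate taken from the advisory.
function triage(paths, isAffected) {
  const affected = paths.filter((p) => isAffected(p.version));
  return {
    production: affected.filter((p) => !p.dev).map((p) => p.path),
    devOnly: affected.filter((p) => p.dev).map((p) => p.path),
    unaffected: paths.filter((p) => !isAffected(p.version)).map((p) => p.path),
  };
}

// Example run. "Any hoek 2.x is affected" is an ASSUMED placeholder range.
const report = triage(findPaths(sampleLock, "hoek"), (v) => v.startsWith("2."));
console.log(JSON.stringify(report, null, 2));
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))` and the predicate with the range from your npm audit output; an empty `production` bucket is the signal the third answer describes, while a non-empty one tells you exactly which top-level package to bump first.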