Github potential security vulnerability error for hoek node module

  • A+

Today github is showing following error on my github repository:

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

On clicking on Review vulnerable dependency button following message was displayed:

hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'

Till yesterday it was not showing such error. I have not done any push to this repository for more than 5 days. Any idea why it is happening.

I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment.)

Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall order), which is more aligned with this comment (from JamesSingleton).

(rm package-lock.json is only if it exists.)

Edit: In yet a 3rd app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated the package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1. (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 Site:

I updated all my packages to their major versions using npm outdated. I then ran:

npm i hoek@latest --save && npm up hoek

npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save

There were two holdouts; browser-sync : 2.23.7 and node-sass : 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.


:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: