Today GitHub is showing the following error on my GitHub repository:
We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.
On clicking the "Review vulnerable dependency" button, the following message was displayed:
hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'
Until yesterday it was not showing such an error. I have not done any push to this repository for more than 5 days. Any idea why this is happening?
rm package-lock.json && npm update && npm install
For me this updated to 4.2.1, which also contains the fix (per this comment).

Edit: In another app, I ran rm package-lock.json and then either
    npm i hoek && npm up && npm i && npm un hoek
or
    npm i hoek && npm un hoek && npm up && npm i
(can't recall the order), which is more aligned with this comment (from JamesSingleton). (rm package-lock.json is only needed if the file exists.)

Edit: In yet a 3rd app, I checked npm outdated and found I had to upgrade to 2.15.1. For this, I updated package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1 (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 site: I updated all my packages to their major versions using npm outdated. I then ran:
    npm i hoek@latest --save && npm up hoek
    npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save
There were two holdouts, browser-sync 2.23.7 and node-sass 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.
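An added example (not code from the question or the answer) of locating every copy of hoek in a lockfileVersion 1 package-lock.json, with the nested path that tells you which parent package is the holdout to upgrade. The fixed-version rule (5.0.3 from the GitHub message, plus the 4.2.1 backport the answer mentions) and the sample lockfile are assumptions constructed for this illustration.

```javascript
// Added example, not from the question or answer. Walks a lockfileVersion 1
// package-lock.json (nested "dependencies" objects) and reports each hoek copy.
// Fixed-version rule is an assumption taken from the page: 5.0.3+ (GitHub
// message) and the 4.2.1 backport (answer); anything else below 5.0.3 is flagged.
function hoekIsFixed(version) {
  const [major, minor, patch] = version.split('.').map(Number);
  if (major >= 6) return true;                                        // assumption: later majors keep the fix
  if (major === 5) return minor > 0 || patch >= 3;                    // 5.0.3 and later
  if (major === 4) return minor > 2 || (minor === 2 && patch >= 1);   // 4.2.1 backport and later
  return false;                                                       // 0.x-3.x: no fixed release
}

// Recursively collect every hoek entry, keeping the dependency trail so the
// parent package that pins the old copy can be identified and updated.
function findHoek(deps, trail = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (name === 'hoek') {
      out.push({ path: path.join(' > '), version: entry.version, fixed: hoekIsFixed(entry.version) });
    }
    findHoek(entry.dependencies, path, out);
  }
  return out;
}

// Only the copies that still need attention.
function vulnerableHoek(lock) {
  return findHoek(lock.dependencies).filter((e) => !e.fixed);
}

// Constructed sample lockfile: a fixed top-level hoek plus an old copy
// nested under a transitive dependency (versions are illustrative only).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: '4.2.1' },
    'gulp-uncss': {
      version: '1.0.0',
      dependencies: {
        request: { version: '2.81.0',
          dependencies: { hawk: { version: '3.1.3', dependencies: { hoek: { version: '2.16.3' } } } } },
      },
    },
  },
};

for (const e of vulnerableHoek(sampleLock)) {
  console.log(`${e.path} (${e.version}) still vulnerable`);
}
```

Run it against a real lockfile by replacing sampleLock with JSON.parse(fs.readFileSync('package-lock.json')); the printed trail shows which package to bump (or which holdout to wait on).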