Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade request@2.85.0 #189

Closed
wants to merge 1 commit into from
Closed

Upgrade request@2.85.0 #189

wants to merge 1 commit into from

Conversation

epheph
Copy link

@epheph epheph commented Apr 26, 2018

Fixes hoek vulnerability

@epheph epheph mentioned this pull request Apr 26, 2018
Closed
@coveralls
Copy link

Coverage Status

Coverage remained the same at 95.77% when pulling 488c37f on epheph:master into 83ff2cb on nickmerwin:master.

1 similar comment
@coveralls
Copy link

coveralls commented Apr 26, 2018
edited
Loading

Coverage Status

Coverage remained the same at 95.77% when pulling 488c37f on epheph:master into 83ff2cb on nickmerwin:master.

@davedoesdev
Copy link

davedoesdev commented Apr 26, 2018
edited
Loading

If I do npm install coveralls it brings in hoek 4.2.1 which is not vulnerable.
This PR isn't required to fix the hoek vulnerability.

https://nodesecurity.io/advisories/566
hapijs/hoek#230

@epheph
Copy link
Author

epheph commented Apr 26, 2018
edited
Loading

By itself, that's true. Other dependencies in your package.json can cause a vulnerable hoek to be used by coveralls. This package.json:

{
  "name": "some-package",
  "version": "4.11.0-6",
  "devDependencies": {
    "babel-cli": "6.26.0",
    "coveralls": "2.13.3"
  }
}

ends up with this, due to dedupe

└─┬ coveralls@2.13.3
  └─┬ request@2.79.0
    ├─┬ hawk@3.1.3
    │ ├─┬ boom@2.10.1
    │ │ └── hoek@2.16.3 deduped

@ghost
Copy link

ghost commented Apr 27, 2018

I'm here because I was about to open a PR of the same nature, too. One of my packages is flagged as being affected by CVE-2018-3728 and my trace got me here.

@davedoesdev
Copy link

@epheph that's true but if you use coveralls 3.0.0 then you get a fixed hoek:

{
  "name": "some-package",
  "version": "4.11.0-6",
  "devDependencies": {
    "babel-cli": "6.26.0",
    "coveralls": "3.0.0"
  }
}

produces:

└─┬ coveralls@3.0.0
  └─┬ request@2.85.0
    ├─┬ hawk@6.0.2
    │ ├─┬ boom@4.3.1
    │ │ └── hoek@4.2.1 deduped

@davedoesdev
Copy link

There would be a problem if you used a package which fixed request at a lower version than coveralls 3.0.0 does (coveralls uses ^2.79.0).

But shouldn't that be fixed in that package rather than coveralls?

@ghost
Copy link

ghost commented Apr 27, 2018

Hello @davedoesdev this is true; however, hoek@4.2.1 isn't "fixed":

screen shot 2018-04-27 at 2 22 03 pm

@davedoesdev
Copy link

davedoesdev commented Apr 27, 2018
edited
Loading

Yes 😃

@github are using old data: hapijs/hoek#230 (comment)

https://nodesecurity.io/advisories/566

@ghost
Copy link

ghost commented Apr 27, 2018

@davedoesdev Oh, that's interesting. Thank you for the links!

jgravois added a commit to jgravois/karma-coveralls that referenced this pull request Apr 27, 2018
@jgravois
bump dependency to address security vulnerability
22bdf86 
see:
nickmerwin/node-coveralls#189 (comment)
http://nodesecurity.io/advisories/566
hapijs/hoek#230
@jgravois jgravois mentioned this pull request Apr 27, 2018
Merged
@nickmerwin
Copy link
Owner

Thanks everyone for the review, closing for now.

@nickmerwin nickmerwin closed this May 1, 2018
@davedoesdev
Copy link

FYI github is now marking hoek 4.2.1 as fixed. Re-installing dependencies should get rid of the warning.

@nickmerwin
Copy link
Owner

@daleharvey thanks, dependencies are updated and warning is gone now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@epheph @coveralls @davedoesdev @nickmerwin