Security alert (hoek package) #6399

Open
philipmjohnson opened this issue May 18, 2018 · 5 comments

@philipmjohnson

After running npm install semantic-ui --save and committing my repo to github, I get the following security alert:

[screenshot, 2018-05-18: GitHub security alert on the repository]

This is related to the hoek package.

Because the install process does not result in a package.json file, but only a package-lock.json, I am not sure how to fix this locally.

@blaytenshi

Are you using create-react-app? I've run into a bunch of security issues related to libraries used by create-react-app recently.

The best way to resolve them, in my experience, is to run npm audit in console/terminal which will tell you where the vulnerabilities are and if you scroll through the entire output, it will tell you the command to run to update the packages so the vulnerability is patched.

@philipmjohnson

@blaytenshi Thanks, this is helpful. But hopefully the semantic ui maintainers will want to remove the security issue from their code as well.

@designosis

designosis commented May 23, 2018

@philipmjohnson You're not wrong, but as @philrykoff points out in #4987 (comment) ...

"While upgrading [a dependency] certainly makes sense if a newer version is available, as long as [they're not used in your] production environment you are not affected."

My npm audit has 18 vulnerabilities, all dependencies of Semantic-UI's build process. As none are public facing, there's no need for concern. Still, it frustrates me how infrequently dependencies are updated ... there's some remarkably obsolete stuff in Semantic-UI's package.json.

@blaytenshi

@philipmjohnson If you've updated to the latest npm (I believe 6 and above) you can run the command npm audit fix and it should fix most of it for you.

@philipmjohnson

@blaytenshi Thanks, but npm audit fix requires package.json, which is not provided when I download the semantic-ui distribution according to the directions. To fix things, I had to:

npm audit fix
npm WARN gulp-debug@4.0.0 requires a peer of gulp@>=4 but none is installed. You must install peer dependencies yourself.
npm WARN The package merge-stream is included as both a dev and production dependency.

+ gulp-copy@1.1.0
updated 1 package in 3.976s
fixed 1 of 14 vulnerabilities in 4208 scanned packages
  4 vulnerabilities required manual review and could not be updated

1 out of 14 doesn't seem too good, so let's try npm audit fix --force:

npm audit fix --force
npm WARN using --force I sure hope you know what you are doing.
npm WARN deprecated graceful-fs@3.0.11: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN The package merge-stream is included as both a dev and production dependency.

+ gulp-less@4.0.0
+ gulp@4.0.0
added 131 packages from 137 contributors, removed 12 packages, updated 30 packages and moved 5 packages in 17.12s
fixed 9 of 14 vulnerabilities in 4151 scanned packages
  5 vulnerabilities required manual review and could not be updated
  2 package updates for 9 vulns involved breaking changes
  (installed due to `--force` option)

Committing the resulting package-lock.json satisfied GitHub; I am no longer getting security vulnerability alerts.

This seems like a lot of work for each person wanting to create a custom theme in semantic ui. Better that the system developers just fix their package.json?
