This repository has been archived by the owner on Aug 19, 2022. It is now read-only.

Update udaru-hapi-plugin dependencies to the latest @hapi scope to fix a vulnerability issue #581

Merged

Conversation

@allbto (Contributor) commented Oct 9, 2019

When running npm audit on my node project I received:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ subtext                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nearform/udaru-hapi-plugin                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nearform/udaru-hapi-plugin > hapi > subtext                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1168                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 3627 scanned packages
  1 vulnerability requires manual review. See the full report for details.

There is no way to fix this issue on my own, because the hapi and subtext dependencies are not maintained (they moved to @hapi/hapi and @hapi/subtext), therefore the npm audit fix command couldn't solve the issue. The only way to fix it is to update the @nearform/udaru-hapi-plugin dependencies.

In this PR I've updated the following dependencies:

  • "boom": "^7.2.2" -> "@hapi/boom": "^8.0.1"
  • "hoek": "^6.1.3" -> "@hapi/hoek": "^8.3.0"

And I noticed that the hapi package was only used in tests and not in the main code, so I moved "hapi": "^18.1.0" to devDependencies as "@hapi/hapi": "^18.4.0".

I've also updated the devDependencies:

  • "code": "^5.2.4" -> "@hapi/code": "^6.0.0"
  • "lab": "^18.0.2" -> "@hapi/lab": "^20.4.0"

Let me know if anything else is needed in order to merge this PR.
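The migration described in this PR, expressed as a script (an added example, not code from the udaru project or the PR author). It rewrites the legacy unscoped hapi-ecosystem packages in a package.json object to their @hapi-scoped successors, using the name/version pairs listed above, moves packages the caller marks as test-only from dependencies to devDependencies (the PR does this for hapi), and reads an npm audit "Path" value to tell whether the legacy hop is a direct dependency you can fix yourself or sits inside another package and needs an upstream fix, which is the situation reported here. The function names, the `moveToDev` option and the sample package.json are constructed for this example.

```javascript
// Added example (not from the udaru project or this PR): migrate legacy unscoped
// hapi packages to the @hapi scope. Name/version targets come from the PR text;
// helper names, the moveToDev option and SAMPLE_PACKAGE_JSON are constructed.

const LEGACY_TO_SCOPED = {
  boom: { name: "@hapi/boom", range: "^8.0.1" },
  hoek: { name: "@hapi/hoek", range: "^8.3.0" },
  hapi: { name: "@hapi/hapi", range: "^18.4.0" },
  code: { name: "@hapi/code", range: "^6.0.0" },
  lab: { name: "@hapi/lab", range: "^20.4.0" },
};

// hasOwnProperty guard so names like "constructor" never match a prototype key.
const isLegacy = (name) => Object.prototype.hasOwnProperty.call(LEGACY_TO_SCOPED, name);

// npm writes dependency sections with sorted keys; keep the output diff-friendly.
function sorted(obj) {
  return Object.fromEntries(Object.keys(obj).sort().map((k) => [k, obj[k]]));
}

// Rewrite legacy names in both sections. `moveToDev` lists packages that are only
// used by tests and therefore belong in devDependencies (hapi, in this PR).
function migrateHapiScope(pkg, { moveToDev = [] } = {}) {
  const out = JSON.parse(JSON.stringify(pkg)); // never mutate the caller's object
  const testOnly = new Set(moveToDev);
  const changes = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const deps = out[section];
    if (!deps) continue;
    // Object.entries snapshots the keys, so deleting while iterating is safe.
    for (const [name, range] of Object.entries(deps)) {
      if (!isLegacy(name)) continue;
      const target = LEGACY_TO_SCOPED[name];
      delete deps[name];
      let dest = section;
      if (section === "dependencies" && testOnly.has(name)) {
        dest = "devDependencies";
        if (!out.devDependencies) out.devDependencies = {};
      }
      out[dest][target.name] = target.range;
      changes.push({ from: `${name}@${range}`, to: `${target.name}@${target.range}`, section: dest });
    }
  }
  for (const section of ["dependencies", "devDependencies"]) {
    if (out[section]) out[section] = sorted(out[section]);
  }
  return { pkg: out, changes };
}

// Parse an npm audit "Path" value such as
// "@nearform/udaru-hapi-plugin > hapi > subtext" and locate the first legacy hop.
// direct === true means your own package.json can fix it; otherwise `owner` is
// the package that has to migrate before `npm audit fix` can help you.
function legacyHopInAuditPath(auditPath) {
  const hops = auditPath.split(">").map((h) => h.trim()).filter(Boolean);
  const idx = hops.findIndex(isLegacy);
  if (idx < 0) return null;
  return { name: hops[idx], direct: idx === 0, owner: idx === 0 ? null : hops[idx - 1] };
}

// Constructed sample mirroring the pre-PR manifest state described above.
const SAMPLE_PACKAGE_JSON = {
  name: "udaru-hapi-plugin-sample",
  dependencies: { boom: "^7.2.2", hapi: "^18.1.0", hoek: "^6.1.3", "some-other-lib": "^1.0.0" },
  devDependencies: { code: "^5.2.4", lab: "^18.0.2" },
};

function runSample() {
  return migrateHapiScope(SAMPLE_PACKAGE_JSON, { moveToDev: ["hapi"] });
}

if (typeof require !== "undefined" && require.main === module) {
  const { pkg, changes } = runSample();
  for (const c of changes) console.log(`${c.from} -> ${c.to} (${c.section})`);
  console.log(JSON.stringify(pkg, null, 2));
  console.log(legacyHopInAuditPath("@nearform/udaru-hapi-plugin > hapi > subtext"));
}
```

Run it with `node migrate-hapi-scope.js` to see the five rewrites and the resulting manifest; for the audit path quoted in this PR, `legacyHopInAuditPath` reports `direct: false` with `@nearform/udaru-hapi-plugin` as the owner, which is why the fix had to land in this repository rather than in the reporting project. Whether a package really is test-only is not derivable from package.json alone, so `moveToDev` is an explicit input, matching the manual check the PR author made.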

@coveralls

Coverage Status

Coverage remained the same at 94.086% when pulling a225baf on allbto:fix/hapi-plugin-libs-scope into 09cf319 on nearform:master.

@mcollina (Contributor) left a comment

LGTM

@cianfoley-nearform cianfoley-nearform merged commit 9f52e2e into nearform:master Oct 11, 2019
@allbto allbto deleted the fix/hapi-plugin-libs-scope branch October 14, 2019 09:07