# Vulnerability in hoek package #2926

opened this Issue Apr 26, 2018 · 28 comments

### warpdesign commented Apr 26, 2018

There is a vulnerability in the hoek package, which is required by hawk, which request depends on. Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem.

### crccheck commented Apr 27, 2018 • edited

I tried just bumping to hawk v7.0.7 earlier today but the test broke. I had to jump off to do something else but I only got as far as this faster way to run the test: `npx taper tests/test-hawk.js`

### dan-nl commented Apr 27, 2018 • edited

As far as I understand it, the issue is with a CVE, https://nvd.nist.gov/vuln/detail/CVE-2018-3728, regarding hoek < v5.0.3; request v2.85.1 requires hawk ~6.0.2, which requires hoek 4.x.x. request requires hawk ~6.0.2 to maintain compatibility with node 4. The CVE states that "hoek node module before 5.0.3 suffers from …" and references hapijs/hoek@32ed5c9 as a fix in hoek v5.0.3. However, hoek v4.2.1 also has that fix: hapijs/hoek@5aed1a8, https://github.com/hapijs/hoek/blob/v4.2.1/lib/index.js#L116. Thus, it appears that the CVE is incorrectly considering hoek v4.2.1 as vulnerable, and this may be why so many GitHub repos are now reporting a vulnerability. I sent an email to nvd.nist.gov about the issue.

### Bjornskjald commented Apr 27, 2018

 See here: #2891 (comment)

### PhilippeVay commented Apr 27, 2018

To confirm the findings of dan-nl, both links from securityfocus and hackerone in the CVE state that it has been fixed:

> Not Vulnerable: Hoek Hoek 4.2.1 | Hoek Hoek 5.0.3

> vdeturckheim posted a comment. Feb 15th (2 months ago)
> Fix has been backported to 4.x track of the module and published as 4.2.1. (see hapijs/hoek#231)

and it's confirmed by @nlf in hapijs/hoek#230 (comment):

> It has been fixed. To further discuss, (…)

### jfoclpf commented Apr 27, 2018 • edited

@warpdesign you said

> Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem

But how do I do that if I don't have hawk directly as a dependency?

```
autocosts@5.4.4 /home/jfolpf/autocosts
└─┬ request@2.85.0
  └─┬ hawk@6.0.2
    ├─┬ boom@4.3.1
    │ └── hoek@4.2.1 deduped
    ├─┬ cryptiles@3.1.2
    │ └─┬ boom@5.2.0
    │   └── hoek@4.2.1 deduped
    ├── hoek@4.2.1
    └─┬ sntp@2.1.0
      └── hoek@4.2.1 deduped
```

Which npm command? `npm update request` didn't do the job. Nor `npm update hoek`. Thanks

### jbreckmckye commented Apr 27, 2018

 You can't. You have to wait until Request publishes a new version that uses Hawk 7. That's the problem.

### johnbeech commented Apr 27, 2018

 Can confirm, I've had 6 repos flagged by github for having the hoek vulnerability because of the request library.

### warpdesign commented Apr 27, 2018

@jfoclpf I guess it should be possible to temporarily fix the problem by publishing forks with an updated version. But you don't want to go down this road. Better wait for an official resolution (which shouldn't be long to come, since the CVE state just needs to be updated for hoek v4.2.1).

### jfoclpf commented Apr 27, 2018 • edited

 According to what I have been told from other packages, it's a false positive from github. There is no vulnerability in that version of hoek. Nonetheless it's annoying and thus let's wait for an official update of request.

### dscalzi commented Apr 27, 2018

The Node.js 4.x release line is going end of life April 30th, compatibility with it should not be a concern after then.

### nlf commented Apr 27, 2018

Yes, hi 👋 hoek maintainer here. Version 4.2.1 has been patched. GitHub's alerts are currently wrong. I've submitted a request to correct the version range in the CVE and also harassed some kind folks at GitHub to take care of things on their end. Hopefully they'll stop reporting that version as vulnerable soon.

### yumetodo commented Apr 28, 2018

#2926 (comment)

> version 4.2.1 has been patched

hapijs/hoek#247 (comment)

> I submitted a request to update the CVE, hopefully that'll happen soon and GitHub can get their db updated. Until that happens this is all out of my hands. I'm leaving this open in the hopes other people will find it.

!?

### dan-nl commented Apr 29, 2018 • edited

- hawk >= v7.0.0 drops support for node 4 and 6: https://github.com/hueniverse/hawk/blob/v7.0.1/.travis.yml
- hawk >= v7.0.0 includes hoek 5.x.x: https://github.com/hueniverse/hawk/blob/master/package.json#L19
- hoek v5.x.x drops support for node 4 and 6: https://github.com/hapijs/hoek/blob/v5.0.0/.travis.yml

### diamont1001 commented May 2, 2018

How is this issue going now, please?

### diamont1001 commented May 2, 2018

@Bjornskjald are u sure? `request@2.85.0/1 -> hawk@6.0.2 -> hoek@4.x.x`

### Bjornskjald commented May 2, 2018

 @diamont1001 hoek 4.2.1 has the bugfix backported

### Bjornskjald commented May 2, 2018 • edited

 @diamont1001 because if you weren't lazy enough to read the whole discussion, you would see it's a bug with GitHub and hoek maintainer already contacted them...

### JessicaSachs commented May 3, 2018

 @nlf Thanks for updating this thread earlier! Any response from Github yet? I'm considering pinging them as well...

### debragail commented May 4, 2018

 status update?

### cmfcmf commented May 4, 2018

> status update?

@phillmv from @github staff has posted an explanation at hapijs/hoek#247 (comment):

> [...] We fixed the versions we alert on back on Monday, and I personally deleted all the bad alerts earlier today. [...]

### NadGu commented May 24, 2018

Hi, I have read all the discussion but I am still having the issue. I have run `npm audit` and it reported about 11 vulnerabilities in the hoek package. I have updated it to 7.0.7 but nothing changed. I have also updated the hawk package as suggested above but still nothing changed. Can you help me please?

### NadGu commented May 24, 2018

 @diamont1001 done right now. The version of hoek is 4.2.1. What can I do to update it?

### diamont1001 commented May 24, 2018

hoek@4.2.1 is ok. I think that u just have to wait for GitHub to refresh the data; at least that is what I did at the time, and it worked.

### NadGu commented May 24, 2018

 @diamont1001 So let's wait! At least I did all that I could. Thank you!

### phillmv commented May 24, 2018

 @NadGu Hi! Are you saying you have a repository on GitHub where we're still flagging a version of 4.2.1 as being vulnerable? That shouldn't be happening! Please email support@github.com with the repository link and mention @phillmv and we'll take it from there :).

