Github potential security vulnerability error for hoek node module

npm update should work only if the vulnerable package is declared as a direct dependency of the project. But usually (as in the case of hoek) vulnerabilities lie in those packages which live down in your sub-dependency tree.

Since in my case I decided not to update all the dependencies of my project (by deleting and rebuilding the entire package-lock.json file), I went for the following (and, of course, more time-consuming) approach:

  • find all the occurrences of the vulnerable package in my package-lock.json
  • follow up the dependency tree to find which top-level packages import them
  • uninstall and re-install those top-level packages using the same minor version

Like:

npm r package-1 package-2 && npm i package-1@^1.2.3 package-2@^1.2.3

This approach will work only if the vulnerable package was fixed and released and the consuming packages import the vulnerable one with a loose version number open to patch or minor versions.
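The first two steps above (find the vulnerable package in package-lock.json and follow the tree up to the top-level packages that import it), as an added example that is not code from the answer: it walks a lockfileVersion 1 lockfile together with package.json, resolving names the way nested node_modules lookup does. The lockfile and package.json contents are constructed.

```javascript
// Added example (not from the answer): walk a lockfileVersion 1 package-lock.json
// and report which direct dependencies pull in a vulnerable package such as hoek,
// with the full chain for each. Lockfile and package.json data are constructed.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    request: { version: '2.81.0', requires: { hawk: '~3.1.3' } },
    hawk: { version: '3.1.3', requires: { boom: '2.x.x', hoek: '2.x.x' } },
    boom: { version: '2.10.1', requires: { hoek: '2.x.x' } },
    hoek: { version: '2.16.3' },
    'gulp-uncss': { version: '1.0.6', requires: { uncss: '^0.16.0' },
      // nested node_modules copy, visible only under gulp-uncss
      dependencies: { uncss: { version: '0.16.1', requires: { request: '^2.79.0' } } } },
    lodash: { version: '4.17.5' },
  },
};
const samplePkg = { dependencies: { request: '^2.81.0', 'gulp-uncss': '^1.0.6', lodash: '^4.17.5' } };

// Resolve a name the way node_modules lookup does: innermost scope first.
function resolveEntry(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Returns { 'direct@version': ['direct@v > ... > vuln@v', ...] } for every
// direct dependency (package.json dependencies/devDependencies) whose tree reaches vulnName.
function findImporters(lock, pkg, vulnName) {
  const direct = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  const result = {};
  function walk(name, scopes, path) {
    const entry = resolveEntry(name, scopes);
    if (!entry || path.some((p) => p.startsWith(name + '@'))) return; // unresolved or cycle
    const chain = [...path, `${name}@${entry.version}`];
    if (name === vulnName) {
      (result[chain[0]] = result[chain[0]] || []).push(chain.join(' > '));
      return;
    }
    const next = entry.dependencies ? [...scopes, entry.dependencies] : scopes;
    for (const dep of Object.keys(entry.requires || {})) walk(dep, next, chain);
  }
  for (const d of direct) walk(d, [lock.dependencies], []);
  return result;
}

console.log(JSON.stringify(findImporters(sampleLock, samplePkg, 'hoek'), null, 2));
```

The keys of the result are the top-level packages to remove and re-install in the third step; a direct dependency that is absent from the output (lodash here) does not need touching.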


I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment).

Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall order), which is more aligned with this comment (from JamesSingleton).

(rm package-lock.json is only if it exists.)

Edit: In yet a 3rd app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated the package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1. (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 Site:

I updated all my packages to their major versions using npm outdated. I then ran:

npm i hoek@latest --save && npm up hoek

npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save

There were two holdouts; browser-sync : 2.23.7 and node-sass : 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.