
After running npm audit I have a moderate warning (this is just one of them):

Moderate      │ Prototype pollution
Package       │ hoek
Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of │ karma
Path          │ karma > log4js > loggly > request > hawk > sntp > hoek

I can see that hoek is a dependency of karma (further down the chain). Looking at the Karma repo on GitHub, I can see that this has been raised, but no immediate fix has been prioritised.

Is this something that we just have to accept for now until they have updated their dependencies, or can we tell our application to use a more recent version of hoek and apply it to all packages?

Estus Flask
Richlewis
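The "Path" column in the audit output above can be reproduced from package-lock.json, and the resolved version compared against the "Patched in" range, with a small script. The following is an added example and not part of the original question: it walks a lockfileVersion 1 lockfile the way Node resolves nested node_modules directories (innermost "dependencies" map first, then outward to the root), and the lockfile, the direct-dependency list and every version number embedded in it are constructed for illustration, not the real release history of these packages. It needs Node 12 or later for `String.prototype.matchAll`.

```javascript
'use strict';
// Added example (not from the original post): reproduce the "Path" column of
// `npm audit` from a lockfileVersion 1 package-lock.json and compare every
// reachable copy of a package against the advisory's "Patched in" range.

// Three-part numeric comparison; pre-release tags are out of scope here.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a range written the way npm audit prints it, e.g. "> 4.2.0 < 5.0.0 || >= 5.0.3":
// alternatives are OR-ed with "||", comparators inside one alternative are AND-ed.
const OPS = { '>': (c) => c > 0, '>=': (c) => c >= 0, '<': (c) => c < 0, '<=': (c) => c <= 0, '=': (c) => c === 0 };
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comps = [...alt.matchAll(/(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)/g)];
    return comps.length > 0 && comps.every(([, op = '=', v]) => OPS[op](cmpVersion(version, v)));
  });
}

// Node resolves require('x') by walking up the node_modules directories; in the
// lockfile that is the chain of nested "dependencies" maps, innermost first.
function resolve(name, scopes) {
  const scope = scopes.find((s) => s && Object.prototype.hasOwnProperty.call(s, name));
  return scope ? scope[name] : null;
}

// Return every dependency chain from a direct dependency down to `target`,
// together with the version that chain actually resolves to.
function findPaths(lock, directDeps, target) {
  const found = [];
  function walk(entry, scopes, path) {
    const childScopes = entry.dependencies ? [entry.dependencies, ...scopes] : scopes;
    for (const dep of Object.keys(entry.requires || {})) {
      const child = resolve(dep, childScopes);
      if (!child) continue; // e.g. an optional dependency that was not installed
      const next = [...path, dep];
      if (dep === target) {
        found.push({ path: next.join(' > '), version: child.version });
      } else if (!path.includes(dep)) { // guard against dependency cycles
        walk(child, childScopes, next);
      }
    }
  }
  for (const name of directDeps) {
    const entry = resolve(name, [lock.dependencies]);
    if (!entry) continue;
    if (name === target) found.push({ path: name, version: entry.version });
    else walk(entry, [lock.dependencies], [name]);
  }
  return found;
}

// Flag each chain whose resolved version falls outside the patched range.
function auditPackage(lock, directDeps, target, patchedIn) {
  return findPaths(lock, directDeps, target)
    .map((hit) => ({ ...hit, vulnerable: !satisfies(hit.version, patchedIn) }));
}

// Constructed lockfile (version numbers are illustrative, not real release history):
// loggly pins an old request, so its subtree carries its own hawk/sntp/hoek, while
// the hoisted copies at the root are newer.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    karma: { version: '2.0.2', requires: { log4js: '^2.5.3' } },
    log4js: { version: '2.5.3', requires: { loggly: '^1.1.0' } },
    loggly: { version: '1.1.1', requires: { request: '2.75.x' }, dependencies: {
      request: { version: '2.75.0', requires: { hawk: '~3.1.3' } },
      hawk: { version: '3.1.3', requires: { sntp: '1.x.x', hoek: '2.x.x' } },
      sntp: { version: '1.0.9', requires: { hoek: '2.x.x' } },
      hoek: { version: '2.16.3' },
    } },
    request: { version: '2.87.0', requires: { hawk: '~6.0.2' } },
    hawk: { version: '6.0.2', requires: { sntp: '2.x.x', hoek: '4.x.x' } },
    sntp: { version: '2.1.0', requires: { hoek: '4.x.x' } },
    hoek: { version: '4.2.1' },
  },
};
const DIRECT_DEPS = ['karma', 'request']; // what package.json lists directly
const HOEK_PATCHED_IN = '> 4.2.0 < 5.0.0 || >= 5.0.3';

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditPackage(SAMPLE_LOCK, DIRECT_DEPS, 'hoek', HOEK_PATCHED_IN)) {
    console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\thoek@${hit.version}\t${hit.path}`);
  }
}
```

Run against the constructed lockfile it reports two vulnerable chains, both through loggly's nested copy of hoek (the chain the audit printed, plus the shorter hawk > hoek one), and two clean chains through the hoisted hoek at the root. The point for the question is that the audit path is a resolution path, not a version constraint: replacing the package that pins the old subtree (loggly here) is what changes the result, and re-running a walk like this after the change confirms that no chain still resolves to a version outside the patched range. Note that the strict `> 4.2.0` in the range means 4.2.0 itself is reported as vulnerable.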

2 Answers


You can npm install the fixed version of the dependency from a pull request or a commit, e.g.:

npm install github:winstonjs/node-loggly#pull/79/head

Then delete the added line in package.json, e.g. "loggly": "github:winstonjs/node-loggly#pull/79/head"

In package-lock.json, search for loggly and, where it shows "version": "<some git url>", delete the url and replace it with the appropriate version number, e.g. "1.1.1".

Jesse

The problem is that loggly hasn't been updated for a long time and is hard-coded to a request version that uses a hoek version with the specified vulnerability. There is an open issue.

Considering the role of the hoek package here, it's unlikely that it causes a real security issue.

From a user's perspective, it's possible to fix the security issue by using a branch where this dependency is fixed, e.g. this pull request:

"karma": "^2.0.2",
"loggly": "github:winstonjs/node-loggly#pull/79/head"

Since the loggly branch version matches the constraints in log4js, this replaces the original loggly with the fixed one (possibly requires purging node_modules to take effect).

This causes a

400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

error for npm audit, so it likely should be left as is for now.

Estus Flask
  • Just in case others come across this: [loggly](https://github.com/winstonjs/node-loggly) has an officially maintained fork: [node-loggly-bulk](https://github.com/loggly/node-loggly-bulk) which addresses the vulnerability. Also, recent versions of log4js (v2.6.0 on) no longer include loggly as a dependency. So, if you're using a recent version of karma check your package-lock.json or yarn.lock to make sure you aren't getting pinned to an older version of log4js. – eddies Jul 16 '18 at 06:17
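Whether a prototype-pollution advisory matters in practice comes down to whether untrusted input ever reaches the affected merge helper, which is the judgement the answer above makes about hoek's role under karma. The following is an added example, not hoek's code or anything from this page: it shows the class of bug on a deliberately naive recursive merge that walks into `__proto__`, beside a hardened merge that refuses prototype keys and only recurses into properties the target itself owns. The JSON payload is constructed.

```javascript
'use strict';
// Added example (not hoek's code): the class of bug behind a "prototype
// pollution" advisory, shown on a deliberately naive recursive merge, and the
// hardened merge a library should ship instead.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: a key named "__proto__" in `source` makes target["__proto__"]
// (which is Object.prototype) the recursion target, so the attacker's keys land
// on every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuse the keys that lead to a prototype, and only recurse into
// properties the target itself owns (never into inherited objects).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, if silently dropping is unacceptable
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: JSON.parse stores "__proto__" as an ordinary own
// key (it does not change the prototype), so it shows up in Object.keys().
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Has the shared Object.prototype acquired a property it never had?
function isPolluted(prop) {
  return hasOwn(Object.prototype, prop);
}

// Merge the payload into a fresh object with the given merge function and report
// what an unrelated object (a session, a config, anything) now says for `isAdmin`.
function demonstrate(merge) {
  delete Object.prototype.isAdmin; // start from a clean prototype
  const user = merge({}, JSON.parse(PAYLOAD_JSON));
  const unrelated = {};
  const result = { userName: user.name, unrelatedIsAdmin: unrelated.isAdmin, polluted: isPolluted('isAdmin') };
  delete Object.prototype.isAdmin; // clean up so the pollution cannot leak further
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naiveMerge:', demonstrate(naiveMerge));
  console.log('safeMerge :', demonstrate(safeMerge));
}
```

With `naiveMerge`, an object that never saw the payload reports `isAdmin === true`, which is what makes this class dangerous in code that later does `if (user.isAdmin)` or reads options with a loose `in`/truthiness check. With `safeMerge`, the `__proto__` key is dropped and the unrelated object is untouched. The same reasoning applies when deciding whether the hoek finding is reachable in a given deployment: if the only data flowing through the merge is the package's own static configuration, as is plausible for a logging transport under a test runner, there is no attacker-controlled key to walk.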