25

I recently pushed an Angular CLI 5 application to GitHub and it indicated the following:

We found a potential security vulnerability in one of your dependencies.
A dependency defined in net-incident/package-lock.json has known security vulnerabilities and should be updated.
Dependencies defined in net-incident/package-lock.json 816
hapijs / hoek Known security vulnerability in 2.16.3

I have gone through the output from ‘npm audit’ and executed the various updates, including the following (which was not suggested):

npm install --save-dev request@2.86.0

The ‘request’ package contains ‘hawk’ which contains ‘hoek’. When I look at the ‘request’ package in node_modules the version has changed. But the following two updates from ‘npm audit’ do not seem to do anything:

npm update fsevents --depth 4
npm update stringstream --depth 5

And I am left with the following:

[!] 33 vulnerabilities found [12201 packages audited]
    Severity: 5 Low | 24 Moderate | 4 High
    Run `npm audit` for more detail

And many of the vulnerabilities are like the following:

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   karma
Path            karma > log4js > loggly > request > hawk > boom > hoek
More info       https://nodesecurity.io/advisories/566

In the end, the application would not compile, so I replaced the package and lock files, and now I am back to the beginning. I really want to fix the security issues. How do I get rid of the pesky ‘hoek’ vulnerabilities?

Phil Huhn
  • This has gotten me half of the way there: [Running suggested command doesnt fix npm vulnerability](https://stackoverflow.com/questions/50315186/running-suggested-command-doesnt-fix-npm-vulnerability), but I am still having the Hoek 7 vulnerabilities issue. – Phil Huhn May 26 '18 at 16:32
  • The remaining problems seem to be _**karma**_ related. Tracking the karma problems [here #2994](https://github.com/karma-runner/karma/issues/2994) – Phil Huhn Jun 01 '18 at 16:25
  • I posted the solution that worked for me on this one https://stackoverflow.com/questions/50759164/npm-audit-fixes – Jesse Jul 15 '18 at 23:39
  • I think #2994 is about to be cleared up, so I think I will wait. – Phil Huhn Jul 17 '18 at 23:11

3 Answers

3

You should run `rm package-lock.json && npm update && npm install`. If this still doesn't fix your issue, you can then continue by running `npm ls hoek`, which should give you:

├─┬ fuse-box@3.3.0
│ └─┬ request@2.81.0
│   └─┬ hawk@3.1.3
│     ├─┬ boom@2.10.1
│     │ └── hoek@2.16.3
│     ├── hoek@2.16.3
│     └─┬ sntp@1.0.9
│       └── hoek@2.16.3
└── hoek@5.0.3

Check the version of hawk against the one on npm hawk; if it doesn't tally, run `npm i hawk --save` or `npm i hoek@latest --save`. Then you should also run `npm i karma@latest --save`, then `npm audit`. After which I again ran my normal git commands:

git add .
git commit -m 'whatever_message'
git push 

Then you can go back to Github, the security vulnerability should be fixed.

antzshrek
  • But if I clone your repo and run `npm i`, will the vulnerable versions of hoek be installed for me? Or does this solution eliminate that problem. I have taken similar steps to what you outline above, but have found that any fresh `npm install` brings the problem right back. – Ben Steward Aug 08 '18 at 05:13
  • **NOTE**: running `npm i` or `npm install` will only install all the version of dependencies specified in the `package.json` of whatever you're cloning. – antzshrek Aug 08 '18 at 05:16
  • The hoek problem, in this case, doesn't arise because of package.json settings, it persists because it is layers of dependencies deep in the node_modules. If Karma requires a certain version of Request, which requires an insecure version of hawk (or whatever), then every time `npm i` is run, those specific versions will be installed. I just took some time and tried to follow the steps you outlined, but the vulnerabilities are still there. If the package-lock.json is edited, will that cause the changes to persist across installs? – Ben Steward Aug 09 '18 at 03:17
  • Along the lines of this solution, you can also just manually add `hoek: ^5.0.3` in your `package.json` and run npm install, and push – Dakota Maker Aug 10 '18 at 15:17
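As an added example (not code from the answer above or from npm itself), the script below walks an `npm ls --json`-style dependency tree, lists every nested path to a package such as `hoek`, and flags only the copies whose version falls outside the advisory's "Patched in" range, so you can tell which of the `npm ls hoek` entries still need fixing. The tree is a constructed sample mirroring the output shown in the answer; the semver subset only understands the comparator / `||` syntax that `npm audit` prints.

```javascript
// Added example: find every path to a package in an `npm ls --json` tree and
// flag versions not covered by the advisory's "Patched in" range.
// No npm modules needed; handles only ">", ">=", "<", "<=", "=" and "||".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Comparators separated by whitespace are ANDed; "||" separates alternatives.
function satisfies(version, range) {
  const cmpRe = /(>=|<=|>|<|=)\s*([\d.]+)/g;
  return range.split('||').some((clause) => {
    const cmps = [...clause.matchAll(cmpRe)];
    return cmps.length > 0 && cmps.every(([, op, target]) => {
      const c = compareVersions(version, target);
      return { '>': c > 0, '>=': c >= 0, '<': c < 0, '<=': c <= 0, '=': c === 0 }[op];
    });
  });
}
// Collect every "a@1 > b@2 > target@3" path, including nested duplicate copies.
function findPaths(tree, target, path = []) {
  const out = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === target) out.push({ path: here.join(' > '), version: info.version });
    out.push(...findPaths(info, target, here));
  }
  return out;
}
// Only the copies that are NOT in the patched range still need attention.
function vulnerableOccurrences(tree, target, patchedRange) {
  return findPaths(tree, target).filter((o) => !satisfies(o.version, patchedRange));
}
// Constructed sample mirroring the `npm ls hoek` output above; for a real
// project feed in JSON.parse(execSync('npm ls hoek --json').toString()).
const HOEK_PATCHED = '> 4.2.0 < 5.0.0 || >= 5.0.3';
const SAMPLE_TREE = { name: 'net-incident', version: '0.0.0', dependencies: {
  'fuse-box': { version: '3.3.0', dependencies: { request: { version: '2.81.0', dependencies: {
    hawk: { version: '3.1.3', dependencies: {
      boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
      hoek: { version: '2.16.3' },
      sntp: { version: '1.0.9', dependencies: { hoek: { version: '2.16.3' } } } } } } } } },
  hoek: { version: '5.0.3' } } };
for (const o of vulnerableOccurrences(SAMPLE_TREE, 'hoek', HOEK_PATCHED)) console.log('VULN', o.path);
```

Note that `5.0.0` is correctly reported as unpatched even though it is newer than the `4.2.x` fixes, because the advisory's range has a gap between `5.0.0` and `5.0.3`.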
2

This answer addresses a similar hoek problem, and this answer explains non-vulnerability audit reports in detail.

npm audit reports possible problems. They are not necessarily real problems that should be solved.

A nested dependency like karma > log4js > loggly > request > hawk > boom > hoek may require forking numerous packages in the dependency chain if it has to be fixed.

Prototype pollution diagnosis indicates code smell. The reason why prototype pollution smells is that it can cause security problems. This is the reason why it's labeled as Moderate. It's unlikely that it causes any security risks in hoek package due to how it works, regardless of how the package is used (that's important as well).

Additionally, the karma > log4js > loggly > request > hawk > boom > hoek dependency chain means that the problem occurs in a development dependency. Most security problems are primarily applicable to dependencies that are used in production. This problem is specific to tests and Karma. It's virtually impossible that it is a threat.

TL;DR: this is not a vulnerability. It has to be ignored. Any npm audit report should pass a sanity check before any efforts to fix it are made.

Estus Flask
1

I was patient and they fixed the problem:

npm update karma@latest

should work.

Phil Huhn