Security: Upgrade boom and hawk to fix hoek

[JamesJansson]

Versions

v1.7.4

Repro steps

CLI currently uses old Boom and Hawk dependencies, which loads an old version of Hoek which is vulnerable.

Desired behavior

Upgrade to latest Boom and Hawk.

[literalpie]

Is there a temporary workaround for this? any way for a library that depends on CLI to protect itself from this vulnerability?

[hansl]

@literalpie we don't use it, directly or indirectly. NPM isn't smart enough to know this, so shows the vulnerability. For now it's simply a warning. We're working on it.

[spmsupun]

Is this fixed yet ?

[affilnost]

It has been fixed in this commit angular/devkit@c827938

So it's fixed only in v6.0.1 of devkit which corresponds to the v6.0.1 of "@angular/cli".

To have this issue fixed, you need to update "@angular/cli" to the v6.0.1. This means you'll have to update Angular to the v6.

@hansl I would also make this change (cherry-pick?) angular/devkit@c827938
in the earlier version of devkit (0.3.x) so that this bug is fixed in the older version of angular-cli (1.7.x) and people don't need to update everything to v6.0.1.

[ration]

I know it's not strictly an angular-cli problem but is it possible to make an Angular 6 app without pulling in the vulnerable hoek? angular-devkit/build-angular 0.6.1 still depends on node-sass 4.9.0 which pulls the old hoek version in.

[affilnost]

@ration The workaround for this (if you don't want to update Angular to v6) is to add this to your devDependencies in package.json:

"chokidar": "^2.0.3",
"less": "^3.0.2"

and check that you have there:

"karma": "~1.7.1",

or higer version.

And then remove node_modules to be sure and run:
npm install

As a result you'll have Hoek v4.2.1 (not vulnerable) installed.

[dimeloper]

@affilnost putting chokidar and less into the devDeps along with updating karma didn't work for me :/

[adambkaplan]

Potential regression - vulnerable lib still installed with @angular/cli@^6.0.3 running ng new-app

[affilnost]

In my case this commit solved the problem (update to Angular v6) affilnost/ngx-chartist@bfb6cff
I removed then node_modules and run npm install and it helped.
Now I have "hoek": "4.2.1".
Maybe it helps someone..

[Vishvang]

Upgrade boom and hawk to fix hoek : Was it fixed ?

[acoard]

I'm seeing the same as @adambkaplan.

> rm -rf node_modules/
> rm package-lock.json
> npm install
...
>npm ls hoek

──┬ @angular-devkit/build-angular@0.6.8
  └─┬ node-sass@4.9.0
    └─┬ request@2.79.0
      └─┬ hawk@3.1.3
        ├─┬ boom@2.10.1
        │ └── hoek@2.16.3  deduped
        ├── hoek@2.16.3
        └─┬ sntp@1.0.9
          └── hoek@2.16.3  deduped

This regression was reported 20 days ago. Is there any movement on this? Are maintainers aware of the regression?

[adambkaplan]

@hansl please reopen

[ration]

AFAIK node-sass was never fixed, so this was also never fixed.

> ng --version
Angular CLI: 6.0.8
> ng new my-dream-app
> cd my-dream-app
> npm install
> npm ls hoek
my-dream-app@0.0.0 C:\git\my-dream-app
`-- @angular-devkit/build-angular@0.6.8
  `-- node-sass@4.9.0
    `-- request@2.79.0
      `-- hawk@3.1.3
        +-- boom@2.10.1
        | `-- hoek@2.16.3  deduped
        +-- hoek@2.16.3
        `-- sntp@1.0.9
          `-- hoek@2.16.3  deduped

If I understand this sass/node-sass#2252 correctly it also wont be fixed?

[Goluxas]

GitHub's automated vulnerability checking is now finding and reporting this, both by email and on the repository page. Please reopen.

[ghost]

@ration I see them working on it for v5: sass/node-sass#2355

[ganeshsundaram39]

npm i hoek worked for me.

[ariawanzero]

anyone solve this warning or just ignore it?

[kayvanbree]

This is fixed in node-sass@4.9.1. Could Sass be upgraded?

[yeti-detective]

I don't know if this is a workaround or a rug to sweep it under, but if you git rm package-lock.json & install dependencies with yarn install instead GitHub doesn't seem to throw this warning.

[kmturley]

This seems to fix it:
npm install hoek@4.2.1

[BasPaap]

I'm still getting the vulnerable version of hoek with angular-cli 6.2.3 even after doing git rm package-lock.json and npm install:

`-- @angular/cli@6.2.3
  `-- @schematics/update@0.8.3
    `-- npm-registry-client@8.6.0
      `-- request@2.81.0
        `-- hawk@3.1.3
          +-- boom@2.10.1
          | `-- hoek@2.16.3  deduped
          +-- hoek@2.16.3
          `-- sntp@1.0.9
            `-- hoek@2.16.3  deduped

[rejoydominic1]

Can this issue be reopened? Looks like this still an issue

[remyce]

I'm getting the same issue despite trying to update and install the package manually.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}