
Upgrade needed for packages with dependencies of "hoek": "2.16.3" Security issue as marked by github #10827

Closed
ganeshkbhat opened this issue May 13, 2018 · 3 comments

Comments

@ganeshkbhat

Are hawk, sntp, boom (one package dependency) and cryptiles used for the Angular CLI project? There is a security vulnerability for "hoek": "2.16.3" highlighted by GitHub. Can you check the same? Hopefully it's not used in any compiler and it might be a minor issue. GitHub does not mention the issue severity.

Versions

OS Ubuntu 17.10 Artful

Angular CLI: 6.0.1
Node: 9.11.1
OS: linux x64
Angular: 6.0.1
... animations, cli, common, compiler, compiler-cli, core, forms
... http, language-service, platform-browser
... platform-browser-dynamic, router, service-worker

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.6.1
@angular-devkit/build-angular     0.6.1
@angular-devkit/build-optimizer   0.6.1
@angular-devkit/core              0.6.1
@angular-devkit/schematics        0.6.1
@angular/pwa                      0.6.1
@ngtools/webpack                  6.0.1
@schematics/angular               0.6.1
@schematics/update                0.6.1
rxjs                              6.1.0
typescript                        2.7.2
webpack                           4.6.0

Repro steps

No Steps. CLI dependencies

Observed behavior

NA

Desired behavior

Upgrade packages using hoek to v4.x.x

Mention any other details that might be useful (optional)

NA

@Asone

Asone commented Jul 21, 2018

It seems that the package is installed through the following dependency tree:
@devkit/angular-build > node-sass > node-gyp > request > hawk

The vulnerability has been fixed in hoek but it seems that some packages of the tree are not up-to-date with their dependencies.

Moreover, as v2.16.3 was released in 2015, it was the last release of that major version, and the latest version is now v5.

Here is the state of each dependency:

| Dependency | used version | last version | fixed | issue | PR |
|---|---|---|---|---|---|
| angular-devkit/build-angular | 0.7.0-rc.3 | 0.7.0-rc.3 | No | No | No |
| node-sass | 4.9.2 | 4.9.2 | Yes | 2435 | |
| node-gyp | 3.7.0 | 3.7.0 | No | 1471 | |
| request | 2.75.0 | 2.87.0 | No | 2893 | |
| hawk | 3.1.3 | 3.1.3 | No | 242 | |

A quick & dirty fix is to try updating the hoek version from your own package.json. I tried the latest version on an Ionic 4 & Angular 6 project, and it seems to run fine. If needed, here is the package.json file used.

A quick implementation would be to add it to the version control of angular-devkit/build-angular itself. Otherwise, wait for the sub-dependencies to bring an update that fixes it.
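The comment above identifies hoek by hand-tracing the tree `@devkit/angular-build > node-sass > node-gyp > request > hawk`. The following script is an added example (not code from this issue, from Angular CLI or from any of the packages named) that does the same trace mechanically over a `package-lock.json` in the v1 layout (nested `dependencies` objects plus `requires` maps). It reports every chain from a direct dependency down to a target package and flags copies whose version the predicate treats as unfixed; here the predicate follows the issue's desired behaviour ("upgrade to v4.x.x"), so anything below major 4 is reported. The lock object, the direct-dependency list and all version numbers are constructed for the demonstration and are assumptions, not data from a real project.

```javascript
// Added example: trace dependency chains to a package in a package-lock.json
// (v1 layout) and flag copies still on an unfixed major version.

// Constructed sample lock, modelled on the chain named in the thread. The
// version numbers are illustrative and do not come from a real project.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "@angular-devkit/build-angular": { version: "0.7.0-rc.3", requires: { "node-sass": "^4.9.2" } },
    "node-sass": { version: "4.9.2", requires: { "node-gyp": "^3.3.1" } },
    "node-gyp": { version: "3.7.0", requires: { request: "^2.75.0" } },
    request: {
      version: "2.75.0",
      requires: { hawk: "~3.1.3" },
      // Non-hoisted copies: npm nests these under request because the
      // hoisted hoek@4 at the root does not satisfy hawk's "2.x.x" range.
      dependencies: {
        hawk: { version: "3.1.3", requires: { hoek: "2.x.x", boom: "2.x.x", sntp: "1.x.x", cryptiles: "2.x.x" } },
        boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
        sntp: { version: "1.0.9", requires: { hoek: "2.x.x" } },
        cryptiles: { version: "2.0.5", requires: { boom: "2.x.x" } },
        hoek: { version: "2.16.3" },
      },
    },
    // The copy that a top-level "hoek" entry in package.json would pin.
    hoek: { version: "4.2.1" },
  },
};

// Direct dependencies from package.json (a v1 lock does not list them itself).
const SAMPLE_DIRECT_DEPS = ["@angular-devkit/build-angular", "hoek"];

// Leading numeric component of a version string ("0.7.0-rc.3" -> 0).
function majorOf(version) {
  return parseInt(String(version).split(".")[0], 10);
}

// Predicate following the issue's desired behaviour: hoek below 4.x is unfixed.
const isUnfixedHoek = (version) => majorOf(version) < 4;

// npm v1 resolution: look for `name` in the innermost nested scope first,
// then in each enclosing scope, and finally at the root.
function resolveIn(name, scopes) {
  for (const deps of scopes) {
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Enumerate every chain from a direct dependency down to `target`.
function findChains(lock, directDeps, target, isUnfixed) {
  const root = lock.dependencies || {};
  const results = [];

  function walk(name, node, scopes, chain, seen) {
    const label = `${name}@${node.version}`;
    if (seen.has(label)) return; // guard against cyclic requires
    const nextChain = [...chain, label];
    if (name === target) {
      results.push({ chain: nextChain, version: node.version, unfixed: isUnfixed(node.version) });
      return;
    }
    const nextScopes = node.dependencies ? [node.dependencies, ...scopes] : scopes;
    const nextSeen = new Set(seen).add(label);
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolveIn(dep, nextScopes);
      if (child) walk(dep, child, nextScopes, nextChain, nextSeen);
    }
  }

  for (const name of directDeps) {
    const node = resolveIn(name, [root]);
    if (node) walk(name, node, [root], [], new Set());
  }
  return results;
}

// Summarise as the two lists a reviewer would paste into an issue.
function auditLock(lock, directDeps, target, isUnfixed) {
  const chains = findChains(lock, directDeps, target, isUnfixed);
  const render = (c) => c.chain.join(" > ");
  return {
    total: chains.length,
    unfixed: chains.filter((c) => c.unfixed).map(render),
    fixed: chains.filter((c) => !c.unfixed).map(render),
  };
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK, SAMPLE_DIRECT_DEPS, "hoek", isUnfixedHoek), null, 2));
```

On the sample data the report lists one fixed chain (the hoisted `hoek@4.2.1` pinned from package.json) and four unfixed chains, all passing through `request > hawk` and ending at the nested `hoek@2.16.3`. That is the point worth checking before relying on a top-level hoek entry: it only changes the hoisted copy, while the nested copy stays in the lock until request and hawk accept a newer range. To run this against a real project, load the lock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and take the direct dependency names from `package.json`; `npm ls hoek` gives the same chain view from the npm CLI.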

@ganeshkbhat

This should be fine. I can update related packages.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019