[SECURITY] Please FIX vulnerabilities! #2443

Closed
Bizarrus opened this issue Jul 9, 2018 · 9 comments
Comments

@Bizarrus

Bizarrus commented Jul 9, 2018

=== npm audit security report ===


								 Manual Review
			 Some vulnerabilities require your attention to resolve

		  Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > cryptiles > boom >
				  hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

found 4 moderate severity vulnerabilities in 6455 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
@xzyfer

xzyfer commented Jul 9, 2018

See nodejs/node-gyp#1492

@bardware

bardware commented Jul 9, 2018

I don't know what I'm doing wrong but I keep getting the error

PC-006% npm i -D node-sass
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://nodesecurity.io/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

I deleted the node_modules folder, package-lock.json and the cache folder.
At every install the "broken" hoek version is retrieved.
I tried on Windows and on WSL Ubuntu - no difference.

@nschonni

nschonni commented Jul 9, 2018

What version are you running? This seems like a duplicate of #2355 which is resolved by updating to 4.9.1

@xzyfer

xzyfer commented Jul 9, 2018

@bardware the answer is literally in the comment above yours. Please read issues before posting.

@bardware

Please believe me, I've been following this issue for quite some time, as GitHub keeps notifying me about this. I read issues; I posted on 2355.
It is my understanding and expectation that version 4.9.1 changed dependencies and got rid of hoek.
When I call npm i -D node-sass I expect it to install the latest/fixed ("silenced") version.

@xzyfer

xzyfer commented Jul 10, 2018

As explained in #2355 and this issue (again), we have updated request, which had a dependency on hoek. However, one of our dependencies (node-gyp) is also locked to an older version of request because they too cannot break backward compatibility.

There is an open PR (linked above) to bump that dependency as we did to a version of request that removes hoek whilst maintaining BC.

All of this information was present in the issues you read. Please direct your enthusiasm at the node-gyp PR linked above.
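The "Path" lines in the audit report above and the explanation of node-gyp pinning an older request describe a package-lock resolution question: which copy of a package a nested dependency actually resolves to, and therefore which direct dependency drags in the unpatched version. The following is an added example, not code from node-sass, node-gyp or npm. It walks a lockfile-v1 style "dependencies" tree over a constructed, trimmed-down sample (the real lock file is far larger, and the cryptiles path from the report is omitted), lists every path that ends at hoek, and compares each version against the patched ranges quoted in the report. The "demo-lib" entry and the top-level hoek 5.0.3 are made up to show a patched copy next to the unpatched one.

```javascript
// Added example (not node-sass, node-gyp or npm code). Walks a lockfile-v1
// style "dependencies" tree. Nested copies resolve the way node_modules
// lookup does: a package's own nested deps first, then each enclosing
// package, then the root. Every path reaching the target package is
// reported with its version and whether it falls in a patched range.

// Constructed, trimmed-down lock data: node-sass itself requires a request
// that no longer pulls hawk, but node-gyp pins an older request, so a
// second copy of request (with hawk -> boom/sntp -> hoek) is nested under
// node-gyp. "demo-lib" and the top-level hoek 5.0.3 are made up.
const SAMPLE_LOCK = {
  dependencies: {
    "node-sass": { version: "4.9.1", requires: { "node-gyp": "^3.3.1", request: "^2.87.0" } },
    request: { version: "2.87.0", requires: {} },
    "node-gyp": {
      version: "3.7.0",
      requires: { request: "^2.81.0" },
      dependencies: {
        request: { version: "2.81.0", requires: { hawk: "~3.1.3" } },
        hawk: { version: "3.1.3", requires: { boom: "2.x.x", hoek: "2.x.x", sntp: "1.x.x" } },
        boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
        sntp: { version: "1.0.9", requires: { hoek: "2.x.x" } },
        hoek: { version: "2.16.3", requires: {} },
      },
    },
    "demo-lib": { version: "1.0.0", requires: { hoek: "^5.0.0" } },
    hoek: { version: "5.0.3", requires: {} },
  },
};
// Direct dependencies as they would appear in package.json (constructed).
const DIRECT_DEPS = ["node-sass", "demo-lib"];

function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// Plain x.y.z comparison; enough for the ranges in the report.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Patched ranges exactly as quoted in the npm audit report above:
// "> 4.2.0 < 5.0.0 || >= 5.0.3".
function isPatchedHoek(version) {
  const gt = (x) => compareVersions(version, x) > 0;
  const lt = (x) => compareVersions(version, x) < 0;
  const gte = (x) => compareVersions(version, x) >= 0;
  return (gt("4.2.0") && lt("5.0.0")) || gte("5.0.3");
}

// Resolve `name` from the innermost scope outward. Returns the node found
// and the scope chain that node's own requires will resolve from, or null.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1).concat(deps[name]) };
  }
  return null;
}

// Depth-first walk from each direct dependency, recording every path that
// ends at `target`, in the same "a > b > c" form npm audit prints.
function findPaths(lock, directDeps, target) {
  const found = [];
  function walk(name, node, scopes, trail) {
    const path = trail.concat(name);
    if (name === target) {
      found.push({ path: path.join(" > "), version: node.version });
      return;
    }
    for (const dep of Object.keys(node.requires || {})) {
      if (path.includes(dep)) continue; // guard against dependency cycles
      const hit = resolve(dep, scopes);
      if (hit) walk(dep, hit.node, hit.scopes, path);
    }
  }
  for (const name of directDeps) {
    const hit = resolve(name, [lock]);
    if (hit) walk(name, hit.node, hit.scopes, []);
  }
  return found;
}

function auditSample() {
  return findPaths(SAMPLE_LOCK, DIRECT_DEPS, "hoek")
    .map((f) => ({ ...f, patched: isPatchedHoek(f.version) }));
}

for (const f of auditSample()) {
  console.log(`${f.patched ? "ok       " : "UNPATCHED"} hoek@${f.version}  ${f.path}`);
}
```

Running it prints the three unpatched paths through node-gyp's nested request copy and one patched path through demo-lib. The point the walk makes visible is the one xzyfer is making: the top-level request 2.87.0 required by node-sass reaches no hawk at all, so bumping node-sass's own dependency cannot remove the nested copy that node-gyp's pin creates; only a change inside node-gyp (the linked PR) does.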

@Berkmann18

Berkmann18 commented Jul 22, 2018

Neither v4.7.x (suggested in the other issue, although v4.7.0 doesn't exist) nor v4.9.1 fixes this issue. I still get the 4 moderate severity vulnerabilities.
None of the solutions in #2355 work.

Hopefully the node-gyp team will merge the PR nodejs/node-gyp#1492 and this should be easier to fix.

@Berkmann18

@nschonni Why did you close this issue, which is still a problem?

@sass sass deleted a comment from Bizarrus Jul 24, 2018
@xzyfer

xzyfer commented Jul 24, 2018

It's closed because there is nothing we can do. We have summarized the issue multiple times. People insist on not bothering to read the issue and post their opinion.

There is no further discussion to be had on this topic. It's out of our control. Read the prior couple of comments.

@sass sass locked as too heated and limited conversation to collaborators Jul 24, 2018