Potential security vulnerability via hoek

[dbaeumer]

See https://github.com/Microsoft/vscode-languageserver-node/network/dependencies

I get this in vscode-languageserver-node which has a dependency on vscode which then via n levels has a dependency on hoek. Do we need to update something?

[bpasero]

microsoft/vscode#48783

[bpasero]

Actually lets close the other one as duplicate of this one.

[bpasero]

This depends on request/request#2926 which we depend on.

[DanTup]

Based on this comment it might be gulp-remote-src using an old version of request which results in an old version of hoek. I think the latest version of request depends on a version of hoek that is not vulnerable based on the comments in the related cases.

[bpasero]

@DanTup I was assuming the security issue is for any hoek version < 5, which would mean even the latest request version does not fix it?

[DanTup]

The fix was apparently ported back to the latest v4 release. Some comments at hapijs/hoek#230 (comment) about it.

[DanTup]

This looks like the fix in v4.2.1: https://github.com/hapijs/hoek/blob/v4.2.1/lib/index.js#L116-L118

[bpasero]

@DanTup this needs to bubble to GitHub though that still recommends 5.x:

[DanTup]

Yeah, the CVE page still says that and I guess GH gets its data from there. Once that's fixed, I think gulp-remote-src will still need addressing though. I guess they'll have had an alert the same as us all though!

[bpasero]

@DanTup it looks like gulp-remote-src is not compatible with latest request, so either they need to fix it or we have to move to another library for this.

[DanTup]

Yeah. I've opened ddliu/gulp-remote-src#16 to prompt them; though I suspect they had an alert from GH too.

[bpasero]

@DanTup thanks

[gwicksted]

Just an FYI that hoek 4.2.1 has been deemed not vulnerable (request comment) so it looks like the request group is going with that version to keep node 4 compatibility. Hopefully GitHub will detect that as a safe version instead of only hoek ~> 5.0.3.

[joaomoreno]

@egamma pinged me about this, since there are extensions out there flagging up as having a security vulnerability.

This repository also got the warning as soon as I pushed a package-lock.json.

I've created a PR for gulp-remote-src: ddliu/gulp-remote-src#17. Let's hope they take it.

Meanwhile, I've also forked that repo with the fix, published it to npm as gulp-remote-src-vscode and updated vscode to depend on that instead of the official module. I've pushed that change to master and now the vulnerability is gone. If gulp-remote-src takes the change, we can change back our dependency to it.

@bpasero Please review and test the current master. If good, simply publish a new version, so extensions can start fixing their vulnerability warnings.

[bpasero]

Thanks, released 1.1.17 of vscode module.