Hi there!
We are getting reports in our pipeline and on local development machines of two minor/moderate security issues caused by the hoek library (nodesecurity.io). Below I've added the exact report of both issues. I see that the affected hoek library is included by an older joi version, which is then included by Expo's xdl library. The full dependency chain is this:
<our-project>
└─┬ exp@54.0.0
  └─┬ xdl@50.0.0
    └─┬ joi@10.6.0
      └── hoek@4.2.1
Because npm@6 now ships with a built-in security check on every install, and of course the newly added npm audit script, it's maybe a good idea to try and resolve this issue? As far as I can tell, this is fixable by upgrading Expo's xdl dependency of joi to ^13. In this version the patched hoek@>5 version is referenced (https://github.com/hapijs/joi/blob/v13.0.0/package.json).
I can make a PR for xdl if it helps. I'm not sure what this upgrade means regarding breaking changes. Luckily the devs of joi do have a clear changelog using their GitHub issues. Unfortunately I can't mention them because of the URL limit here. But you can see them by listing all issues with the release notes label.
Let me know if I can do anything to help!
Cheers!
Cedric
The actual report output
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native-scripts > xdl > jsonwebtoken > joi > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native-scripts > xdl > jsonwebtoken > joi > topo > │
│ │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
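The report above gives two things a maintainer needs to triage a transitive advisory: the dependency paths that lead to the affected package, and the "Patched in" range that tells which versions are fixed. As an added example (not part of Cedric's post, and not code from Expo, npm or hoek), the script below walks an `npm ls --json`-shaped dependency tree, lists every path that ends in a named package, and marks each found version as vulnerable or patched against an advisory range written in npm's `> 4.2.0 < 5.0.0 || >= 5.0.3` notation. The tree and the `hoek` versions in it are constructed for illustration; the range string is the one printed in the report.

```javascript
// Added example: audit an npm-ls style dependency tree for a package
// covered by an advisory. Not from the original post or from Expo/npm.

// Constructed sample tree, shaped like `npm ls --json` output.
// Package names follow the post's dependency chain; the hoek versions
// are chosen so that one path is vulnerable and one is patched.
const sampleTree = {
  name: 'our-project',
  version: '1.0.0',
  dependencies: {
    exp: {
      version: '54.0.0',
      dependencies: {
        xdl: {
          version: '50.0.0',
          dependencies: {
            joi: {
              version: '10.6.0',
              dependencies: {
                hoek: { version: '4.2.0' }, // constructed: not yet patched
                topo: {
                  version: '2.0.2',
                  dependencies: { hoek: { version: '4.2.1' } }, // constructed: patched
                },
              },
            },
          },
        },
      },
    },
  },
};

// "Patched in" range exactly as printed in the npm audit report.
const HOEK_PATCHED = '> 4.2.0 < 5.0.0 || >= 5.0.3';

// Compare two dotted versions numerically (major, minor, patch).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse "> 4.2.0 < 5.0.0 || >= 5.0.3" into alternatives (split on "||"),
// each a list of comparators that must all hold.
function parseRange(range) {
  return range.split('||').map((alt) => {
    const comparators = [];
    const re = /(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)/g;
    let m;
    while ((m = re.exec(alt)) !== null) {
      comparators.push({ op: m[1] || '=', ver: m[2] });
    }
    return comparators;
  });
}

// True when `version` falls inside any alternative of the range.
function satisfies(version, range) {
  return parseRange(range).some((alt) =>
    alt.every(({ op, ver }) => {
      const c = compareVersions(version, ver);
      switch (op) {
        case '>': return c > 0;
        case '>=': return c >= 0;
        case '<': return c < 0;
        case '<=': return c <= 0;
        default: return c === 0;
      }
    }));
}

// Depth-first walk that records every path ending in `target`,
// including nested occurrences (e.g. joi > hoek and joi > topo > hoek).
function findPaths(node, target, prefix = []) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) found.push({ path, version: child.version });
    found.push(...findPaths(child, target, path));
  }
  return found;
}

// One row per path, in the same "a > b > c" form the audit report uses.
function auditPackage(tree, target, patchedRange) {
  return findPaths(tree, target).map(({ path, version }) => ({
    path: path.join(' > '),
    version,
    vulnerable: !satisfies(version, patchedRange),
  }));
}

for (const row of auditPackage(sampleTree, 'hoek', HOEK_PATCHED)) {
  console.log(`${row.vulnerable ? 'VULNERABLE' : 'patched   '} ${row.path}@${row.version}`);
}
```

Run with `node audit-paths.js` (the file name is arbitrary); on a real project, replace `sampleTree` with the parsed output of `npm ls --json --all`. The range parser only handles the comparator syntax that npm audit prints in its "Patched in" column; for full semver ranges (tilde, caret, prerelease tags) use the `semver` package instead.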