After running `npm audit` I have (this is just one of) a moderate warning:
```
Moderate      │ Prototype pollution
Package       │ hoek
Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of │ karma
Path          │ karma > log4js > loggly > request > hawk > sntp > hoek
```
I can see that `hoek` is a dependency of `karma` (further down the chain). Looking at the Karma repo on GitHub I can see that this has been raised, but no immediate fix has been prioritised.

Is this something that we just have to accept for now until they have updated their dependencies, or can we tell our application to use a more recent version of `hoek` and apply it to all packages?
The problem is that `loggly` hasn't been updated for a long time and is hard-coded to a `request` version that uses a `hoek` version with the specified vulnerability. There is an open issue.

Considering the role of the `hoek` package here, it's unlikely that it causes a real security issue.
From a user's perspective, it's possible to fix the security issue by using a branch where this dependency is fixed, e.g. this pull request:

```json
"karma": "^2.0.2",
"loggly": "github:winstonjs/node-loggly#pull/79/head"
```

Since the `loggly` branch version matches the constraints in `log4js`, this replaces the original `loggly` with the fixed one (possibly requires purging `node_modules` to take effect).
This causes a `400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits` error for `npm audit`, so it likely should be left as is for now.
You can `npm install` the fixed version of the dependency from a pull request or a commit, e.g.:

```
npm install github:winstonjs/node-loggly#pull/79/head
```

Then delete the added line in `package.json`, e.g. `"loggly": "github:winstonjs/node-loggly#pull/79/head"`.

In `package-lock.json`, search for `loggly` and where it shows `"version": "<some git url>"`, delete the URL and replace it with the appropriate version number, e.g. `"1.1.1"`.
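Both answers above end with a hand-edited `package-lock.json`, and the question asks whether the newer `hoek` is really picked up "for all packages". A quick way to confirm that, independent of `npm audit` (which the first answer notes can start returning a `400` after the git-URL edit), is to walk the lock file and list every copy of `hoek` whose version is outside the advisory's "Patched in" range. The script below is an added example, not code from the question, either answer, or any of the projects named; it understands the `lockfileVersion: 1` layout (nested `dependencies` objects, as npm 5/6 wrote it), embeds a constructed sample lock file, and implements only the comparator syntax that `npm audit` prints for the patched range (`>`, `>=`, `<`, `<=`, `=`, joined by spaces and `||`). The reported path is the `node_modules` nesting path, which differs from the logical `karma > log4js > ...` require chain that `npm audit` shows.

```javascript
// Added example: find copies of a package in package-lock.json (lockfileVersion 1)
// whose version is NOT in the advisory's patched range. Not part of the original
// question or answers.

// Patched range copied from the npm audit output quoted in the question.
const PATCHED = "> 4.2.0 < 5.0.0 || >= 5.0.3";

// Constructed sample lock file (assumption: no pre-release tags, only the
// "version" and nested "dependencies" keys matter for this check).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "5.0.3" }, // hoisted copy, already patched
    karma: { version: "2.0.2" },
    log4js: {
      version: "2.11.0",
      dependencies: { hoek: { version: "4.2.1" } } // inside the 4.x patched window
    },
    request: {
      version: "2.81.0",
      dependencies: {
        hawk: {
          version: "3.1.3",
          dependencies: {
            hoek: { version: "2.16.3" }, // vulnerable nested copy
            sntp: { version: "1.0.9", dependencies: { hoek: { version: "2.16.3" } } }
          }
        }
      }
    }
  }
};

// "1.2.3" -> [1, 2, 3]; a "-beta" suffix is dropped (see assumption above).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric major/minor/patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal matcher for the comparator syntax npm audit prints: "||" separates
// alternative clauses, whitespace separates comparators that must all hold.
function satisfies(version, range) {
  const normalized = range.replace(/(>=|<=|>|<|=)\s+/g, "$1"); // "> 4.2.0" -> ">4.2.0"
  return normalized.split("||").some(clause =>
    clause.trim().split(/\s+/).filter(Boolean).every(comp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      const op = m[1] || "=";
      const c = compareVersions(version, m[2]);
      if (op === ">") return c > 0;
      if (op === ">=") return c >= 0;
      if (op === "<") return c < 0;
      if (op === "<=") return c <= 0;
      return c === 0;
    })
  );
}

// Walk every nesting level of the lock file; return each unpatched copy of
// `name` with its node_modules nesting path and version.
function findVulnerable(lock, name, range) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, dep];
      if (dep === name && !satisfies(info.version, range)) {
        hits.push({ path: here.join(" > "), version: info.version });
      }
      walk(info.dependencies, here); // copies that npm could not hoist
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Usage: `node check-hoek.js [path/to/package-lock.json]`; without an argument
// the constructed sample is checked.
const lock = process.argv[2]
  ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
  : SAMPLE_LOCK;
const vulnerable = findVulnerable(lock, "hoek", PATCHED);
if (vulnerable.length === 0) {
  console.log("no unpatched copies of hoek found");
} else {
  for (const hit of vulnerable) console.log(`${hit.path} (${hit.version})`);
}
```

Run it against the real lock file after applying either answer's fix and again after `npm install`; an empty result means no remaining copy of `hoek` is outside the patched range, whatever `npm audit` currently reports. Lock files with `lockfileVersion: 2` or `3` use a flat `packages` map keyed by `node_modules/...` paths instead, so the walk would need adapting for those.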