ing-bank/vscode-psl

Potential security vulnerability via hoek

atiplea opened this issue · 0 comments

Problem

vscode-psl uses hoek 4.2.0, which is vulnerable to CVE-2018-3728 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3728). This stems from the dependency on vscode@1.1.10.

`-- vscode@1.1.10
  +-- gulp-remote-src@0.4.3
  | `-- request@2.79.0
  |   `-- hawk@3.1.3
  |     +-- boom@2.10.1
  |     | `-- hoek@2.16.3
  |     +-- hoek@2.16.3
  |     `-- sntp@1.0.9
  |       `-- hoek@2.16.3
  `-- request@2.83.0
    `-- hawk@6.0.2
      +-- boom@4.3.1
      | `-- hoek@4.2.0    # vulnerable
      +-- cryptiles@3.1.2
      | `-- boom@5.2.0
      |   `-- hoek@4.2.0  # vulnerable
      +-- hoek@4.2.0      # vulnerable
      `-- sntp@2.1.0
        `-- hoek@4.2.0    # vulnerable

Solution

Upgrade to vscode@1.1.17, which utilizes a patched hoek@4.2.1.

`-- vscode@1.1.17
  `-- request@2.85.0
    `-- hawk@6.0.2
      +-- boom@4.3.1
      | `-- hoek@4.2.1    # patched
      +-- cryptiles@3.1.2
      | `-- boom@5.2.0
      |   `-- hoek@4.2.1  # patched
      +-- hoek@4.2.1      # patched
      `-- sntp@2.1.0
        `-- hoek@4.2.1    # patched
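Added example, not part of this issue or of vscode-psl: a small Node script that walks an `npm ls --json`-shaped dependency tree and lists every copy of a package whose version falls inside a vulnerable range, so the `# vulnerable` / `# patched` marks above can be produced mechanically rather than by eye. CVE-2018-3728 is a prototype-pollution bug in hoek's `merge`/`applyToDefaults`, so every copy in the tree matters, not only the one nearest the root: a transitive dependency that calls into a vulnerable hoek is still reachable. The sample tree is constructed by hand to mirror the vscode@1.1.10 tree in the issue; the range `[4.0.0, 4.2.1)` is an assumption taken from the issue's own marking (4.2.0 vulnerable, 4.2.1 patched), and the authoritative affected range should be taken from the advisory.

```javascript
// Added example (not part of the vscode-psl issue or the project's code):
// find every copy of a package in an `npm ls --json`-shaped tree and flag
// the ones whose version lies in a vulnerable range.

// Parse "1.2.3" into [1, 2, 3]. Prerelease tags and other non-numeric forms
// are rejected so a malformed version never silently compares as safe.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is { introduced, fixed }: vulnerable when introduced <= v < fixed.
function inVulnerableRange(version, range) {
  return compareVersions(version, range.introduced) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

// Depth-first walk over { dependencies: { name: { version, dependencies } } },
// the shape `npm ls --json` emits. Returns every occurrence of `name` with the
// chain of packages that leads to it, so nested copies are not missed.
function findPackage(tree, name, path = []) {
  const hits = [];
  for (const [depName, dep] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${depName}@${dep.version}`];
    if (depName === name) hits.push({ version: dep.version, path: here });
    hits.push(...findPackage(dep, name, here));
  }
  return hits;
}

function vulnerableInstances(tree, name, ranges) {
  return findPackage(tree, name)
    .filter(h => ranges.some(r => inVulnerableRange(h.version, r)));
}

// Assumption: range derived from the issue's marking (4.2.0 vulnerable,
// 4.2.1 patched); take the real affected range from the CVE advisory.
const HOEK_CVE_2018_3728_RANGES = [{ introduced: '4.0.0', fixed: '4.2.1' }];

// Constructed sample mirroring the vscode@1.1.10 tree in the issue; the root
// name/version are placeholders.
const SAMPLE_TREE = {
  name: 'vscode-psl', version: '0.0.0',
  dependencies: {
    vscode: { version: '1.1.10', dependencies: {
      'gulp-remote-src': { version: '0.4.3', dependencies: {
        request: { version: '2.79.0', dependencies: {
          hawk: { version: '3.1.3', dependencies: {
            boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
            hoek: { version: '2.16.3' },
            sntp: { version: '1.0.9', dependencies: { hoek: { version: '2.16.3' } } },
          } },
        } },
      } },
      request: { version: '2.83.0', dependencies: {
        hawk: { version: '6.0.2', dependencies: {
          boom: { version: '4.3.1', dependencies: { hoek: { version: '4.2.0' } } },
          cryptiles: { version: '3.1.2', dependencies: {
            boom: { version: '5.2.0', dependencies: { hoek: { version: '4.2.0' } } },
          } },
          hoek: { version: '4.2.0' },
          sntp: { version: '2.1.0', dependencies: { hoek: { version: '4.2.0' } } },
        } },
      } },
    } },
  },
};

// Report each vulnerable copy with the path that pulls it in.
const hits = vulnerableInstances(SAMPLE_TREE, 'hoek', HOEK_CVE_2018_3728_RANGES);
for (const h of hits) {
  console.log(`vulnerable hoek@${h.version}: ${h.path.join(' > ')}`);
}
console.log(hits.length ? `${hits.length} vulnerable copies of hoek` : 'no vulnerable hoek found');
```

To run this against a real checkout, capture `npm ls hoek --json > tree.json`, parse that file and pass it to `vulnerableInstances` in place of `SAMPLE_TREE`; after upgrading to vscode@1.1.17 the same call should return an empty list, which is the check that confirms the fix actually removed every 4.2.0 copy rather than just the top-level one.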