I cannot figure out how to update a dependent package included in Botkit. After running npm install on the package.json below, npm warns that the hoek package is vulnerable. I've tried running npm audit fix with no resolution. When I run npm ls hoek it shows botkit installed hoek@2.16.3. I don't see why it would install an out-of-date version.

//package.json
{
  "name": "deleteme",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "botkit": "^0.6.16"
  }
}
MikeV

1 Answer

From the npm documentation:

As of npm@2.6.1, the npm update will only inspect top-level packages. Prior versions of npm would also recursively inspect all dependencies. To get the old behavior, use npm --depth 9999 update.

See more details here: https://docs.npmjs.com/cli/update

hcs
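
An added example, not part of either post above: it reads a lockfile the way npm ls hoek does and reports which packages declare hoek in their "requires", the range each one asks for, and the copy that range resolves to. The lock data is constructed; "example-http", "example-auth" and their ranges are hypothetical names and values, not botkit's real dependency tree.

```javascript
// Constructed sample in package-lock.json v1 layout (npm 5/6). "example-http",
// "example-auth" and their ranges are hypothetical, not botkit's real tree.
const sampleLock = {
  name: "deleteme",
  dependencies: {
    botkit: {
      version: "0.6.16",
      requires: { "example-http": "^1.0.0", "example-auth": "^3.0.0" },
    },
    "example-http": { version: "1.0.0", requires: { hoek: "2.x.x" } },
    "example-auth": {
      version: "3.0.0",
      requires: { hoek: "4.x.x" },
      dependencies: { hoek: { version: "4.2.1" } }, // nested private copy
    },
    hoek: { version: "2.16.3" }, // hoisted copy shared by everything else
  },
};

const has = (obj, key) => !!obj && Object.prototype.hasOwnProperty.call(obj, key);

// List every package that declares `target` in "requires", with the declared
// range and the version the lockfile resolves it to.
function whoRequires(lock, target) {
  const hits = [];
  // `scopes` is the chain of "dependencies" maps from the root down to the
  // current package; modules resolve from the innermost node_modules outward.
  function walk(deps, scopes, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      const inner = entry.dependencies ? [...scopes, entry.dependencies] : scopes;
      if (has(entry.requires, target)) {
        const scope = [...inner].reverse().find((s) => has(s, target));
        hits.push({
          dependent: here.join(" > "),
          range: entry.requires[target],
          resolved: scope ? scope[target].version : null,
        });
      }
      walk(entry.dependencies, inner, here);
    }
  }
  walk(lock.dependencies, [lock.dependencies], []);
  return hits;
}

console.log(whoRequires(sampleLock, "hoek"));
```

The "range" column is the part to look at: it is declared by the intermediate package, not by the project's own package.json, so the installed version can only move within that range until the intermediate package itself changes.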