
I'm participating in an open-source project which currently uses phantom.js as a dev dependency. npm audit shows that phantom.js has 13 vulnerabilities and some dependency chains are somewhat long:

  Moderate        Prototype Pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   phantomjs [dev]
  Path            phantomjs > request > hawk > sntp > hoek
  More info       https://npmjs.com/advisories/566

I'm thinking of suggesting some updates to phantomjs and the underlying packages, but the info provided by npm audit is not that helpful:

  • they suggest that hoek 5.0.3 or later would be nice,
  • but they don't show what version of sntp is used,
  • and if there is a later version of sntp which uses a secure version of hoek,
  • and the same for hawk and request

It may be true that updating request to some newer version will fix the vulnerability of phantomjs at once, without suggesting any updates to hawk, sntp or hoek, but figuring that out sounds like a lot of manual work. Are there any tools that help find the shortest possible way to fix a reported vulnerability?
(I understand that blind updating may actually introduce new bugs/other vulnerabilities, but at least we could get a suggestion how to proceed)

Martijn Pieters
YakovL

0 Answers
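The "shortest fix" the question asks for can be computed mechanically: walk the audit path from the top, and at each level look for the lowest version of that package whose freshly resolved dependency subtree no longer contains an unpatched release of the flagged package. The shallowest level with such a version is the smallest change. The script below is an added example (not from the question, from npm, or from any existing tool) that does this on a mock registry. Every version number and dependency range in `REGISTRY` and `INSTALLED` is constructed for illustration and is not real npm metadata; in practice you would fill those tables from `npm view <pkg> versions --json` and `npm view <pkg>@<version> dependencies --json`, and read the installed versions from `npm ls hoek` or the lockfile. The tiny semver matcher handles only `major.minor.patch` versions and the `^`, `~`, `>`, `>=`, `<`, `<=`, exact and `||` forms that appear here.

```javascript
// Added example: find, at each level of an `npm audit` dependency path, the
// lowest version that stops pulling in a vulnerable release of the flagged
// package. The shallowest such level is the "shortest" fix.
//
// All data in REGISTRY and INSTALLED is constructed for illustration: the
// versions and ranges are NOT real npm metadata. Fill them from
// `npm view <pkg> versions --json` and `npm view <pkg>@<v> dependencies --json`.

// --- minimal semver: major.minor.patch only, enough for the ranges used here
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};
// Expand one token ("^1.2.3", ">=4.2.0", "1.2.3") into [op, version] pairs.
function comparators(token) {
  const m = token.match(/^([<>]=?|=|\^|~)?(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported range token: ${token}`);
  const [, op = '=', v] = m;
  const [maj, min] = parse(v);
  if (op === '^') return [['>=', v], ['<', maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`]];
  if (op === '~') return [['>=', v], ['<', `${maj}.${min + 1}.0`]];
  return [[op, v]];
}
const OPS = { '=': (c) => c === 0, '>': (c) => c > 0, '>=': (c) => c >= 0, '<': (c) => c < 0, '<=': (c) => c <= 0 };
// npm-style range: alternatives separated by "||", each an AND of comparators.
// The leading replace drops the spaces npm audit prints after operators ("> 4.2.0").
function satisfies(version, range) {
  return range.replace(/([<>=~^]+)\s+/g, '$1').split('||').some((alt) =>
    alt.trim().split(/\s+/).flatMap(comparators).every(([op, v]) => OPS[op](cmp(version, v))));
}

// Highest published version satisfying a range, as npm's resolver would pick.
function resolve(registry, name, range) {
  const ok = Object.keys(registry[name] || {}).filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}
// Does name@version, resolved fresh from the registry, still pull in an
// unpatched release of `vuln` anywhere in its transitive dependencies?
// `seen` stops cycles; an unresolvable range is treated as "not a fix".
function pullsVulnerable(registry, name, version, vuln, patched, seen = new Set()) {
  if (name === vuln && !satisfies(version, patched)) return true;
  const key = `${name}@${version}`;
  if (seen.has(key)) return false;
  seen.add(key);
  for (const [dep, range] of Object.entries(registry[name][version])) {
    const v = resolve(registry, dep, range);
    if (v === null || pullsVulnerable(registry, dep, v, vuln, patched, seen)) return true;
  }
  return false;
}
// For each package along the audit path: the lowest version (>= installed)
// whose fresh resolution avoids the vulnerable release, and whether the
// parent's declared range would even accept it (null for the top of the path).
function fixOptions({ registry, installed, path, vuln, patched }) {
  return path.map((name, i) => {
    const current = installed[name];
    const candidates = Object.keys(registry[name]).filter((v) => cmp(v, current) >= 0).sort(cmp);
    const fix = candidates.find((v) => !pullsVulnerable(registry, name, v, vuln, patched)) || null;
    const parent = i > 0 ? path[i - 1] : null;
    const parentRange = parent ? registry[parent][installed[parent]][name] : null;
    return { depth: i, name, current, fix, withinParentRange: fix && parentRange ? satisfies(fix, parentRange) : null };
  });
}
function shortestFix(opts) { return fixOptions(opts).find((o) => o.fix !== null) || null; }

// --- constructed sample data (hypothetical versions and ranges, not real npm data)
const REGISTRY = {
  phantomjs: { '2.1.1': { request: '~2.81.0' } },
  request:   { '2.81.0': { hawk: '~3.1.3' }, '2.85.0': { hawk: '~6.0.2' } },
  hawk:      { '3.1.3': { sntp: '^1.0.0', hoek: '^2.0.0' }, '6.0.2': { sntp: '^2.0.0', hoek: '^4.2.1' } },
  sntp:      { '1.0.9': { hoek: '^2.0.0' }, '2.1.0': { hoek: '^4.2.1' } },
  hoek:      { '2.16.3': {}, '4.2.1': {}, '5.0.3': {} },
};
const INSTALLED = { phantomjs: '2.1.1', request: '2.81.0', hawk: '3.1.3', sntp: '1.0.9', hoek: '2.16.3' };
// Path and patched range as printed by npm audit in the question.
const ADVISORY = { path: ['phantomjs', 'request', 'hawk', 'sntp', 'hoek'], vuln: 'hoek', patched: '> 4.2.0 < 5.0.0 || >= 5.0.3' };

const opts = { registry: REGISTRY, installed: INSTALLED, ...ADVISORY };
console.table(fixOptions(opts));
console.log('shortest fix:', shortestFix(opts));
```

With the constructed data the shallowest fix is bumping request, but `withinParentRange` is false because the mock phantomjs pins `~2.81.0`: a transitive package can only move as far as its parent's declared range allows, so the real change is either a new phantomjs release or a lockfile override. That admissibility check is what makes the table actionable rather than just a list of newer versions.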