Security vulnerability through outdated version of hoek · Issue #950 · TryGhost/node-sqlite3 · GitHub
This repository was archived by the owner on Jul 1, 2026. It is now read-only.

Security vulnerability through outdated version of hoek #950

Description

@SebastianSchmidt

node-sqlite3 is dependent on an outdated version of hoek (through the node-pre-gyp package), which has a security vulnerability.

sqlite3@3.1.13 › node-pre-gyp@0.6.39 › hawk@3.1.3 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › hawk@3.1.3 › boom@2.10.1 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › hawk@3.1.3 › cryptiles@2.0.5 › boom@2.10.1 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › hawk@3.1.3 › sntp@1.0.9 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › sntp@1.0.9 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › cryptiles@2.0.5 › boom@2.10.1 › hoek@2.16.3
sqlite3@3.1.13 › node-pre-gyp@0.6.39 › request@2.81.0 › hawk@3.1.3 › boom@2.10.1 › hoek@2.16.3

The latest version of node-pre-gyp uses a version of hoek that fixes the vulnerability. The latest version of node-pre-gyp (0.7.0) no longer supports Node 0.10 and 0.14. However, Node 0.10 and 0.14 are no longer supported, so I think it's justifiable if node-sqlite3 also does not support these versions.
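Added example, not part of the original issue or of node-sqlite3's code: a Node.js sketch that lists every path to a given transitive dependency and reports the part of the chain all paths share, which is the dependency whose upgrade covers them all. The tree is a constructed sample in the shape of `npm ls --json` output, trimmed to packages named above; `findPaths` and `commonPrefix` are hypothetical helper names.

```javascript
// Constructed sample in the shape of `npm ls --json` output, trimmed to
// packages named in the issue. Not output captured from a real install.
const tree = {
  name: 'sqlite3', version: '3.1.13',
  dependencies: {
    'node-pre-gyp': { version: '0.6.39', dependencies: {
      hawk: { version: '3.1.3', dependencies: {
        hoek: { version: '2.16.3' },
        boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
        sntp: { version: '1.0.9', dependencies: { hoek: { version: '2.16.3' } } },
      } },
      request: { version: '2.81.0', dependencies: {
        hawk: { version: '3.1.3', dependencies: { hoek: { version: '2.16.3' } } },
      } },
    } },
  },
};

// Depth-first walk; returns every path (array of name@version) ending at target.
function findPaths(node, name, target, trail = []) {
  const id = `${name}@${node.version}`;
  const here = [...trail, id];
  const hits = id === target ? [here] : [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findPaths(dep, depName, target, here));
  }
  return hits;
}

// Longest chain of ancestors shared by all paths, excluding the target itself.
// Its last element is the deepest single package whose upgrade touches every path.
function commonPrefix(paths) {
  if (paths.length === 0) return [];
  let prefix = paths[0].slice(0, -1);
  for (const p of paths) {
    let i = 0;
    while (i < prefix.length && i < p.length - 1 && prefix[i] === p[i]) i++;
    prefix = prefix.slice(0, i);
  }
  return prefix;
}

const paths = findPaths(tree, tree.name, 'hoek@2.16.3');
for (const p of paths) console.log(p.join(' › '));
console.log('shared by every path:', commonPrefix(paths).join(' › '));
```

On a real project, the same functions can be fed the parsed output of `npm ls --json` in place of the constructed `tree`.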
