Github potential security vulnerability error for hoek node module

Today GitHub is showing the following error on my GitHub repository:

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

On clicking the Review vulnerable dependency button, the following message was displayed:

hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'

Until yesterday it was not showing this error. I have not pushed anything to this repository for more than 5 days. Any idea why it is happening?

Yuvraj Patil asked Apr 27 '18 01:04



1 Answer

I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment).

Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall order), which is more aligned with this comment (from JamesSingleton).

(rm package-lock.json is only if it exists.)

Edit: In yet a third app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated the package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1 (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 Site:

I updated all my packages to their major versions using npm outdated. I then ran:

npm i hoek@latest --save && npm up hoek

npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save

There were two holdouts: browser-sync 2.23.7 and node-sass 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.

Keith DC answered Oct 16 '22 05:10
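The answer above works by regenerating package-lock.json until every nested copy of hoek lands on a fixed release, and the "holdouts" it mentions are exactly the transitive copies that a plain npm update leaves behind. The script below is an added example, not part of the question or the answer, that checks a lockfile directly instead of trusting the GitHub banner: it walks the nested "dependencies" objects of a lockfile v1 package-lock.json, lists every copy of a named package with the dependency path that pulled it in, and flags those below the fixed version on their own major line. The fixed versions for hoek (5.0.3 from the GitHub alert text, 4.2.1 from the answer's report) are taken from this page; the sample lockfile, its version numbers, and the file-loading entry point are constructed for the example.

```javascript
// Added example: audit a lockfile v1 package-lock.json for vulnerable
// nested copies of one package. Not code from the question or the answer.

// Turn "4.2.1" (or "v4.2.1-beta") into [4, 2, 1]; pre-release suffixes are ignored.
function parseVersion(v) {
  const core = v.replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A version counts as fixed when it is at or above the fix release on its
// own major line. Majors newer than every listed fix are treated as fixed;
// majors older than every listed fix (e.g. hoek 3.x) are treated as vulnerable.
function isFixed(version, fixedVersions) {
  const major = parseVersion(version)[0];
  const fix = fixedVersions.find((f) => parseVersion(f)[0] === major);
  if (!fix) {
    const highest = Math.max(...fixedVersions.map((f) => parseVersion(f)[0]));
    return major > highest;
  }
  return compareVersions(version, fix) >= 0;
}

// Recursively collect every occurrence of `name` in the nested
// "dependencies" tree, remembering the path that pulled it in.
function findPackage(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = path.concat(dep);
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    findPackage(info, name, here, out);
  }
  return out;
}

function vulnerableCopies(lock, name, fixedVersions) {
  return findPackage(lock, name).filter((c) => !isFixed(c.version, fixedVersions));
}

// Constructed sample lockfile (package names as on the page, versions invented):
// one fixed copy under request, one fixed 5.x copy under sntp, and one stale
// copy nested under hawk > boom, which is the kind of holdout the answer describes.
const SAMPLE_LOCK = {
  name: "sample-app", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    request: { version: "2.85.0", dependencies: { hoek: { version: "4.2.1" } } },
    hawk: { version: "6.0.2", dependencies: {
      boom: { version: "4.3.1", dependencies: { hoek: { version: "4.2.0" } } },
      sntp: { version: "2.1.0", dependencies: { hoek: { version: "5.0.3" } } },
    } },
  },
};

// Fixed hoek releases as stated on this page (alert text and answer).
const HOEK_FIXED = ["4.2.1", "5.0.3"];

// Usage: node audit-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = vulnerableCopies(lock, "hoek", HOEK_FIXED);
  for (const c of hits) console.log(`vulnerable hoek ${c.version} at ${c.path}`);
  if (hits.length === 0) console.log("no vulnerable hoek copies found");
}
```

Run it against the sample and the only hit is hawk > boom > hoek at 4.2.0; the copies at 4.2.1 and 5.0.3 pass. Running it on a real package-lock.json before and after the rm package-lock.json && npm update step shows whether a leftover nested copy is what keeps the GitHub alert open, which is quicker than waiting for the alert to refresh after a commit.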