
vscode NPM module: Vulnerability alert for hoek < 5.0.3 #48783

Closed
gwicksted opened this issue Apr 26, 2018 · 26 comments

Comments

@gwicksted

commented Apr 26, 2018

  • VSCode Version: 1.1.14
  • OS Version: 10.0.16299.0

Steps to Reproduce:

  1. Create a new plugin project referencing vscode
  2. Commit to github repo
  3. Receive vulnerability report from github due to github scanning package.json and package-lock.json indicating:
Known vulnerability found
CVE-2018-3728
Moderate severity
hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' ...

package-lock.json update suggested:
hoek ~> 5.0.3
Always verify the validity and compatibility of suggestions with your codebase.

Does this issue occur when all extensions are disabled?: Yes (N/A)

CVE-2018-3728

I'm not sure if this can be solved without third-party buy-in from the following (npm ls hoek):

`-- vscode@1.1.14
  +-- gulp-remote-src@0.4.3
  | `-- request@2.79.0
  |   `-- hawk@3.1.3
  |     +-- boom@2.10.1
  |     | `-- hoek@2.16.3
  |     +-- hoek@2.16.3
  |     `-- sntp@1.0.9
  |       `-- hoek@2.16.3
  `-- request@2.85.0
    `-- hawk@6.0.2
      +-- boom@4.3.1
      | `-- hoek@4.2.1
      +-- cryptiles@3.1.2
      | `-- boom@5.2.0
      |   `-- hoek@4.2.1
      +-- hoek@4.2.1
      `-- sntp@2.1.0
        `-- hoek@4.2.1  deduped

My plugin paste-escaped shows the github report

It is likely vscode itself has not been notified due to the use of yarn vs npm thus a different lockfile format.
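The copies of hoek flagged above are transitive, which is why a review of package.json alone misses them and a top-level `npm update` cannot bump them. As an added example (not code from this issue or from the vscode project), here is a small walker over an npm lockfile v1 (nested `dependencies` objects, an assumption about the format) that reports every nested copy of a package below the version the advisory names as fixed; the lock object is constructed from the `npm ls hoek` tree above.

```javascript
// Added example, not from the vscode project: walk an npm lockfile v1
// (nested "dependencies" objects) and list every copy of a package whose
// version is below the fixed version. SAMPLE_LOCK is constructed from the
// `npm ls hoek` tree in the issue; it is not a real package-lock.json.
const SAMPLE_LOCK = {
  dependencies: {
    vscode: { version: '1.1.14', dependencies: {
      'gulp-remote-src': { version: '0.4.3', dependencies: {
        request: { version: '2.79.0', dependencies: {
          hawk: { version: '3.1.3', dependencies: {
            boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
            hoek: { version: '2.16.3' },
            sntp: { version: '1.0.9', dependencies: { hoek: { version: '2.16.3' } } },
          } },
        } },
      } },
      request: { version: '2.85.0', dependencies: {
        hawk: { version: '6.0.2', dependencies: { hoek: { version: '4.2.1' } } },
      } },
    } },
  },
};

// Compare dotted numeric versions; a "-prerelease" suffix is ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recurse through every nesting level so transitive copies are reported with
// the install path that explains which parent package pins them.
function findVulnerable(node, pkg, fixed, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const path = trail.concat(name);
    if (name === pkg && compareVersions(info.version, fixed) < 0) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    hits.push(...findVulnerable(info, pkg, fixed, path));
  }
  return hits;
}

// For a real lockfile, replace SAMPLE_LOCK with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
for (const h of findVulnerable(SAMPLE_LOCK, 'hoek', '5.0.3')) console.log(h.version, h.path);
```

Each reported path ends at a parent that must itself publish a release before the copy can move, which is the "third-party buy-in" the report above refers to.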

@eamodio

Member

commented Apr 26, 2018

I've seen the same alert from GitHub on all my extensions.

@westonedwards


commented Apr 27, 2018

Same for me with several of my stuff - ideas on how to correct the issue?

@jsc215


commented Apr 27, 2018

I am having the same exact issue. A google search led me here. Any solutions thus far?

@ICeZer0


commented Apr 27, 2018

ditto! 😮

@justin-blankenship


commented Apr 27, 2018

Same here.

@nnguy152


commented Apr 27, 2018

Same!! What do

@papakay


commented Apr 27, 2018

Same here. Please, how do I resolve this?

@danlauby


commented Apr 27, 2018

How does one update package-lock.json to the recommended version of hoek ~> 5.0.3?

@EmmanuelOgbewe


commented Apr 27, 2018

Same!

@damianperera


commented Apr 27, 2018

@dadlerj updating your NPM modules should automatically sync the package-lock.json file. Simply run npm update in your project root.

@JamesSingleton


commented Apr 27, 2018

@damianperera even after running npm update my hoek version is at 4.2.0, even after removing the package-lock.json file, running npm update as well as npm install.

@damianperera


commented Apr 27, 2018

@JamesSingleton if hoek is being used by another module (or modules) that you installed via npm and not specifically by your project, you will need to wait until that module is updated before issuing an npm update on your own project.

@llighter


commented Apr 27, 2018

Same for me.

@JamesSingleton


commented Apr 27, 2018

Hmm I wonder what else could be using it other than what is installed for the project... I have 5 projects with this notification. Thankfully they are older projects, but would like to get it updated.

@bpasero

Member

commented Apr 27, 2018

This depends on request/request#2926, which we depend on.

@bpasero bpasero self-assigned this Apr 27, 2018
@bpasero bpasero added the extensions label Apr 27, 2018
@bpasero bpasero added this to the May 2018 milestone Apr 27, 2018
@bpasero bpasero changed the title Vulnerability alert for hoek < 5.0.3 vscode NPM module: Vulnerability alert for hoek < 5.0.3 Apr 27, 2018
@bpasero bpasero added the debt label Apr 27, 2018
@charmeem


commented Apr 27, 2018

Instead of updating I tried:
npm i hoek
and it updated hoek to 5.0.3

@hunterlong


commented Apr 27, 2018

+1

@JamesSingleton


commented Apr 27, 2018

I took @charmeem's idea a step further and it doesn't seem to have impacted anything. So I did npm i hoek, which then created a new dependency in my package.json that wasn't there before. After that, I did npm uninstall hoek, npm update for good measure, and then I did npm install, and now I don't have the warning message.

Once again, I am not sure of the impact on this as I was still able to run my code and everything like that. I just mainly wanted to stop the notifications from GitHub on my older projects.

@TizioFittizio


commented Apr 27, 2018

I followed @JamesSingleton's steps and it worked for me; now github marks the vulnerability in my repo as resolved.

@JamesSingleton


commented Apr 27, 2018

@TizioFittizio just keep in mind that it removes hoek from your package-lock.json. However, some other stuff will have it as a dependency for a later version... I think I saw one that had a dependency of hoek 2.2. But like I said, I'm not entirely sure what it's used for, as my app was still able to run just fine.

@llighter


commented Apr 27, 2018

I also followed @JamesSingleton's steps.
It worked for me too.

@bpasero

Member

commented Apr 27, 2018

Moving into microsoft/vscode-extension-vscode#106 where it belongs.

@bpasero bpasero closed this Apr 27, 2018
@bpasero bpasero removed this from the May 2018 milestone Apr 27, 2018
@sheldonfish


commented May 2, 2018

Worked for me with @JamesSingleton's solution (npm i hoek, npm uninstall hoek, npm update, npm install). Thanks!
👍

xianmin added a commit to xianmin/hugo-theme-jane that referenced this issue May 3, 2018
skmdev added a commit to skmdev/koa-decorator-ts that referenced this issue May 3, 2018
@oscar-gomez


commented May 5, 2018

I followed @JamesSingleton's steps and it worked for me, thanks!!

@usmanaliqureshi


commented May 9, 2018

Another alternative is to use npm audit, which will display all the vulnerable or outdated dependencies in your package.json or package-lock.json; you can then simply follow the instructions shown along with the other information in the audit.

iocron added a commit to iocron/typo3-gulp-scss that referenced this issue May 31, 2018
Dependency (Hapijs / Hoek, currently v2.16.3) Security Issue / Fix:

hoek node module before 5.0.3 or 4.2.1 suffers from a Modification of Assumed-Immutable Data (MAID)

microsoft/vscode#48783
https://nvd.nist.gov/vuln/detail/CVE-2018-3728
@boompah


commented Jun 4, 2018

Thanks @JamesSingleton really appreciate it! Followed the steps and it worked.

@vscodebot vscodebot bot locked and limited conversation to collaborators Jun 11, 2018