Security issue: Prototype pollution attack (Introduced by the request@2.79.0 => hawk@3.1.3 => hoek@2.16.3) #2288
Comments
Duplicate of a bunch of existing tickets. See #2355 for the new general tracking issue.
If you desperately need to work around this issue you can install
node-sass@4.7.0 exactly. It is the last version before we locked down the
request version range.
On Sat., 28 Apr. 2018, 12:44 am Michael Mifsud, ***@***.***> wrote:
> The API hasn't stabilised yet
>
> On Sat., 28 Apr. 2018, 12:06 am Jamie McElwain, ***@***.***> wrote:
>> Any chance we get the v5 branch on npm as ***@***.***?
Okay I fixed my issue, ty @xzyfer for your suggestion - but due to my own package.lock needing

My Solution

Fixed by updating all first level

Now no security error 🎉 👍
- hoek security dependency problem - sass/node-sass#2288
The latest version node-sass@4.7.2 uses request@~2.79.0. However, request@~2.79.0 has a vulnerability which is introduced by hoek@2.16.3. More information is here:
https://nodesecurity.io/advisories/566
https://snyk.io/vuln/npm:hoek:20180212
Could you please update request to the latest version to solve the vulnerability? Thank you so much.
- npm -v: 5.4.2
- node -v: v8.8.1
- node -p process.versions:
- node -p process.platform: darwin
- node -p process.arch: x64
- node -p "require('node-sass').info":
- npm ls node-sass:
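The chain in the issue title (request@2.79.0 => hawk@3.1.3 => hoek@2.16.3) can be recovered from a lockfile instead of being read off an audit report. The following is an added example, not part of the original issue or the node-sass project: it walks a constructed npm 5 (lockfileVersion 1) lockfile and lists every require chain that ends at a given package version. The names `tracePaths` and `collect`, the package `other-tool` and the range strings are assumptions made for the illustration.

```javascript
// Constructed lockfileVersion 1 fragment. Versions on the flagged chain are those
// named in the issue; range strings, "other-tool" and hoek@9.9.9 are made up.
const lock = {
  lockfileVersion: 1,
  dependencies: {
    "node-sass": { version: "4.7.2", requires: { request: "~2.79.0" } },
    request: { version: "2.79.0", requires: { hawk: "~3.1.3" } },
    hawk: { version: "3.1.3", requires: { hoek: "2.x.x" } },
    hoek: { version: "2.16.3" },
    "other-tool": { version: "1.0.0", requires: { hoek: "^9.9.9" },
      dependencies: { hoek: { version: "9.9.9" } } } // private copy, not hoisted
  }
};
// Own-property check, so a name such as "constructor" never matches by inheritance.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Flatten the tree; each node keeps the dependency maps it resolves against,
// innermost first, mirroring node_modules lookup order.
function collect(deps, scopes, out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const inner = info.dependencies ? [info.dependencies, ...scopes] : scopes;
    out.push({ name, info, scopes: inner, parents: [] });
    collect(info.dependencies, inner, out);
  }
  return out;
}

// Return every "top => ... => target@version" chain found in the lockfile.
function tracePaths(lockfile, target, version) {
  const nodes = collect(lockfile.dependencies, [lockfile.dependencies]);
  const byInfo = new Map(nodes.map((n) => [n.info, n]));
  for (const n of nodes) {
    for (const req of Object.keys(n.info.requires || {})) {
      const scope = n.scopes.find((s) => has(s, req));
      if (scope) byInfo.get(scope[req]).parents.push(n); // reverse edge
    }
  }
  const label = (n) => `${n.name}@${n.info.version}`;
  const paths = [];
  const walk = (n, trail) => {
    if (trail.includes(n)) return; // guard against require cycles
    const next = [n, ...trail];
    if (n.parents.length === 0) paths.push(next.map(label).join(" => "));
    n.parents.forEach((p) => walk(p, next));
  };
  nodes.filter((n) => n.name === target && n.info.version === version)
    .forEach((n) => walk(n, []));
  return paths;
}
console.log(tracePaths(lock, "hoek", "2.16.3"));
```

A lockfileVersion 1 file does not record which entries are direct dependencies, so each chain starts at an entry that nothing else in the lockfile requires.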