
Security issue: Prototype pollution attack(Introduced by the request@2.79.0 => hawk@3.1.3 => hoek@2.16.3) #2288

Closed
MichaelTsengLZ opened this issue Mar 14, 2018 · 8 comments


MichaelTsengLZ commented Mar 14, 2018

The latest version node-sass@4.7.2 uses request@~2.79.0. However, request@~2.79.0 has a vulnerability which is introduced by hoek@2.16.3. More information is here:

https://nodesecurity.io/advisories/566
https://snyk.io/vuln/npm:hoek:20180212

Could you please update request to the latest version to solve the vulnerability? Thank you so much.

  • NPM version (npm -v): 5.4.2
  • Node version (node -v): v8.8.1
  • Node Process (node -p process.versions):
{ 
  http_parser: '2.7.0',
  node: '8.8.1',
  v8: '6.1.534.42',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  modules: '57',
  nghttp2: '1.25.0',
  openssl: '1.0.2l',
  icu: '59.1',
  unicode: '9.0',
  cldr: '31.0.1',
  tz: '2017b' 
}
  • Node Platform (node -p process.platform): darwin
  • Node architecture (node -p process.arch): x64
  • node-sass version (node -p "require('node-sass').info"):
node-sass	4.7.2	(Wrapper)	[JavaScript]
libsass  	3.5.0.beta.2	(Sass Compiler)	[C/C++]
  • npm node-sass versions (npm ls node-sass):
cla-assistant@1.4.1 /Users/microsoft/Michael/MicrosoftRepo/cla/cla-assistant
└─┬ node-sass-middleware@0.11.0
  └── node-sass@4.7.2
nschonni (Contributor) commented Mar 14, 2018

Duplicate of a bunch of existing tickets. See #2355 for the new general tracking issue

xzyfer (Contributor) commented Apr 27, 2018 via email

EmilyRosina commented Apr 27, 2018

Okay, I fixed my issue, ty @xzyfer for your suggestion - but due to my own package.lock needing the request version range, every time I tried to install node-sass@4.7.0 it kept denying me, something about other packages relying on dependencies of node-sass or request... not sure, as I can't seem to find the error within the window now 😭

My Solution

Fixed by updating all first-level package.lock dependencies that have their own dependency on hoek somewhere down the chain; fixed for all apart from node-sass, which had to use @asommer70's suggestion.

Now no security error 🎉 👍
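The chain in the original report (node-sass -> request -> hawk -> hoek) and the fix described in this comment (find every first-level dependency that reaches hoek somewhere down the chain) are both a question of walking the lockfile. The following is an added example, not code from node-sass, npm or anyone in this thread: it resolves `requires` edges in a lockfileVersion 1 package-lock.json the way npm does (nearest enclosing node_modules wins), reports every path from the project to a flagged package, and lists the first-level dependencies responsible. The lockfile and package.json contents are constructed to mirror the chain reported above plus one hypothetical package (`example-consumer`) with a patched nested copy of hoek; the cut-off version 4.2.1 is taken from the linked advisory and is an assumption here, since the page does not state it (the separate 5.0.x patched line is not modelled).

```javascript
// Added example: locate every dependency path to a vulnerable package in a
// lockfileVersion 1 package-lock.json. Not node-sass or npm code.

// Constructed lockfile mirroring the chain in this issue:
// cla-assistant -> node-sass-middleware -> node-sass -> request -> hawk -> hoek.
// 'example-consumer' is hypothetical and carries its own patched nested hoek.
const SAMPLE_LOCK = {
  name: 'cla-assistant',
  version: '1.4.1',
  lockfileVersion: 1,
  dependencies: {
    'node-sass-middleware': { version: '0.11.0', requires: { 'node-sass': '^4.7.2' } },
    'node-sass': { version: '4.7.2', requires: { request: '~2.79.0' } },
    request: { version: '2.79.0', requires: { hawk: '~3.1.3' } },
    hawk: { version: '3.1.3', requires: { hoek: '2.x.x' } },
    hoek: { version: '2.16.3' },
    'example-consumer': {
      version: '1.0.0',
      requires: { hoek: '6.x.x' },
      dependencies: { hoek: { version: '6.0.1' } }, // nested, shadows the hoisted copy
    },
  },
};

// Constructed package.json: only the direct (first-level) dependencies,
// which a v1 lockfile does not mark on its own.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'node-sass-middleware': '^0.11.0', 'example-consumer': '^1.0.0' },
};

// Compare dotted numeric versions ("2.16.3" vs "4.2.1"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolve `name` from a package at `scope` (lock entries from the root down):
// the nearest enclosing nested `dependencies` map wins, as with node_modules.
function resolve(scope, name) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const deps = scope[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Depth-first walk over `requires` edges starting from the project's direct
// dependencies. Returns an array of paths (lists of "name@version") that end
// at `target` with a version `isVulnerable` flags. `seen` cuts cycles.
function findVulnerablePaths(lock, packageJson, target, isVulnerable) {
  const root = { requires: packageJson.dependencies || {}, dependencies: lock.dependencies || {} };
  const results = [];

  function walk(scope, entry, path, seen) {
    for (const depName of Object.keys(entry.requires || {})) {
      const dep = resolve(scope, depName);
      if (!dep) continue; // not installed according to this lockfile
      const label = `${depName}@${dep.version}`;
      if (depName === target && isVulnerable(dep.version)) {
        results.push([...path, label]);
        continue;
      }
      if (seen.has(dep)) continue;
      seen.add(dep);
      walk([...scope, dep], dep, [...path, label], seen);
      seen.delete(dep);
    }
  }

  walk([root], root, [`${lock.name}@${lock.version}`], new Set([root]));
  return results;
}

// The first-level packages that need bumping or overriding: the second
// element of each path, with the "@version" suffix removed (lastIndexOf
// keeps scoped names such as @hapi/hoek intact).
function firstLevelOffenders(paths) {
  const names = paths.map((p) => p[1].slice(0, p[1].lastIndexOf('@')));
  return [...new Set(names)].sort();
}

const vulnerableHoek = (v) => compareVersions(v, '4.2.1') < 0; // cut-off assumed from the advisory
const found = findVulnerablePaths(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, 'hoek', vulnerableHoek);
for (const p of found) console.log(p.join(' > '));
console.log('first-level dependencies to fix:', firstLevelOffenders(found));
```

Only the node-sass-middleware chain is reported: `example-consumer` also requires hoek, but resolution lands on its nested 6.0.1 copy rather than the hoisted 2.16.3, which is exactly the distinction a flat `npm ls hoek` output can blur. To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of package-lock.json and package.json.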

EmilyRosina added a commit to EmilyRosina/hub that referenced this issue May 1, 2018
- hoek security dependency problem
- sass/node-sass#2288
rmvgaines added a commit to community-web-service/gulp-sass that referenced this issue May 9, 2018

@sass sass locked as off-topic and limited conversation to collaborators May 28, 2018
Friendly-users referenced this issue in Friendly-users/node-sass Jul 9, 2024