
hoek node module vulnerability (CVE-2018-3728) defined in jane/package-lock.json #50

Open
MaxdSre opened this Issue May 2, 2018 · 3 comments

@MaxdSre
Contributor

MaxdSre commented May 2, 2018

https://nvd.nist.gov/vuln/detail/CVE-2018-3728

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

file jane/package-lock.json

    "hoek": {
      "version": "2.16.3",
      "resolved": "http://registry.npm.taobao.org/hoek/download/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }


@xianmin


Owner

xianmin commented May 3, 2018

I have updated the npm packages and package-lock.json. I'm not sure if this problem is fixed.

@Zebradil


Collaborator

Zebradil commented May 3, 2018

Still have

        "hoek": {
          "version": "2.16.3",
          "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
          "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
          "dev": true
        },

This version is required by hawk, sntp and boom packages. Not sure if we really can avoid these dependencies.

@xianmin


Owner

xianmin commented May 3, 2018

Related issue:

sass/node-sass#2355
