Skip to content
This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

[SECURITY] Please FIX vulnerabilities! #2443

Closed
Bizarrus opened this issue Jul 9, 2018 · 9 comments
Closed

[SECURITY] Please FIX vulnerabilities! #2443

Bizarrus opened this issue Jul 9, 2018 · 9 comments

Comments

@Bizarrus
Copy link

Bizarrus commented Jul 9, 2018

=== npm audit security report ===


								 Manual Review
			 Some vulnerabilities require your attention to resolve

		  Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > cryptiles > boom >
				  hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

found 4 moderate severity vulnerabilities in 6455 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
@xzyfer
Copy link
Contributor

xzyfer commented Jul 9, 2018

See nodejs/node-gyp#1492

@bardware
Copy link

bardware commented Jul 9, 2018

I don't know what I'm doing wrong but I keep getting the error

PC-006% npm i -D node-sass
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://nodesecurity.io/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

I deleted node_modules folder, package-lock.json and the cache folder.
At every install the "broken" hoek version is retrieved.
I tried on Windows and on WSL Ubuntu - no difference.

@nschonni
Copy link
Contributor

nschonni commented Jul 9, 2018

What version are you running? This seems like a duplicate of #2355 which is resolved by updating to 4.9.1

@xzyfer
Copy link
Contributor

xzyfer commented Jul 9, 2018

@bardware the answer is literally in the comment above yours. Please read issues before posting.

@bardware
Copy link

Please believe me, I'm following this issue for quite some time, as github keeps notifying me about this. I read issues; i posted on 2355.
It is my understanding and expectation version 4.9.1 changed dependencies and rid hoek.
When I call npm i -D node-sass I expect it to install the latest/fixed ("silenced") version.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 10, 2018

As explained in #2355 and this issue (again). We have updated request which had a dependency on heok. However one of our dependencies (node-gyp) is also locked to an older version of request because they too cannot break backward compatibility.

There is an open PR (linked above) to bump that dependency as we did to a version of request that removes hoek whilst maintaining BC.

All of this information was present in the issues you read. Please direct your enthusiasm at the node-gyp PR linked above.

@Berkmann18
Copy link

Berkmann18 commented Jul 22, 2018

Neither both v4.7.x (suggest in the other issue although v4.7.0 doesn't exist) and v4.9.1 fixes this issue. I still get the 4 moderate severity vulnerabilities.
None of the solutions in #2355 work.

Hopefully the node-gyp team will merge the PR nodejs/node-gyp#1492 and this should be easier to fix.

@Berkmann18
Copy link

@nschonni Why did you closed this issue which is still a problem?

@sass sass deleted a comment from Bizarrus Jul 24, 2018
@xzyfer
Copy link
Contributor

xzyfer commented Jul 24, 2018

It's closed because there is nothing we can do. We have summarized the issue multiple times. People insist on not bothering to read the issue and post their opinion.

There is no further discussion to had on this topic. It's out of our control. Read the prior couple comments.

@sass sass locked as too heated and limited conversation to collaborators Jul 24, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

5 participants