adunkman / dc311rn.com

Quickly check the status of a DC 311 service request
https://www.dc311rn.com
MIT License

CVE-2018-3728: Moderate Security Vulnerability in hoek #11

Closed adunkman closed 5 years ago

adunkman commented 6 years ago

CVE-2018-3728:

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

adunkman commented 6 years ago

#12 didn’t actually fix this — there seems to be some package which needs to be updated first. I wasn’t immediately able to find the culprit.

adunkman commented 6 years ago

This is waiting on a new version of node-sass (https://github.com/sass/node-sass/issues/2355) — the maintainer is on vacation. Since we only load node-sass during our build step, this is not critical to update.

adunkman commented 5 years ago

Fixed in #38.
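
One way to find which dependency still pulls in an affected hoek, as discussed in the thread above. This is an added example, not code from this repository or from hoek: it assumes an npm lockfile in the v1 layout (nested "dependencies" with "requires" and a "dev" flag), the function names `isVulnerableHoek` and `auditHoek` are hypothetical, and the sample lockfile is constructed.

```javascript
// Affected range from the advisory text: before 4.2.0, and 5.0.x before 5.0.3.
function isVulnerableHoek(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false; // not a plain semver (git URL, tag): review by hand
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major < 4 || (major === 4 && minor < 2)) return true;
  return major === 5 && minor === 0 && patch < 3;
}

// Walk the nested "dependencies" tree of a lockfile (v1 layout) and return
// every affected hoek copy plus every package that declares hoek in "requires".
function auditHoek(lock) {
  const copies = [];
  const requiredBy = [];
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  (function walk(node, trail) {
    for (const [name, info] of Object.entries(node.dependencies || {})) {
      const path = [...trail, name].join(" > ");
      if (name === "hoek" && isVulnerableHoek(String(info.version))) {
        // "dev: true" marks a copy that is only reachable from devDependencies.
        copies.push({ path, version: info.version, devOnly: info.dev === true });
      }
      if (info.requires && has(info.requires, "hoek")) {
        requiredBy.push({ path, range: info.requires.hoek });
      }
      walk(info, [...trail, name]);
    }
  })(lock, []);
  return { copies, requiredBy };
}

// Constructed sample lockfile: package names and versions are illustrative only.
const sampleLock = {
  dependencies: {
    "build-tool": {
      version: "1.0.0", dev: true, requires: { "http-helper": "^2.0.0" },
      dependencies: {
        "http-helper": { version: "2.0.0", dev: true, requires: { hoek: "2.x.x" } },
        hoek: { version: "2.16.3", dev: true },
      },
    },
    hoek: { version: "5.0.3" },
    "web-lib": { version: "3.1.0", requires: { hoek: "5.x.x" } },
  },
};

console.log(JSON.stringify(auditHoek(sampleLock), null, 2));
```

A copy reported with `devOnly: true` is installed only for development or build tooling, which is the situation the thread describes for node-sass; a copy without it ships with the running application and should be prioritised.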