hapijs / hoek

Node utilities shared among the extended hapi universe
480 stars, 171 forks

npm audit Moderate Prototype pollution #266

Closed robeverett closed 6 years ago

robeverett commented 6 years ago

This is after I type npm audit in the command prompt, I get this twenty times:

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   npm
Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk > boom > hoek
More info       https://nodesecurity.io/advisories/566

robeverett commented 6 years ago

https://nodesecurity.io/advisories/566

This tells me to update to 4.2.1 or 5.0.3 or later. How do you do that ?
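For readers wondering what the "Prototype pollution" label in advisory 566 refers to, here is an added illustration of that bug class in a deep-merge helper. This is not hoek's code and was not posted in the thread; the merge functions, the payload and the `isAdmin` key are all constructed for the demonstration.

```javascript
// Added illustration of the bug class named in advisory 566; this is NOT hoek's
// code. A recursive merge that copies every own key of `source` into `target`
// also copies an own key literally named "__proto__", and reading
// target["__proto__"] hands back Object.prototype, so the recursion writes
// attacker-chosen properties onto every object in the process.

function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // For key "__proto__", target[key] is Object.prototype: the recursion lands there.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened form: refuse keys that reach the prototype chain and only recurse
// into own plain-object properties, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run `merge` on a constructed attacker payload (the shape a JSON request body
// would take) and report whether an unrelated fresh object now sees the key.
function demonstrate(merge) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed input
  const config = { retries: 3 };
  merge(config, payload);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so later checks start clean
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', demonstrate(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', demonstrate(safeMerge));     // false
```

The key detail is that `JSON.parse` creates an ordinary own property named `__proto__`, so it shows up in `Object.keys`, while reading `target["__proto__"]` on a normal object goes through the inherited accessor and returns the prototype. Blocking the three keys above and recursing only into own plain objects closes that path; the advisory's fixed hoek versions apply the same idea to its `merge`-based helpers.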

PhuruShekar commented 6 years ago

I'm having the same problem, i'm on version 5.0.3 and get similar errors

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   gulp-sass [dev]
Path            gulp-sass > node-sass > node-gyp > request > hawk > boom > hoek
More info       https://nodesecurity.io/advisories/566

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   gulp-sass [dev]
Path            gulp-sass > node-sass > node-gyp > request > hawk > cryptiles > boom > hoek
More info       https://nodesecurity.io/advisories/566

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   gulp-sass [dev]
Path            gulp-sass > node-sass > node-gyp > request > hawk > hoek
More info       https://nodesecurity.io/advisories/566

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   gulp-sass [dev]
Path            gulp-sass > node-sass > node-gyp > request > hawk > sntp > hoek
More info       https://nodesecurity.io/advisories/566

found 4 moderate severity vulnerabilities in 19523 scanned packages 4 vulnerabilities require manual review. See the full report for details.

Those are the errors I keep getting.

PhuruShekar commented 6 years ago

To update, you just have to do npm i --save-dev hoek; that will update hoek to 5.0.3. However, that doesn't fix the problem.

WesTyler commented 6 years ago

> however that doesn't fix the problem

The problem has already been fixed in Hoek. The problem now is that your versions of npm and gulp-sass need to be updated so that they are not using out-of-date versions of Hoek.

For gulp-sass, their latest version has some extremely stale dependencies:

└─┬ gulp-sass@4.0.1
  └─┬ node-sass@4.9.2
    └─┬ node-gyp@3.7.0
      └─┬ request@2.81.0
        └─┬ hawk@3.1.3
          ├─┬ boom@2.10.1
          │ └── hoek@2.16.3  deduped
          ├── hoek@2.16.3
          └─┬ sntp@1.0.9
            └── hoek@2.16.3

With npm it appears node-gyp > request > hawk > sntp > hoek is again the bottleneck. For what it's worth, I followed up and the path to hoek@2.x has been removed entirely in node-gyp@4.0.0 over a month ago.

npm@5.6.0
├─┬ npm-lifecycle@2.0.3
│ └─┬ node-gyp@3.7.0
│   └─┬ request@2.81.0
│     └─┬ hawk@3.1.3
│       ├─┬ boom@2.10.1
│       │ └── hoek@2.16.3  deduped
│       ├── hoek@2.16.3
│       └─┬ sntp@1.0.9
│         └── hoek@2.16.3  deduped

Honestly, it looks like the holdup here is specifically the node-gyp@3.x.x release line. The latest version, 3.7.0, is limiting request@<2.82.0 here. Request, for its part, removed hawk (and therefore the stale version of Hoek) in version 2.87.0. So it seems (without digging through any more codebases I am unfamiliar with) that node-gyp version 3 needs a patch to use request 2.87.0, or npm-lifecycle and node-sass need to update to node-gyp@4.0.0.

At any rate, there's nothing the maintainers on Hoek can do at this point, so I'm going to go ahead and close this.
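The analysis above boils down to walking the installed tree and finding every path that ends in a hoek outside the patched range, then looking at which direct dependency each path starts from. Here is an added script that does exactly that; it is not from the thread or from hoek. It assumes a tree in the shape `npm ls --json` prints (name to `{ version, dependencies }`), implements just enough version comparison for the advisory's range so it needs no packages, and uses a constructed sample tree mirroring the gulp-sass tree quoted above.

```javascript
// Added example, not code from this thread or from hoek: find every path in an
// installed dependency tree that ends in a hoek version outside the advisory's
// patched range "> 4.2.0 < 5.0.0 || >= 5.0.3". The tree shape is the one
// `npm ls --json` prints: name -> { version, dependencies: {...} }.

function parseVersion(v) {
  return v.split('.').map(Number); // "2.16.3" -> [2, 16, 3]
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// The advisory's patched range, written out: (> 4.2.0 and < 5.0.0) or >= 5.0.3.
function isPatchedHoek(version) {
  const c420 = compareVersions(version, '4.2.0');
  const c500 = compareVersions(version, '5.0.0');
  const c503 = compareVersions(version, '5.0.3');
  return (c420 > 0 && c500 < 0) || c503 >= 0;
}

// Depth-first walk; every occurrence is reported, including ones npm would
// print as "deduped", because each one is a separate path that has to go away.
function findVulnerablePaths(tree, pkgName, isPatched, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkgName && !isPatched(info.version)) {
      out.push(here.join(' > '));
    }
    findVulnerablePaths(info, pkgName, isPatched, here, out);
  }
  return out;
}

// The direct dependencies you actually control: the first hop of each bad path,
// with the "@version" suffix stripped (scoped names keep their leading "@").
function directDependenciesToUpdate(paths) {
  return [...new Set(paths.map((p) => p.split(' > ')[0].replace(/@[^@]+$/, '')))];
}

// Constructed sample mirroring the `npm ls` tree quoted in this thread, plus the
// hoek@5.0.3 that `npm i --save-dev hoek` adds at top level (which changes nothing
// underneath gulp-sass).
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    hoek: { version: '5.0.3' },
    'gulp-sass': { version: '4.0.1', dependencies: {
      'node-sass': { version: '4.9.2', dependencies: {
        'node-gyp': { version: '3.7.0', dependencies: {
          request: { version: '2.81.0', dependencies: {
            hawk: { version: '3.1.3', dependencies: {
              boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
              hoek: { version: '2.16.3' },
              sntp: { version: '1.0.9', dependencies: { hoek: { version: '2.16.3' } } },
            } },
          } },
        } },
      } },
    } },
  },
};

const badPaths = findVulnerablePaths(SAMPLE_TREE, 'hoek', isPatchedHoek);
console.log(badPaths.join('\n'));                              // three paths, all under gulp-sass
console.log('update:', directDependenciesToUpdate(badPaths));  // [ 'gulp-sass' ]
```

To run it against a real project, capture the tree with `npm ls --json > tree.json` and pass `JSON.parse(fs.readFileSync('tree.json', 'utf8'))` in place of `SAMPLE_TREE`. The output makes the thread's conclusion visible at a glance: the top-level hoek@5.0.3 is never listed, because no path to it is bad, while every bad path starts at gulp-sass and passes through node-gyp@3.7.0, so gulp-sass (or node-gyp) is what has to move.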

WesTyler commented 6 years ago

Also, for what it's worth, I opened a PR to node-gyp's 3.x line here, so with any luck this continuing problem will go away...

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.