Less.js: Request dependency causes security risk

Created on 2 Mar 2018 · 8 Comments · Source: less/less.js

We are seeing security issues related to a vulnerability in request due to its reliance on hawk which uses the vulnerable hoek. I am opening up this issue so that when request updates to v7.x.x of hawk, less can be updated.

[email protected] > [email protected] > [email protected] > [email protected]

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439
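A lockfile check in the spirit of the chain reported above (an added example, not code from less.js or from the issue author): walk a package-lock.json-style nested `dependencies` tree, list every path that reaches a named package, and flag occurrences whose version is below an assumed patched version. The lockfile contents, package versions and the patched-version threshold are constructed placeholders, not the real ones from the advisory.

```javascript
// Constructed sample in package-lock.json v1 shape; all versions are
// placeholders chosen for the demo, not real published versions.
const sampleLock = {
  name: "my-app",
  dependencies: {
    less: {
      version: "1.0.0",
      dependencies: {
        request: {
          version: "1.0.0",
          dependencies: {
            hawk: {
              version: "1.0.0",
              dependencies: { hoek: { version: "1.2.0" } },
            },
          },
        },
      },
    },
    // A separate, already-patched copy hoisted to the top level.
    hoek: { version: "2.0.0" },
  },
};

// Compare dotted versions numerically (pre-release suffixes are ignored).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}
function isBelow(v, threshold) {
  const a = parseVersion(v), b = parseVersion(threshold);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return every path root > ... > target with a vulnerable flag, so a
// single patched copy cannot hide a vulnerable nested duplicate.
function findPaths(lock, target, fixedVersion) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${info.version}`];
      if (name === target) {
        hits.push({ path: path.join(" > "), vulnerable: isBelow(info.version, fixedVersion) });
      }
      walk(info.dependencies, path); // nested copies may differ in version
    }
  };
  walk(lock.dependencies, [lock.name]);
  return hits;
}

console.log(findPaths(sampleLock, "hoek", "1.5.0"));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and the threshold with the version named in the advisory.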

All 8 comments

Please just create a PR when this happens.

I'll keep my eye out for it and create that PR

Closing to not keep things piling up.

I personally would prefer to keep this open and resolve the ticket once this future PR is merged. People finding this issue would then see it open and not create another issue.

Could be or could be not. So far nothing can be done at the Less side so this is not even an issue at this repo (I have to close every ~second issue here as a duplicate anyway so this is not a problem at all, as well as not a problem to re-open one when it becomes applicable).

@seven-phases-max The dependency on request was updated in https://github.com/less/less.js/commit/bd2a93f7b9879b0c3fff29d7904512eedffa1f72#diff-b9cfc7f2cdf78a7f4b91a753d10865a2 which brings in a non-vulnerable version. However, [email protected] has yet to be released in npm form. Is there a plan to release this to npm?

Actually, this should probably be considered a duplicate of https://github.com/less/less.js/issues/3169

@hughns If this addresses the plugin issue, then 3.0.3 can be published soon - https://github.com/less/less.js/pull/3200. Just waiting on review from @seven-phases-max. More collaborators for Less are always welcome!
