Node-sass: [SECURITY] Please FIX vulnerabilities!

Created on 9 Jul 2018 · 9 comments · Source: sass/node-sass

=== npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > cryptiles > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   node-sass [dev]

  Path            node-sass > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

found 4 moderate severity vulnerabilities in 6455 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
CLOSE - Issue template ignored

All 9 comments

I don't know what I'm doing wrong, but I keep getting the error:

PC-006% npm i -D node-sass
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://nodesecurity.io/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

I deleted node_modules folder, package-lock.json and the cache folder.
At every install the "broken" hoek version is retrieved.
I tried on Windows and on WSL Ubuntu - no difference.

What version are you running? This seems like a duplicate of #2355, which is resolved by updating to 4.9.1.

@bardware the answer is literally in the comment above yours. Please read issues before posting.

Please believe me, I've been following this issue for quite some time, as GitHub keeps notifying me about this. I read issues; I posted on 2355.
It is my understanding and expectation that version 4.9.1 changed dependencies and got rid of hoek.
When I call npm i -D node-sass I expect it to install the latest/fixed ("silenced") version.

As explained in #2355 and this issue (again). We have updated request, which had a dependency on hoek. However, one of our dependencies (node-gyp) is also locked to an older version of request because they too cannot break backward compatibility.

There is an open PR (linked above) to bump that dependency as we did to a version of request that removes hoek whilst maintaining BC.

All of this information was present in the issues you _read_. Please direct your enthusiasm at the node-gyp PR linked above.

Neither v4.7.x (suggested in the other issue, although v4.7.0 doesn't exist) nor v4.9.1 fixes this issue. I still get the 4 moderate severity vulnerabilities.
None of the solutions in #2355 work.

Hopefully the node-gyp team will merge the PR nodejs/node-gyp#1492 and this should be easier to fix.

@nschonni Why did you close this issue, which is still a problem?

It's closed because there is nothing we can do. We have summarized the issue multiple times. People insist on not bothering to read the issue and post their opinion.

There is no further discussion to be had on this topic. It's out of our control. Read the prior couple of comments.
