Hawk dependency causes security risk

[lightkraken]

I recently ran a Node Security scan on a project that uses Request and found a security issue related to the version of Hawk (and subsequently Hoek) that Request is using.

request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439

[KittyGiraudel]

Yup! Same one, with different path (for some reason…?):

request@2.83.0 > hawk@3.1.3 > hoek@2.16.3

[andreasvoigt]

Latest hawk version is 7.0.7 which uses hoek@5.x.x.
Updating to that version would fix the problem.

[erik-beus]

This is also an issue with earlier releases. We use node-sass which uses request ~2.79.0 that uses hawk@3.1.3. Would it be possible to patch earlier releases with the latest version of hawk as well?
Otherwise I will open an issue in the node-sass repo to upgrade their version of request.

Btw hoek@4.2.1 has a fix for the security issue (see https://github.com/hapijs/hoek/pull/231/files)
I believe that solves the issue for hawk@6.0.2 since it uses hoek@4.x.x?

[ferrao]

Bcrypt, with more than half a million downloads last month according to npm is also vulnerable to the Prototype Pollution Attack due to bcrypt@1.0.3 > node-pre-gyp@0.6.36 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

[erik-beus]

@ferrao there is an open issue in node-pre-gyp for this mapbox/node-pre-gyp#346