This repository was archived by the owner on Jul 24, 2024. It is now read-only.
Node SASS security vulnerability in hoek dependency #2262
Closed
Description
Node Security Platform is reporting a vulnerability in hoek@2.16.3, which is required through several dependencies by Node SASS.
To reproduce:

```
npm install -g nsp
npm install --save node-sass
nsp check
```

Output:
```
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ cohear@0.0.0 > node-sass@4.7.2 > request@2.79.0 > hawk@3.1.3 >     │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘
```
- NPM version: 5.6.0
- Node version: v8.9.4
- Node Process:
{
http_parser: '2.7.0',
node: '8.9.4',
v8: '6.1.534.50',
uv: '1.15.0',
zlib: '1.2.11',
ares: '1.10.1-DEV',
modules: '57',
nghttp2: '1.25.0',
openssl: '1.0.2n',
icu: '59.1',
unicode: '9.0',
cldr: '31.0.1',
tz: '2017b'
}
- Node Platform : darwin
- Node architecture: x64
- node-sass version:
node-sass 4.7.2 (Wrapper) [JavaScript]
libsass 3.5.0.beta.2 (Sass Compiler) [C/C++]
- npm node-sass versions: node-sass@4.7.2
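
The following is an added example, not part of the original issue or of the node-sass project: it evaluates the advisory's vulnerable range for hoek and walks a dependency tree to report every path that reaches an affected version. The tree is a constructed sample in the nested shape of `npm ls --json` output; `other-lib` is a hypothetical package, and versions are assumed to be plain `x.y.z` with no prerelease tags.

```javascript
// Added example (not from the issue). Vulnerable range taken from the
// nsp report above: <= 4.2.0 || >= 5.0.0 < 5.0.3

// Compare two plain x.y.z versions numerically; returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when a hoek version falls inside the advisory's vulnerable range.
function isVulnerableHoek(version) {
  return cmp(version, '4.2.0') <= 0 ||
    (cmp(version, '5.0.0') >= 0 && cmp(version, '5.0.3') < 0);
}

// Depth-first walk over a tree shaped like `npm ls --json` output.
// Returns each dependency path ending in a vulnerable hoek, in nsp's format.
function findVulnerablePaths(node, name, trail = []) {
  const here = trail.concat(`${name}@${node.version}`);
  const hits = [];
  if (name === 'hoek' && isVulnerableHoek(node.version)) {
    hits.push(here.join(' > '));
  }
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(child, dep, here));
  }
  return hits;
}

// Constructed sample tree: one affected path (as in the report) and one
// hypothetical package that already pulls a patched hoek.
const tree = {
  version: '0.0.0',
  dependencies: {
    'node-sass': { version: '4.7.2', dependencies: {
      request: { version: '2.79.0', dependencies: {
        hawk: { version: '3.1.3', dependencies: {
          hoek: { version: '2.16.3' } } } } } } },
    'other-lib': { version: '1.0.0', dependencies: {
      hoek: { version: '5.0.3' } } }
  }
};

console.log(findVulnerablePaths(tree, 'cohear'));
```
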